Assignment Goals (SLAE-1530)
1) Create a TCP Bindshell Shellcode for Linux x86-32.
2) The port number should be easily configurable.
3) Bonus points if it gets referenced in exploit-db or shell-storm.
TCP Bindshell Principle
In a few words, a TCP Bindshell is a tiny server program that waits for new clients on a specific port. When a new client connects, the server spawns a new shell (e.g. /bin/bash or /bin/sh) and "binds" the shell's file descriptors stdin (0), stdout (1) and stderr (2) to the new client socket. Yes, on Linux a socket is nothing more than a file descriptor.
One infamous method to easily create a bindshell is to use Netcat as follows:
root@local:# mknod /tmp/backpipe p && /bin/sh 0</tmp/backpipe | nc -lvp 443 1>/tmp/backpipe
When you connect to port 443 (with any dumb client program, e.g. Netcat or Telnet) you get remote control over the shell instance.
user@local:$ nc 127.0.0.1 443
Assignment Goals (SLAE-1530)
1) Create a TCP Reverse Shellcode for Linux x86-32.
2) The port number should be easily configurable.
3) The IP address should be easily configurable.
4) Bonus points if it gets referenced in exploit-db or shell-storm.
TCP Reverse Shell Principle
In the first exercise we learnt how to create our own TCP Bindshell shellcode using a few syscalls (socketcall(), dup2() and execve()). A reverse shell is almost identical to a classic bindshell: this time, instead of a shellcode that listens for new clients, we will create a shellcode that connects back to a remote server. Fortunately, on Linux by default there are no restrictions on managing sockets in client mode.
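The file-descriptor binding described in both posts (the bindshell and the reverse shell end in the same dup2() loop that puts stdin, stdout and stderr onto one socket) is also what gives a defender a reliable host-side signal: a shell process whose descriptors 0, 1 and 2 all resolve to the same socket inode is that pattern, whichever direction the connection was made in. The Python scanner below is an added example written for this page, not code from the SLAE assignments or from the post's author. The /proc/net/tcp excerpt, the pids, inodes and addresses are constructed for the example; the only real-world facts it relies on are the readlink form of /proc/<pid>/fd entries ("socket:[inode]") and the little-endian hex address layout of /proc/net/tcp.

```python
import os
import re
import socket
import struct

# Constructed sample data (not taken from the post): an excerpt in the format of
# /proc/net/tcp, and per-process fd tables in the form readlink("/proc/<pid>/fd/<n>")
# returns them. Inodes, pids and addresses are invented for the example.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12344 1 0000000000000000 100 0 0 10 0
   1: 0100007F:01BB 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 20 4 30 10 -1
   2: 0A01A8C0:01BB 0500000A:D431 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1
"""

SAMPLE_PROCESSES = {
    # pid: (comm, {fd: readlink target})
    1234: ("bash", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),            # normal interactive shell
    4321: ("sh", {0: "socket:[12345]", 1: "socket:[12345]", 2: "socket:[12345]"}),  # dup2(sock, 0/1/2) pattern
    5555: ("nc", {0: "pipe:[777]", 1: "/tmp/backpipe", 2: "/dev/pts/1", 4: "socket:[12346]"}),  # netcat one-liner
    5556: ("sh", {0: "/tmp/backpipe", 1: "pipe:[777]", 2: "/dev/pts/1"}),           # its shell, attached via FIFO/pipe
}

SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ksh"}
SOCKET_RE = re.compile(r"^socket:\[(\d+)\]$")
TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}


def decode_addr(hex_addr):
    """'0100007F:01BB' -> ('127.0.0.1', 443). IPv4 is stored little-endian in /proc/net/tcp."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Map socket inode -> (local (ip, port), remote (ip, port), state); the first line is the header."""
    table = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10:
            continue
        table[int(fields[9])] = (decode_addr(fields[1]), decode_addr(fields[2]),
                                 TCP_STATES.get(fields[3], fields[3]))
    return table


def std_fds_on_sockets(fd_targets):
    """Return {fd: inode} for each of stdin/stdout/stderr that points at a socket."""
    hits = {}
    for fd in (0, 1, 2):
        m = SOCKET_RE.match(fd_targets.get(fd, ""))
        if m:
            hits[fd] = int(m.group(1))
    return hits


def find_shells_on_sockets(processes, tcp_table):
    """Flag shell processes whose standard descriptors are sockets; attach the TCP peer when known."""
    findings = []
    for pid, (comm, fds) in sorted(processes.items()):
        if comm not in SHELL_NAMES:
            continue
        hits = std_fds_on_sockets(fds)
        if not hits:
            continue
        inode = next(iter(hits.values()))
        findings.append({
            "pid": pid,
            "comm": comm,
            "fds": sorted(hits),
            "inode": inode,
            "conn": tcp_table.get(inode),  # None for non-TCP sockets or sockets not in this table
            # All three descriptors on one socket is the dup2 loop of the shellcode; fewer is a weaker signal.
            "confidence": "high" if len(hits) == 3 and len(set(hits.values())) == 1 else "medium",
        })
    return findings


def read_live_processes():
    """Build the same {pid: (comm, {fd: target})} structure from a live /proc (other users' fds need root)."""
    processes = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            fds = {}
            for fd in os.listdir(f"/proc/{pid}/fd"):
                try:
                    fds[int(fd)] = os.readlink(f"/proc/{pid}/fd/{fd}")
                except OSError:
                    pass  # descriptor closed between listdir and readlink
        except OSError:
            continue  # process exited or is not readable
        processes[pid] = (comm, fds)
    return processes


if __name__ == "__main__":
    table = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    for finding in find_shells_on_sockets(SAMPLE_PROCESSES, table):
        print(finding)
```

On the sample data only pid 4321 is reported, with the peer 127.0.0.1:50000 recovered through the socket inode, which is how the configurable port and the remote address end up in an alert. To run it on a host, pass read_live_processes() and the text of /proc/net/tcp in place of the samples. Note the caveat visible in the sample: the Netcat construction from the first post does not trigger this rule, because the shell's descriptors are a FIFO and an anonymous pipe and only the nc process holds the socket, so that variant is better caught by checking which process owns the listening or established socket and walking the process tree from there.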