
Creating Custom TCP Reverse Shell | Linux x86

Introduction

A reverse TCP shell consists of three syscalls: one for setting up the socket, which covers the socket() and connect() functions; the second, dup2(), for the file descriptors; and the last, execve(), which spawns a shell once the TCP connection succeeds. Please note that most of the functions mentioned here have already been covered in my previous blog post, TCP Bind, so this post will only focus on the connect() function, which is the main difference between a bind and a reverse shell! The post will then conclude by tying all the pieces together to create working shellcode.

socket()

socket() is used to create a medium for communication; for more information on this function please refer to the TCP Bind blog post. Let’s code!

connect()

This is where we’re going to spend most of our time. The connect() function connects the socket referred to by the sockfd file descriptor to the address specified by addr, and it takes three arguments as shown below

sockfd refers to the socket() created earlier, so we will save it in “ESI”. addr is where we specify our desired IP address, and it is broken down into three parts as shown below

Now sin_family is pretty self-explanatory, so we’ll go with “AF_INET”, which according to the first code block in socket() translates to “2”. We’ll go with “1337” for sin_port and “192.168.80.129” for sin_addr; both values need to be pushed in network byte order (“big-endian”), and RFC1700 explains why. The last argument is addrlen, which defines the size of addr in bytes, “16” in our case. Let’s identify the ID for the connect() function (“EBX”)
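As an added illustration (this is not code from the original post or from its GitHub repo), here is a small Python helper that builds the 16-byte sockaddr_in exactly as laid out above and decodes one back, so the byte order can be confirmed before the pushes are hand-assembled. The function names build_sockaddr_in, parse_sockaddr_in and hexdump are my own; the values it uses (AF_INET = 2, port 1337, 192.168.80.129, a 16-byte addrlen) come from the post.

```python
import socket
import struct

AF_INET = 2            # value the post derives for sin_family
SOCKADDR_IN_LEN = 16   # addrlen passed to connect(), per the post


def build_sockaddr_in(ip: str, port: int) -> bytes:
    """Return the 16-byte sockaddr_in that connect() expects for an IPv4 endpoint.

    Layout: sin_family (2 bytes, host order), sin_port (2 bytes, network order),
    sin_addr (4 bytes, network order), sin_zero (8 bytes of padding).
    """
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port must fit in 16 bits")
    family = struct.pack("<H", AF_INET)   # host byte order: little-endian on x86
    net_port = struct.pack("!H", port)    # "!" = network (big-endian) byte order
    net_addr = socket.inet_aton(ip)       # dotted quad -> 4 bytes, network order
    sin_zero = b"\x00" * 8
    blob = family + net_port + net_addr + sin_zero
    if len(blob) != SOCKADDR_IN_LEN:
        raise AssertionError("sockaddr_in must be exactly 16 bytes")
    return blob


def parse_sockaddr_in(blob: bytes) -> dict:
    """Decode a 16-byte sockaddr_in back into its family, port and dotted-quad IP."""
    if len(blob) != SOCKADDR_IN_LEN:
        raise ValueError("expected a 16-byte sockaddr_in")
    family = struct.unpack("<H", blob[0:2])[0]
    port = struct.unpack("!H", blob[2:4])[0]
    ip = socket.inet_ntoa(blob[4:8])
    return {"family": family, "port": port, "ip": ip}


def hexdump(blob: bytes) -> str:
    """Space-separated hex, the way the bytes appear in an objdump-style listing."""
    return " ".join(f"{b:02x}" for b in blob)


if __name__ == "__main__":
    # Constructed call using the values from the post.
    addr = build_sockaddr_in("192.168.80.129", 1337)
    print(hexdump(addr))   # 02 00 05 39 c0 a8 50 81 00 00 00 00 00 00 00 00
    print(parse_sockaddr_in(addr))
```

For the post’s values the struct is 02 00 05 39 c0 a8 50 81 followed by eight zero bytes: sin_family is written in host order (hence 02 00 on x86), while the port and address are big-endian, which is the point the RFC1700 reference makes. The decoder is the same layout read in reverse, and it is also what you reach for when recovering the callback address from a sockaddr structure captured during analysis of an unknown sample.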

Back to the terminal

dup2()

dup2() is used to duplicate file descriptors; for more information on this function please refer to the TCP Bind blog post. Some more code!

execve()

execve() is used to execute a program; for more information on this function please refer to the TCP Bind blog post.

Final Shellcode

Now that we have all the pieces of the puzzle, let’s compile and test, and then create a Python script that takes an IP address and port number and adds them to our custom shellcode. Here’s the final code

Here’s a graphical version of it

Demo time!

Let’s dump the shellcode and then use it to create the Python script

Here’s the script

Running the script with the same IP address and port will output exactly the same shellcode generated earlier!

Closing Thoughts

This post is a continuation of the TCP Bind one, so it does not have much information beyond what we’ve already learned. Feel free to contact me with questions using the comment section below or just tweet me @ihack4falafel. All of the code is available on my GitHub as shown in the link below. Hope this post has been a good resource, and I’d like to thank you for viewing!

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID:    SLAE-1115

Github Repo: https://github.com/ihack4falafel/SLAE32/tree/master/Assignment%202
