Sunday, 4 August 2013

Writing Bind TCP Shellcode Linux/x86

Once upon a time in a faraway village....


As part of the SecurityTube Linux Assembly Expert (SLAE) course, I explain my solution to the first assignment, “Create a Shell Bind TCP shellcode”.

I think this course is a great opportunity to understand how to create and analyse shellcode and, most importantly, to "think outside the box". The tools I used were:

1.  Nasm
2.  Ld
3.  Gcc
4.  Objdump
5.  Libemu
6.  Strace

PoC Bind TCP Shell Program:

Before coding our shellcode in assembly language, it is a good idea to code a PoC program with the same functionality as our shellcode. This helps us understand, at a “high level”, how to code the shellcode.


In the code I put comments to identify all the system calls the program uses to bind a TCP port, but how can I verify that? A simple way is to use the strace tool on our Linux box:

As you can see there are six important system calls in our program:

1. socket
2. bind
3. listen
4. accept
5. dup2
6. execve

For more information about these system calls see the man pages on your Linux box.
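The same six-call chain that strace shows for the PoC is also what a defender looks for when deciding whether a traced process behaves like a bind shell. The following is an added example (not code from the original post): it walks constructed strace-style lines, follows the file descriptors from socket through accept and dup2, and only reports a match when execve runs after stdin, stdout and stderr have been redirected to the accepted client. The sample trace, the port 4444 and the function name detect_bind_shell are assumptions made for the example.

```python
import re

# Constructed strace-style output for a bind-shell PoC (not a real capture):
# the socket -> bind -> listen -> accept -> dup2 x3 -> execve chain.
SAMPLE_TRACE = """\
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
listen(3, 1) = 0
accept(3, NULL, NULL) = 4
dup2(4, 0) = 0
dup2(4, 1) = 1
dup2(4, 2) = 2
execve("/bin/sh", ["/bin/sh"], [/* 0 vars */]) = 0
"""

CALL_RE = re.compile(r'^(\w+)\((.*)\)\s*=\s*(-?\d+)')
PORT_RE = re.compile(r'htons\((\d+)\)')


def detect_bind_shell(trace):
    """Walk strace lines in order and track file descriptors across the calls.
    Returns a dict describing the bind shell when the complete chain is seen
    (listening socket, accepted client, stdin/stdout/stderr redirected to the
    client, then execve), otherwise None."""
    listen_fd = client_fd = port = None
    listened = False
    dup_targets = set()
    for line in trace.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        call, args, ret = m.group(1), m.group(2), int(m.group(3))
        argv = [a.strip() for a in args.split(',')]
        if call == 'socket' and ret >= 0:
            listen_fd = ret                       # new socket fd
        elif call == 'bind' and argv[0] == str(listen_fd):
            pm = PORT_RE.search(args)             # port the shell will listen on
            port = int(pm.group(1)) if pm else None
        elif call == 'listen' and argv[0] == str(listen_fd) and ret == 0:
            listened = True
        elif call == 'accept' and listened and argv[0] == str(listen_fd) and ret >= 0:
            client_fd = ret                       # fd of the connected client
        elif call == 'dup2' and client_fd is not None and argv[0] == str(client_fd):
            dup_targets.add(int(argv[1]))         # which std fd was redirected
        elif call == 'execve' and dup_targets >= {0, 1, 2} and port is not None:
            return {'listen_fd': listen_fd, 'client_fd': client_fd,
                    'port': port, 'binary': argv[0].strip('"')}
    return None
```

Removing any link of the chain (for example one of the dup2 calls) makes the function return None, which is the point: a single socket or execve on its own is normal, the ordered chain is the signal.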

Generating our Bind TCP Shellcode:

At this point we have identified the system calls and the flow of the program:

1. Create a socket (socket call)
2. Prepare the socket to listen for a connection on a given port (bind call)
3. Listen for a connection (listen call)
4. Accept the connection (accept call)
5. Spawn the shell (dup2 and execve calls)

All we have to do now is translate that into assembly language. To do that I used some bash scripts to simplify the compilation process. For more details about how to code the shellcode, visit my GitHub page.

One interesting tool that I did not know until now is libemu. Libemu is a small library written in C offering basic x86 emulation and shellcode detection using GetPC heuristics. It is designed to be used within network intrusion detection/prevention systems and honeypots. Using libemu we can emulate our shellcode and, among other things, get a visual perspective of it.

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

Student ID: SLAE-437
