{"id":173,"date":"2018-02-25T11:40:14","date_gmt":"2018-02-25T10:40:14","guid":{"rendered":"http:\/\/pentester.blog\/?p=173"},"modified":"2019-08-18T19:47:32","modified_gmt":"2019-08-18T17:47:32","slug":"slae64-assignment-1-shell-bind-tcp-shellcode","status":"publish","type":"post","link":"https:\/\/hacktarus.fr\/?p=173","title":{"rendered":"SLAE64 – Assignment #1 – Shell Bind TCP shellcode"},"content":{"rendered":"

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification :<\/p>\n

http:\/\/www.securitytube-\u00adtraining.com\/online-\u00adcourses\/x8664-\u00adassembly-\u00adand-\u00adshellcoding-\u00adon-\u00adlinux\/index.html<\/p>\n

Student ID: PA-6470<\/p>\n

Assignment #1<\/h2>\n

The aim of this assignment is to create a bind shellcode with a passcode and to remove all 0x00 from opcodes.<\/p>\n

This shellcode opens a TCP socket and listens on port 4444 :<\/p>\n

\"\"<\/p>\n

You can connect to this shellcode using netcat command on port 444 :<\/p>\n

A passcode is required, enter pwd<\/strong> and return key.<\/strong><\/p>\n

Here we are on the \/bin\/sh shell !<\/p>\n

\"\"<\/p>\n

Here are the opcodes of this shellcode, as you can see there are no 0x00 :<\/p>\n

\"\"<\/p>\n

I’ll not detail all parts of this shellcode because there are very similar to the standard TCP bind shellcode seen in SLAE64 course.<\/p>\n

However I’ll explain the passcode code part and how I’ve removed the 0x00.<\/p>\n

First, we need to print a passcode text string. The string I’ve chosen is 12 characters long (with a space character at the end) :<\/p>\n

#passcode : <\/strong><\/p>\n

which is 0x2370617373636f6465203a20<\/strong> in hexadecimal. Due to the stack technique we need to push this value in reverse order <\/strong>\u00a0:<\/p>\n

\t\r\n\tpush 0x203a2065\t\t\t; #passcode : \r\n\tmov rbx, 0x646f637373617023\t; #passcode : \r\n\tpush rbx\r\n<\/pre>\n
Then we can print this text using syscall 1. All syscalls can be found here : http:\/\/blog.rchapman.org\/posts\/Linux_System_Call_Table_for_x86_64\/<\/p>\n
rdi = file descriptor = 1 = stdout<\/p>\n
rsi = text buffer to print = rsp =\u00a00x2370617373636f6465203a20 in reverse order<\/strong><\/p>\n
rdx = text buffer size<\/p>\n
xor rdx, rdx\u00a0 \r\nmov dl, passcode_required_size\r\n\r\nmov rsi, rsp \r\nxor rdi, rdi\r\nmov dil, 1   ; stdout\r\nxor rax, rax\r\nmov al, 1    ; sys_write\r\nsyscall<\/pre>\n
Then we need to ask and wait for user input and store user passcode string in memory. In order to give memory space for user string, I’ve chosen to push 8 characters on the stack and to give this pointer to rsi :<\/p>\n
; user input\r\n        \r\n;mov rdx, buffer_size\r\nxor rdx, rdx\r\nmov dl, buffer_size\t\r\n\r\n;mov rsi, buffer\r\nmov rbx, 0x0101010101010101\r\npush rbx\r\nmov rsi, rsp\r\n\r\nxor rdi, rdi   ; stdin\r\nxor rax, rax \r\nsyscall        ; sys_read<\/pre>\n
Then we need to check passcode. First I put the correct passcode\u00a0pwd0x0a\u00a0<\/strong>on the stack\u00a0<\/strong>and store it in rdi pointer register. Then whithin a loop I compare each character from user input (rsi register) with each character from correct passcode (rdi register). If there is a difference I jump to the exit code part. If all is OK I just continue to the standard shellcode part.<\/strong><\/p>\n
In order to remove 0x00 I’m using :<\/p>\n