Saturday, 14 April 2018

Coding a custom TCP Reverse Shell Shellcode for Linux x86 with Assembly

A shell is a small program that takes input from the user and sends it back to operating system and vice versa. In this writeup I will show you how we can create a custom tcp bind shell shellcode. So how does TCP Reverse exploit shell work ?

In a TCP Reverse shell exploit shellcode is more effective than bind shell. It might happen the victim firewall may block the incoming connection. So instead of opening the port at the victim side we will open a port at the attacker side. We ask the victim machine to connect back to us on successfull execution of the shellcode. So we on attacker side will listen for an incoming connection and when the attacker connect to the listening port,  on the victim side it will open up a shell and transfer the control to the attacker. So the attacker now has a shell access to the victims machine and can run any commands.

So there are few points I need to make clear while I write this post
1. The code that I have written went through  lot of  debugging and modification and I am still modifying ( to minimize , to remove bad characters like  PUSH 0x0 can introduce bad characters so I replaced them with something that had the value NULL and then pushed them to on stack like PUSH ECX )

2. Some code which I have written might look STUPID (for example mov eax,edx  followed by mov edx,eax). I just wrote them to remember few things like ( X will always hold Y data before the operation ) and I am optimizing them still to remove them. As I will keep updating my code , I will continue to remove them)

3. I will try to keep the documentation and the details in the code itself , so that I can constantly modify them from the github instead of modifying them twice , i.e here and in the github again.

Part 1 : Writing a TCP Reverse Shell in C. Now why did we start wring with a C code?

Firstly while coding with C we will use some  function calls which we will re-implement them exactly the same in our Assembly Code
Secondly due to the availability of the documentation in linux. So we can look up any documentation of the function by issuing the "man" command e.g man socket

TCP Reverse Shell Written in NASM , but this has a drawback ( only connect to hardcoded which we will fix in the next code below this code)

We made some changes from the above code so that it can connect to any IP address

Shellcode with configurable IP and Port

This blog post has been created for completing the requirements of SecurityTube Linux Assembly Expert Certification:
Student ID: PA-1191