SLAE Assignment 1: Bind shell shellcode

Baby steps in NASM Assembly x86

Hint: Its easier to read code on github ! 

SLAE - 970

Hello fellow reader !  In this blog post I will describe how to create several security or offensive shellcodes in assembly language. These exercises are provided for learning purposes by the SecurityTube Linux Assembly Expert courses. I wish you a good reading and do not hesitate to ask questions or post in comments. All the relevant files can be found on the github repo.

Remarks: sharing code and syntax directly from Github, as embedded, is a pain (except if you gist everything). I will use Gist-it app proxy for gisting the github code directly. This is just a notification that we rely on Gist-it javascript and that it may reduce overall security...  but hey... we trust Gist-it :]

1. Introduction / Helpful tooling

In the course, we are provided with a bash script 'compile.sh' for compiling assembly .nasm to ELF using nasm compiler. First this script has an issue which is pretty annoying. If you misspell the target extension (./script target.asm instead of target), it will overwrite and delete your .nasm with empty file. Since  I lost a lot of time and work due to this bug I decided to wrote a more "backup friendly" compile script :

Since we are creating shellcodes, you need to know their purpose. They are most often created to be injected into a running process memory using either overflow or similar bugs. The objective is to run your own arbitrary code. Some injections are limited in what type of bytes you can send to the process ("bad chars"). Most of injections or overflow occurs in strings and as you may know strings in C and in various other languages are terminated by a NULL byte \x00. It means that if you inject your shellcode into a string, when the C process encounter a NULL byte \x00 it will stop copying your string. If your shellcode contains a NULL byte in the middle, only part of your shellcode will be copied. All of this to say that we will try to write shellcodes which do not contains NULL bytes. Please remember that depending on which injection or process you target, your shellcode might need to be stripped off other type of bad chars (such as CR byte \x0a or LF \x0d) and so on...

Now to properly test this injection inside a running process, we will use a C wrapper program, provided inside the courses files.

We need to extract bytecode before copying into the code of the wrapper program. So, I copy pasted a command line from the course to do this. 

As we need to repeat all these steps very often, you probably need another simple bash script which automatically does everything for you.

One last point: the course exam requires that your shellcodes have parameters which are easily modified (like changing port or connecting ip for reverse shell). So we need a last script which can modify these parameter before compiling shellcodes. For the sake of harmonization, I defined all the parameters as `%define parameter X` in the .nasm sources so I can provide a bash script which enable us to modify these parameters in any shellcode. Doh !

2. Not (so) copy-pasted bind shellcode

Now onto the Assignment 1 (AS1). The requirement is that the shellcode needs to be original (so wow!) and we said also previously that we will need to avoid NULL bytes.

Being original is not that easy task given all the writeups for the SLAE out there on the interweb. I first tried to be extra smart and code a super advanced socket reuse shellcode but I realized I am far too newbie to do such cool things (sic). So this first assignment is lacking on the original side. I only tried to get the most simple example (read get it working).

I did not understand (at first) why other guys use complicated XCHG, DEC and similar instructions. After several tries, it was more clear for me why they used XOR EAX,EAX followed by MOV AL,0x01 instead of MOV EAX,0x01... This assignment is somewhat original in the way I replaced instructions to avoid NULL bytes. But in other words, if you look for originality (which can help on the Antivirus dectection bypass part) you better look for the next assignments. :]

The masterplan is the following:
- Create a socket file descriptor 
- Bind the socket to address 0.0.0.0 and a customizable port
- Accept incoming connection from client
- Copy socket file descriptor to STDIN, STDOUT , STDERR of the process
- Execute /bin/sh in the process

I will comment all the instructions directly inside the code as it is easier for me to explain while coding. I recommend to open the code in github if you have issue with the gist-it screen.


That's it for AS1 ! It is quite simple but trust me it feels great after receiving a dozen of  Segfaults and bug fixing for hours that your ncat localhost gives you a shell. If you want to test it, you can compile it with ./bettercompile.sh simplebindshell or with nasm directly, run it with ./simplebindshell and connect to it with netcat. Like this :

Remarks: Never run untrusted shellcode before reading its assembly either through the source code (provided here) or by reversing it. 


See you on the next assignment ! 



This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

SLAE - xxx