SLAE Assignment 2: Reverse shell shellcode

Getting off the beaten track with UDP shellcode 

Hint: It's easier to read the code on GitHub!

Welcome back, fellow reader! Today I will show you how I built the reverse shell shellcode for Assignment 2 of the SLAE course.

Designing the shellcode and tools


I decided to go for a UDP reverse shell for several reasons:
- I need to inject some originality into my shellcode (required)
- I might want to submit the shellcode to the shell-storm database (grants extra points)
- I want to code something useful for the community as well as for future pentests.

Indeed, during pentesting assignments we often stumble upon restrictive iptables rules. But quite often, system administrators let egress UDP port 53 pass through to any external IP for DNS requests (or they simply forgot about UDP). It can be quite handy to have a reverse shell that uses this hole.

Important notes:
- Contrary to the bind shell (which binds to 0.0.0.0 and contains no null bytes by default), this shellcode takes parameters (the connect-back IP and port) that you specify;
- These parameters may contain null bytes if the port or address you pick contains a null byte in its hex form. Example: a port is encoded on two bytes; port 1234 contains no null byte (0x31323334), while port 53 contains a null byte (0x3500);
- If we want to use port 53 we need to avoid that null byte;
- There is an issue with UDP over 127.1.1.1 (one message can be sent, then the connection is dropped...), so we will use 127.0.0.1 for testing (mind that it contains null bytes, so specify an address without null bytes in the %define when using the shellcode for real);

I made the shellcode ready for port 53 by default, but you can use a variable port as well: you just need to comment out the flagged lines in the .nasm file. As a reminder, you can check for null bytes with objdump -D elf | grep --color '00'.
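To see in advance which connect-back parameters can be embedded verbatim, here is an added Python example (not code from the original post). It encodes the IP and port as the 16-bit and 32-bit network-order immediates the shellcode pushes and reports every 0x00 byte, which is the same check the objdump grep above performs on the finished binary; the sample IP/port pairs at the bottom are constructed for illustration.

```python
import socket
import struct


def port_bytes(port):
    """Port as the 2-byte network-order immediate the shellcode pushes."""
    if not 0 < port < 65536:
        raise ValueError(f"invalid port {port}")
    return struct.pack("!H", port)


def ip_bytes(ip):
    """IPv4 address as the 4-byte network-order immediate (inet_aton does the packing)."""
    return socket.inet_aton(ip)  # raises OSError on a malformed address


def null_offsets(blob):
    """Offsets of every 0x00 byte, the same thing `objdump -D ... | grep '00'` highlights."""
    return [i for i, b in enumerate(blob) if b == 0]


def check_params(ip, port):
    """Report whether the connect-back parameters are safe to embed as immediates.

    Only the two values themselves are checked, not the whole sockaddr_in:
    sin_family and sin_zero are normally built with null-free instructions,
    so the user-chosen IP and port are the parts that can introduce a null.
    A non-empty offset list means that value must be derived at runtime
    instead of stored literally in the shellcode.
    """
    ipb, pb = ip_bytes(ip), port_bytes(port)
    return {
        "ip_hex": ipb.hex(),
        "port_hex": pb.hex(),
        "ip_nulls": null_offsets(ipb),
        "port_nulls": null_offsets(pb),
        "clean": not null_offsets(ipb) and not null_offsets(pb),
    }


if __name__ == "__main__":
    # Constructed sample parameters: the loopback/port-53 cases from the notes above,
    # plus a null-free pair that can be embedded as-is.
    for ip, port in [("127.0.0.1", 53), ("127.0.0.1", 1234), ("192.168.1.10", 53), ("192.168.1.10", 4444)]:
        print(f"{ip}:{port} -> {check_params(ip, port)}")
```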


Coding the UDP reverse shellcode 


I must admit I was pretty impressed with the Linux syscall API after this Assignment 2, as it was pretty quick to make the switch to UDP and it worked from scratch.

The master plan (of syscalls) is as follows:

- Create a socket file descriptor of type SOCK_DGRAM (UDP)
- Connect to the designated IP on the designated port
- Send a message over this connected socket (I think it might help with stateful firewalls here, but I might be wrong) to notify the listener that you are ready to serve a shell
- Duplicate the socket fd onto stdin, stdout and stderr
- Spawn a /bin/sh shell

Without further ado, here is the code with comments:

It's quite short :]. Let's see it in action.


Good.

This shellcode has been submitted to the shell-storm and exploit-db databases. (Status: emails sent)

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

SLAE - xxx
