Linux TCP Reverse Shell from Scratch with Intel x86 Assembly
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
Student ID: SLAE-975
Assignment number: #2
Github repository: https://github.com/amonsec/SLAE/tree/master/assignment-2
Note: this post will not go as deep as the previous one, because only a few things change and the process is the same. To fully understand this one, I highly recommend reading the bind shell post first: https://amonsec.net/training/linux-assembly-x86/2018/linux-tcp-bind-shell-from-scratch-with-intel-x86-assembly
The aim of this post is to create from scratch a Linux TCP reverse shell in Intel x86 Assembly instead of using Metasploit. It’s always a good thing to create your own shellcode because:
- You know what you are using
- You have a small custom shellcode
- It’s fun
What you need in order to reproduce the process:
- A Linux x86 system (Kali Linux in my case) and
- Your brain (and maybe a cup of coffee or eight)
What is a TCP reverse shell?
A TCP reverse shell is a program that tries to connect to a given host address and port in order to execute a shell.
The main difference between a bind shell and a reverse shell is that the reverse shell, in most cases, can bypass firewall rules, because it’s the target that connects to the attacker and not the other way round. Why? Because outbound firewall rules are, in most cases, less restrictive than inbound firewall rules.
The following C code is an example of a TCP reverse shell:
The only difference here is that we don’t bind and wait for an incoming connection with the bind and listen functions.
Instead, we use the connect function to connect to a given remote host and port:
The rest of the code is the same and works the same way. Let’s compile and see if it works:
We are ready to create our assembly code.
From C to Assembly
Create our socket
Connect our socket
The first thing that we need to do now is to convert both the IP address and the port to big-endian (network byte order) format. For that I wrote a simple Python script to automate the process:
Note, you can use any IP address you want. In my case I didn’t use 127.0.0.1 in order to avoid null bytes (0x00).
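The conversion described above, as an added example that is not the author's script from the repository: it turns a dotted-quad address and a port into the little-endian `push` immediates whose memory image is the network-order `sin_addr` and `sin_port`, and it reports which of those bytes would be 0x00 (the reason 127.0.0.1 was avoided). The function names and the NASM rendering are my own choice.

```python
import socket
import struct

def sockaddr_immediates(ip, port):
    """Return (ip_imm, port_imm): the 32-bit and 16-bit immediates that a
    little-endian x86 `push` writes to the stack as sin_addr and sin_port in
    network (big-endian) byte order, exactly as struct sockaddr_in expects."""
    addr = socket.inet_aton(ip)          # 4 bytes, already in network order
    port_be = struct.pack('>H', port)    # 2 bytes, network order
    # Re-read the same bytes as little-endian integers: pushing these
    # immediates reproduces the network-order byte image in memory.
    ip_imm = struct.unpack('<I', addr)[0]
    port_imm = struct.unpack('<H', port_be)[0]
    return ip_imm, port_imm

def null_byte_positions(ip, port):
    """Offsets (0-3 in the address, 4-5 in the port) whose byte is 0x00;
    any such byte would truncate shellcode copied with string functions."""
    image = socket.inet_aton(ip) + struct.pack('>H', port)
    return [i for i, b in enumerate(image) if b == 0]

def nasm_pushes(ip, port):
    """Render the two push instructions in the order they are pushed
    (address first, then port) so the struct builds up from high to low
    stack addresses, as in the assembly listing."""
    ip_imm, port_imm = sockaddr_immediates(ip, port)
    return [f"push dword 0x{ip_imm:08x}", f"push word 0x{port_imm:04x}"]

if __name__ == "__main__":
    import sys
    # Usage: python3 sockaddr.py 192.168.1.10 4444 (values are constructed)
    ip, port = sys.argv[1], int(sys.argv[2])
    for line in nasm_pushes(ip, port):
        print(line)
    bad = null_byte_positions(ip, port)
    if bad:
        print(f"warning: null byte at offset(s) {bad}; pick another host/port")
```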
Duplicate our File Descriptor
The loop version:
The basic version:
Execute the shell
We can compile it now:
Like in the previous post, now it’s time to write a Python script to automate the creation of the reverse shell for a given port and IP address. First, we extract the shellcode:
With the shellcode, we can write our Python script: