Jieun Song, 2014.12.04
Port-Binding & Connect-Back Shellcode
• Limitation of local shellcodes
– When exploiting a remote program, a local shellcode cannot open a shell for the attacker at a remote location
– The injected shellcode needs to communicate over the network to deliver an interactive root prompt
• Port-binding shellcode and connect-back shellcode
– The shellcodes work as a network server / a network client
– An attacker can use a shell at a remote place through a network connection
Contents
• Basics of Socket Programming and Network Connection
– Server side: for a better understanding of port-binding shellcode
– Client side: for a better understanding of connect-back shellcode
• Socket Programming in Assembly
• How to Make a Port-binding Shellcode
• Difference between Port-binding and Connect-back
• How to Make a Connect-back Shellcode
• Demonstration
Socket Programming
• A.k.a. network programming
– Making a program which has network communication capability
• Socket
– An interface, a data structure, and a descriptor
– Commonly used at both the server and the client side
• End-to-end interface
– Working at the transport layer (L4)
Socket Communication Mechanism
• Brief workflow of socket programming (shown as a figure in the slides)
Server Side Socket Programming (1/6)
• Socket creation: ‘socket()’
– Socket constructor for a server or a client
– Parameters
• af : address family
– AF_INET : IPv4
– AF_INET6 : IPv6
– AF_UNSPEC : unspecified
• type : socket type
– SOCK_STREAM : TCP stream
– SOCK_DGRAM : UDP datagram
• protocol : ICMP, IGMP, TCP, UDP, etc.
Server Side Socket Programming (2/6)
• Binding a socket to a port: ‘bind()’
– Parameters
• s : a socket created by socket()
• name : a pointer to a socket address structure (sockaddr)
• namelen : length of the sockaddr structure
– Return
• Error code
Server Side Socket Programming (3/6)
• Socket address structures: ‘sockaddr’ & ‘sockaddr_in’
• sockaddr : general address structure
– sa_family : socket address family
– sa_data[14] : address data in various formats
• sockaddr_in : only for IPv4 addresses
– sin_family : should be AF_INET (IPv4 address family)
– sin_port : TCP/UDP port number
– sin_addr : 32-bit IPv4 address
Server Side Socket Programming (4/6)
• Open a listening port: ‘listen()’
– Now this socket and the bound port work as a server
• Parameters
– s : a socket used to listen for incoming connections
– backlog : the maximum queue size for connection requests
• Return
– Error code
Server Side Socket Programming (5/6)
• Accept an incoming connection: ‘accept()’
– ‘accept’ newly creates a communication socket with a new port
– The ‘listen’ socket and port are not the communication socket
• Parameters
– s : listen socket (input)
– addr : address of the accepted client (output)
– addrlen : length of the available (input) and returned (output) address structure
• Return
– Communication socket
Server Side Socket Programming (6/6)
• Data communication: ‘read()’ and ‘write()’
– send() and recv() in some system calls
• Disconnection: ‘shutdown()’ and ‘close()’
– shutdown sends the disconnection message to the other side
• It declares that the socket will not send/receive data anymore
• A shut-down socket waits for the ‘FIN_ACK’ from the other side
– close releases every functionality and resource of the socket
• close without a clean shutdown makes ‘dirty closed’ sockets
Client Side Socket Programming
• Socket creation, communication, and disconnection
– Identical to the server side socket
• Connection: ‘connect()’
• Parameters
– s : socket for communication
– name : pointer to the server address structure
– namelen : length of the server address structure
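The server-side and client-side call sequences from the preceding slides, run against each other over loopback. This is an added example in Python, not code from the slides; it assumes a free loopback port (bind to port 0 lets the kernel pick one) and uses a thread so both sides run in one process.

```python
import socket
import threading

# Added example (not from the slides): server-side socket(), bind(), listen(),
# accept() and client-side connect() run against each other over loopback,
# followed by read/write and an orderly shutdown()/close() on both sides.

def serve_one(listener, seen):
    """Server side: accept() one client on the listening socket and echo its request."""
    conn, peer = listener.accept()          # accept() returns a NEW communication socket
    seen["peer"] = peer                     # (address, port) of the accepted client
    with conn:                              # close() the communication socket on exit
        request = conn.recv(1024)           # read() the client's data
        conn.sendall(b"echo:" + request)    # write() the reply
        conn.shutdown(socket.SHUT_WR)       # shutdown(): no more data from our side

def round_trip(payload):
    """Client side: connect() to the server, send payload, read until the server shuts down."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)  # socket(AF_INET, SOCK_STREAM, 0)
    listener.settimeout(5)                  # never block forever in accept() if the client fails
    listener.bind(("127.0.0.1", 0))         # bind(): port 0 asks the kernel for a free port
    listener.listen(4)                      # listen() with a backlog of 4, as on the slides
    port = listener.getsockname()[1]
    seen = {}
    server = threading.Thread(target=serve_one, args=(listener, seen))
    server.start()
    chunks = []
    try:
        client = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
        with client:
            client.connect(("127.0.0.1", port))   # connect() with the server's sockaddr_in
            client.sendall(payload)
            client.shutdown(socket.SHUT_WR)       # we are done sending
            while True:
                chunk = client.recv(1024)
                if not chunk:                     # EOF: the server's shutdown()/close() arrived
                    break
                chunks.append(chunk)
    finally:
        server.join()
        listener.close()                          # close() the listening socket
    return {"port": port, "reply": b"".join(chunks), "client_port": seen["peer"][1]}

if __name__ == "__main__":
    print(round_trip(b"hello"))
```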
Socket Programming in Assembly (1/2)
• These socket functions can all be accessed with a single Linux system call, aptly named socketcall()
• Syscall number : 102
• socket(), bind(), listen(), and accept() can be called with syscall 102
• Syscall 102 with ebx
• ebx = 1 (SYS_SOCKET, the constructor)
• ebx = 2 (SYS_BIND)
• ebx = 3 (SYS_CONNECT)
• ebx = 4 (SYS_LISTEN)
• ebx = 5 (SYS_ACCEPT)
– How to use a system call
- mov BYTE al, 0x66 ; system call number in eax, 0x66 = 102
- mov ebx, 0x01 ; function code for the constructor (0x01) in ebx
- … push parameters on the stack …
- int 0x80 ; system call interrupt 0x80
Socket Programming in Assembly (2/2)
• How to send a command to a shell and get its result through a socket?
– A socket is also a file descriptor (FD)
• Copy the standard FDs to the socket FD
– Make the shell able to write the command and read the result on the socket
– The console input becomes the socket input
– The console output becomes the socket output
• dup2(oldfd, newfd)
– System call that makes newfd a copy of oldfd
– System call number : 63
– FD: 0 (stdin), 1 (stdout), 2 (stderr)
• How to call dup2()
• eax : 0x3F ; system call number 63
• ebx : old socket FD
• ecx : new FD
• int 0x80 ; system call interrupt
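A defender-side check for the effect of the dup2() trick described above: once stdin, stdout and stderr have been duplicated onto a socket, the links /proc/<pid>/fd/0, 1 and 2 resolve to "socket:[inode]" instead of a tty, pipe or file. This is an added example in Python, not from the slides; the sample readlink targets are constructed.

```python
import os

# Added example (not from the slides): detect processes whose standard
# descriptors were redirected to a socket with dup2(), by reading the
# symlinks in /proc/<pid>/fd/ the same way `ls -l /proc/<pid>/fd` would.

STD_FDS = {0: "stdin", 1: "stdout", 2: "stderr"}

def stdio_on_socket(fd_targets):
    """Return the names of standard descriptors whose readlink() target is a socket.

    fd_targets maps fd number -> readlink() target, e.g. {0: "socket:[12345]"}.
    """
    return [STD_FDS[fd] for fd in sorted(STD_FDS)
            if fd_targets.get(fd, "").startswith("socket:")]

def read_fd_targets(pid):
    """Read /proc/<pid>/fd/{0,1,2} via readlink; closed or unreadable fds are skipped."""
    targets = {}
    for fd in STD_FDS:
        try:
            targets[fd] = os.readlink(f"/proc/{pid}/fd/{fd}")
        except OSError:          # fd closed, process gone, or no permission
            pass
    return targets

def scan_procs():
    """Map pid -> redirected standard descriptors for every process we may inspect."""
    hits = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            flagged = stdio_on_socket(read_fd_targets(int(name)))
            if flagged:
                hits[int(name)] = flagged
    return hits

# Constructed samples: readlink targets of a dup2-redirected shell and of a normal one.
SAMPLE_SHELL = {0: "socket:[12345]", 1: "socket:[12345]", 2: "socket:[12345]"}
SAMPLE_NORMAL = {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}

if __name__ == "__main__":
    for pid, fds in scan_procs().items():
        print(f"pid {pid}: {', '.join(fds)} attached to a socket")
```

Services spawned by inetd-style supervisors and sshd session processes legitimately hold their stdio on sockets, so treat a hit as a lead to correlate with /proc/<pid>/comm and the parent process rather than as a verdict.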
How to Make a Port-binding Shellcode
; Socket creation
; socket = socket(AF_INET, SOCK_STREAM, 0)
; Binding a port to the created socket
; bind(sock, (struct sockaddr *)&host_addr, sizeof(struct sockaddr))
; Request the kernel to use the socket for listening for connections
; listen(sock, 4)
; Accept and make a connection with a client
; accept(sock, NULL, 0)
; dup2
; Set stdin (0), stdout (1) and stderr (2) to the socket FD
• Making a shellcode
• Get the machine code by compiling the shellcode
• Lastly, we’ve got 92 bytes of port-binding shellcode
Port-binding Shellcode vs Connect-back Shellcode
• Port-binding shellcode (diagram: attacker and victim)
① Port-binding shellcode infection
② Server port open and listen (on the victim)
③ Connection from the attacker
④ Shell open
• Connect-back shellcode (diagram: attacker and victim)
① Connect-back shellcode infection
② Client port open and connect (from the victim)
③ Connect-back from the shellcode to the attacker
④ Shell open
Port-binding vs Connect-back: Difference in Codes
Step                          Port-binding                  Connect-back         
Socket creation               socket()                      socket()             Identical
Server connection             bind(), listen(), accept()    connect()            Different
File descriptor duplication   dup2()                        dup2()               Identical
Shell open                    execve(“/bin//sh”)            execve(“/bin//sh”)   Identical
Connect-back Shellcode: Pros and Cons
• Pros
– Firewall evasion
• No inbound connection
• Cons
– Pre-defined connect-back address
• The attacker’s IP address can be revealed
• The server IP address cannot be changed
– Domain names are usable but still risky for the attacker
– No shell on demand
• The attacker must wait for the incoming connection
Connect-back Shellcode in a Nutshell
• Connecting IP address : 192.168.42.74 (attacker’s IP)