Jieun Song 2014.12.04 Port-Binding & Connect-Back Shellcode


Page 2: Port Binding and Connect-back Shellcode

• Limitation of local shellcode
  – When exploiting a remote program, local shellcode cannot open a shell to an attacker at a remote location
  – The injected shellcode needs to communicate over the network to deliver an interactive root prompt

• Port-binding shellcode and connect-back shellcode
  – The shellcode works as a network server (port-binding) or as a network client (connect-back)
  – An attacker can use a shell at a remote location through the network connection

Page 3: Contents

• Basics of socket programming and network connection
  – Server side: for a better understanding of port-binding shellcode
  – Client side: for a better understanding of connect-back shellcode
• Socket programming in assembly
• How to make a port-binding shellcode
• Difference between port-binding and connect-back
• How to make a connect-back shellcode
• Demonstration

Page 4: Socket Programming

• A.k.a. network programming
  – Making a program that has network communication capability
• Socket
  – An interface, a data structure, and a descriptor
  – Commonly used on both the server and the client side
• End-to-end interface
  – Works at the transport level (L4)

Page 5: Socket Communication Mechanism

• Brief workflow of socket programming (flow diagram in the original slide)

Page 6: Server Side Socket Programming (1/6)

• Socket creation: socket()
  – Socket constructor for a server or a client
  – Parameters
    - af : address family
      - AF_INET : IPv4
      - AF_INET6 : IPv6
      - AF_UNSPEC : unspecified
    - type : socket type
      - SOCK_STREAM : TCP stream
      - SOCK_DGRAM : UDP datagram
    - protocol : ICMP, IGMP, TCP, UDP, etc.

Page 7: Server Side Socket Programming (2/6)

• Binding a socket to a port: bind()
  – Parameters
    - s : a socket created by socket()
    - name : a pointer to a socket address structure (sockaddr)
    - namelen : length of the sockaddr structure
  – Return
    - Error code

Page 8: Server Side Socket Programming (3/6)

• Socket address structure: sockaddr & sockaddr_in
• sockaddr : general address structure
  – sa_family : socket address family
  – sa_data[14] : address data in various formats
• sockaddr_in : only for IPv4 addresses
  – sin_family : should be AF_INET (IPv4 address family)
  – sin_port : TCP/UDP port number
  – sin_addr : 32-bit IPv4 address

Page 9: Server Side Socket Programming (4/6)

• Open a listening port: listen()
  – Now this socket and the bound port work as a server
• Parameters
  – s : a socket used to listen for incoming connections
  – backlog : the maximum queue size for connection requests
• Return
  – Error code

Page 10: Server Side Socket Programming (5/6)

• Accept an incoming connection: accept()
  – accept creates a new socket (a new descriptor) for the communication
  – The listen socket and its port are not the communication socket
• Parameters
  – s : listen socket (input)
  – addr : address of the accepted client (output)
  – addrlen : length of the available (input) and returned (output) address structure
• Return
  – Communication socket

Page 11: Server Side Socket Programming (6/6)

• Data communication: read() and write()
  – send() and recv() in some system call interfaces
• Disconnection: shutdown() and close()
  – shutdown sends the disconnection message to the other side
    • It declares that the socket will not send/receive data anymore
    • The shut-down socket waits for the FIN/ACK from the other side
  – close releases every functionality and resource of the socket
    • close without a clean shutdown makes a 'dirty closed' socket

Page 12: Client Side Socket Programming

• Socket creation, communication, and disconnection
  – Identical to the server-side socket
• Connection: connect()
• Parameters
  - s : socket for communication
  - name : pointer to the server address structure
  - namelen : length of the server address structure
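As an added example (not code from the original slides), the server-side calls of pages 6 to 11 and the client-side connect() of page 12 in one Linux/POSIX C program: the listener binds 127.0.0.1 on a kernel-chosen port, the client connects to it, the accept()ed socket echoes the message back, and shutdown() lets each side see the other's end-of-stream as read() returning 0. The message is constructed for the demonstration, and the program assumes a loopback interface is available.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Server side: socket() -> bind() -> listen().  Returns the listening fd and
 * reports the kernel-chosen port through *port_out, or -1 on failure. */
static int open_listener(uint16_t *port_out) {
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0) return -1;

    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(0);                       /* 0: let the kernel pick a free port */
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);  /* 127.0.0.1 only, never 0.0.0.0 here */

    if (bind(lfd, (struct sockaddr *)&addr, sizeof addr) < 0) { close(lfd); return -1; }
    if (listen(lfd, 4) < 0) { close(lfd); return -1; }

    socklen_t len = sizeof addr;
    if (getsockname(lfd, (struct sockaddr *)&addr, &len) < 0) { close(lfd); return -1; }
    *port_out = ntohs(addr.sin_port);
    return lfd;
}

/* Client side: socket() -> connect() to 127.0.0.1:port. */
static int open_client(uint16_t port) {
    int cfd = socket(AF_INET, SOCK_STREAM, 0);
    if (cfd < 0) return -1;
    struct sockaddr_in srv;
    memset(&srv, 0, sizeof srv);
    srv.sin_family = AF_INET;
    srv.sin_port = htons(port);
    srv.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (connect(cfd, (struct sockaddr *)&srv, sizeof srv) < 0) { close(cfd); return -1; }
    return cfd;
}

/* Drives both ends in one process: the client sends msg, the server echoes it
 * back through the accept()ed socket, and the client copies the reply into out.
 * Returns the number of echoed bytes, or -1 on any failure. */
int loopback_echo(const char *msg, char *out, size_t outlen) {
    uint16_t port;
    int lfd = open_listener(&port);
    if (lfd < 0) return -1;

    int cfd = open_client(port);   /* loopback handshake completes in the kernel before accept() */
    if (cfd < 0) { close(lfd); return -1; }

    struct sockaddr_in peer;
    socklen_t plen = sizeof peer;
    int sfd = accept(lfd, (struct sockaddr *)&peer, &plen); /* new descriptor, same listening port */
    if (sfd < 0) { close(cfd); close(lfd); return -1; }

    char buf[256];
    ssize_t n = -1;
    if (write(cfd, msg, strlen(msg)) == (ssize_t)strlen(msg)) {
        shutdown(cfd, SHUT_WR);                    /* client: "nothing more from me" (sends FIN) */
        n = read(sfd, buf, sizeof buf);            /* server reads the request */
        if (n > 0 && write(sfd, buf, (size_t)n) == n) {
            shutdown(sfd, SHUT_WR);                /* server is finished as well */
            ssize_t m = read(cfd, out, outlen - 1); /* client reads the echo */
            if (m >= 0) out[m] = '\0';
            n = (m >= 0) ? m : -1;
        } else {
            n = -1;
        }
    }
    /* read() returning 0 on the server side means the client's FIN has arrived */
    if (n >= 0 && read(sfd, buf, sizeof buf) != 0) n = -1;

    close(sfd); close(cfd); close(lfd);
    return (int)n;
}

/* Self-check: a five-byte message must come back unchanged. */
int loopback_echo_ok(void) {
    char reply[64];
    return loopback_echo("hello", reply, sizeof reply) == 5 && strcmp(reply, "hello") == 0;
}

int main(void) {
    char reply[64];
    int n = loopback_echo("hello", reply, sizeof reply);
    printf("echoed %d bytes: %s\n", n, n > 0 ? reply : "(error)");
    return n > 0 ? 0 : 1;
}
```

Binding INADDR_LOOPBACK rather than INADDR_ANY keeps the listener off external interfaces. Seen from the defender's side, a listening socket that appears on an unexpected port in a process that normally opens none is the network-visible footprint of the port-binding flow on page 21, which is why host agents inventory listening sockets per process.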

Page 13: Socket Programming in Assembly (1/2)

• These socket functions can all be accessed with a single Linux system call, aptly named socketcall()
• Syscall number: 102
• socket(), bind(), listen(), and accept() can be called with syscall 102
• Syscall 102 with ebx
  • ebx = 1 (SYS_SOCKET, the constructor)
  • ebx = 2 (SYS_BIND)
  • ebx = 3 (SYS_CONNECT)
  • ebx = 4 (SYS_LISTEN)
  • ebx = 5 (SYS_ACCEPT)
– How to use a system call
  - mov al, 0x66   ; system call number in eax, 0x66 = 102
  - mov ebx, 0x01  ; function code for the constructor (socket) in ebx
  - … push the parameters on the stack (ecx points to them) …
  - int 0x80       ; system call interrupt 0x80

Page 14: Socket Programming in Assembly (2/2)

• How to send a command to a shell and get its result through a socket?
  – A socket is also a file descriptor (FD)
• Copy the standard FDs to the socket FD
  – Makes the shell read its commands from, and write its results to, the socket
  – Console input becomes the socket input
  – Console output becomes the socket output
• dup2(oldfd, newfd)
  – System call that makes newfd a duplicate of oldfd
  – System call number: 63
  – FD: 0 (stdin), 1 (stdout), 2 (stderr)
• How to call dup2()
  • eax : 0x3F ; system call number 63
  • ebx : old FD (the socket)
  • ecx : new FD (0, 1 or 2)
  • int 0x80 ; system call interrupt

Page 15: How to Make a Port-binding Shellcode

; "Socket creation"
; "sock = socket(AF_INET, SOCK_STREAM, 0)"

Page 16: How to Make a Port-binding Shellcode

; "Binding a port to the created socket"
; "bind(sock, (struct sockaddr *)&host_addr, sizeof(struct sockaddr))"

Page 17: How to Make a Port-binding Shellcode

; "Request the kernel to use the socket for listening for connections"
; "listen(sock, 4)"

Page 18: How to Make a Port-binding Shellcode

; "Accept and make a connection with a client"
; "accept(sock, NULL, 0)"

Page 19: How to Make a Port-binding Shellcode

; "dup2"
; "Set stdin (0), stdout (1) and stderr (2) to the socket FD"

Page 20: How to Make a Port-binding Shellcode

• Making a shellcode
  • Get the machine code by assembling the shellcode
• Lastly, we've got 92 bytes of port-binding shellcode

Page 21: Port-binding Shellcode vs Connect-back Shellcode

Port-binding shellcode (diagram of attacker and victim with the port labelled P)
  ① Port-binding shellcode infection (attacker → victim)
  ② Server port opened and listening (on the victim)
  ③ Connection from the attacker (attacker → victim)
  ④ Shell open

Connect-back shellcode (diagram of attacker and victim with the port labelled P)
  ① Connect-back shellcode infection (attacker → victim)
  ② Client port opened and connecting (on the victim)
  ③ Connect-back from the shellcode (victim → attacker)
  ④ Shell open

Page 22: Port-binding vs Connect-back: Difference in Code

Step                          Port-binding                  Connect-back
Socket creation               socket()                      socket()              Identical
Server connection             bind(), listen(), accept()    connect()             Different
File descriptor duplication   dup2()                        dup2()                Identical
Shell open                    execve("/bin//sh")            execve("/bin//sh")    Identical

Page 23: Connect-back Shellcode Pros and Cons

• Pros
  – Firewall evasion
    • No inbound connection
• Cons
  – Pre-defined connect-back address
    • The attacker's IP address can be revealed
    • Unable to change the server IP address afterwards
    – Domain names are usable but still risky to the attacker
  – No on-demand shell
    • The attacker must wait for the incoming connection

Page 24: Connect-back Shellcode In a Nutshell

• Connecting IP address : 192.168.42.74 (attacker's IP)