Jieun Song 2014.12.04 Port-Binding & Connect-Back Shellcode.

2 Port Binding and Connect-back Shellcode
Limitation of the Local Shellcodes
– When exploiting a remote program, a local shellcode cannot open a shell to an attacker at a remote location
– The injected shellcode needs to communicate over the network to deliver an interactive root prompt
Port-binding Shellcode and Connect-back Shellcode
– The shellcodes work as a network server / a network client
– An attacker can use a shell at a remote place through a network connection

3 Contents
– Basics of Socket Programming and Network Connection
  – Server side: for a better understanding of Port-binding Shellcode
  – Client side: for a better understanding of Connect-back Shellcode
– Socket Programming in Assembly
– How to make a Port-binding Shellcode
– Difference between Port-binding and Connect-back
– How to make a Connect-back Shellcode
– Demonstration

4 Socket Programming
A.k.a. Network Programming
– Making a program which has network communication capability
Socket
– An interface, a data structure, and a descriptor
– Commonly used at both the server and the client side
End-to-end Interface
– Working on the transport level (L4)

5 Socket Communication Mechanism: Brief Work Flow of Socket Programming (figure)

6 Server Side Socket Programming (1/6)
Socket Creation: ‘socket()’
– Socket constructor for a server or a client
– Parameters
  – af : Address Family
    – AF_INET : IPv4
    – AF_INET6 : IPv6
    – AF_UNSPEC : Unspecified
  – type : Socket Type
    – SOCK_STREAM : TCP Stream
    – SOCK_DGRAM : UDP Datagram
  – protocol : ICMP, IGMP, TCP, UDP, etc.

7 Server Side Socket Programming (2/6)
Binding a Socket to a Port: ‘bind()’
– Parameters
  – s : a socket created by socket()
  – name : a pointer to a socket address structure (sockaddr)
  – namelen : length of the sockaddr structure
– Return
  – Error code

8 Server Side Socket Programming (3/6)
Socket Address Structure: ‘sockaddr’ & ‘sockaddr_in’
sockaddr : General address structure
– sa_family : Socket address family
– sa_data[14] : Address data in various formats
sockaddr_in : Only for IPv4 addresses
– sin_family : Should be AF_INET (IPv4 address family)
– sin_port : TCP/UDP port number
– sin_addr : 32-bit IPv4 address

9 Server Side Socket Programming (4/6)
Open Listen Port: ‘listen()’
– Now this socket and the bound port work as a server
– Parameters
  – s : a socket used to listen for incoming connections
  – backlog : the maximum queue size for pending connection requests
– Return
  – Error code

10 Server Side Socket Programming (5/6)
Accept an Incoming Connection: ‘accept()’
– ‘accept’ creates a new communication socket with a new port
– The ‘listen’ socket and port are not the communication socket
– Parameters
  – s : Listen socket (input)
  – addr : Address of the accepted client (output)
  – addrlen : Length of the available (input) and returned (output) address structure
– Return
  – Communication socket

11 Server Side Socket Programming (6/6)
Data Communication: ‘read()’ and ‘write()’
– send() and recv() in some system calls
Disconnection: ‘shutdown()’ and ‘close()’
– shutdown sends the disconnection message to the other side
  – It declares that the socket will not send/receive data anymore
  – A shut-down socket waits for the ‘FIN_ACK’ from the other side
– close releases every functionality and resource of the socket
  – close without a clean shutdown makes ‘dirty closed’ sockets

12 Client Side Socket Programming
Socket Creation, Communication, and Disconnection
– Identical to the server side socket
Connection: ‘connect()’
– Parameters
  – s : Socket for communication
  – name : Pointer to the server address structure
  – namelen : Length of the server address structure
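The server-side sequence socket() → bind() → listen() → accept() and the client-side socket() → connect() from slides 6 to 12, as an added C example that is not part of the presentation: both ends run in one process over 127.0.0.1, and the listening port is chosen by the kernel (bind to port 0), so nothing about the host is assumed except a working loopback interface.

```c
/* Added example, not from the slides: server and client socket
 * sequences run together in one process over loopback. The connect()
 * completes in listen()'s backlog, so accept() can be called afterwards. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns 1 if msg sent on the client socket is read back on the
 * server's communication socket, 0 on any failure. */
int loopback_exchange(const char *msg) {
    int ok = 0, lsock, csock = -1, conn = -1;
    char buf[64] = {0};
    struct sockaddr_in addr;
    socklen_t len = sizeof(addr);
    ssize_t want = (ssize_t)strlen(msg);

    if (want <= 0 || want >= (ssize_t)sizeof(buf)) return 0;
    lsock = socket(AF_INET, SOCK_STREAM, 0);        /* IPv4, TCP stream */
    if (lsock < 0) return 0;

    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(0);                       /* any free port */
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);  /* 127.0.0.1 only */
    if (bind(lsock, (struct sockaddr *)&addr, sizeof(addr)) < 0) goto out;
    if (listen(lsock, 4) < 0) goto out;             /* backlog of 4 */
    /* ask the kernel which port it assigned, so the client can use it */
    if (getsockname(lsock, (struct sockaddr *)&addr, &len) < 0) goto out;

    /* client side: a second socket that connect()s to the listener */
    csock = socket(AF_INET, SOCK_STREAM, 0);
    if (csock < 0 || connect(csock, (struct sockaddr *)&addr, sizeof(addr)) < 0)
        goto out;
    /* accept() hands back a new communication socket; lsock keeps listening */
    conn = accept(lsock, NULL, NULL);
    if (conn < 0) goto out;

    if (write(csock, msg, (size_t)want) == want &&
        read(conn, buf, sizeof(buf) - 1) == want)
        ok = (strcmp(buf, msg) == 0);
    shutdown(conn, SHUT_RDWR);                      /* clean disconnect */
out:
    if (conn >= 0) close(conn);
    if (csock >= 0) close(csock);
    close(lsock);
    return ok;
}
```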

13 Socket Programming in Assembly (1/2)
These socket functions can all be accessed with a single Linux system call, aptly named socketcall()
– Syscall number : 102
– socket(), bind(), listen(), and accept() can be called with syscall 102
– Syscall 102 with the function selected in ebx
  – ebx = 1 (SYS_SOCKET, the constructor)
  – ebx = 2 (SYS_BIND)
  – ebx = 3 (SYS_CONNECT)
  – ebx = 4 (SYS_LISTEN)
  – ebx = 5 (SYS_ACCEPT)
– How to use a system call
  mov al, 0x66      ; System call number in eax, 0x66 = 102
  mov ebx, 0x01     ; Function code for the constructor, 0x01, in ebx
  … push parameters on the stack …
  int 0x80          ; System call interrupt 0x80

14 Socket Programming in Assembly (2/2)
How to send a command to a shell and get its result through a socket?
– A socket is also a File Descriptor (FD)
Copy the Standard FDs to the Socket FD
– Enables a shell to read the command from, and write the result to, the socket
  – Console input becomes the socket input
  – Console output becomes the socket output
dup2(oldfd, newfd)
– System call that makes newfd a copy of oldfd
– System call number : 63
– FD: 0 (stdin), 1 (stdout), 2 (stderr)
How to call dup2()
  eax : 0x3F   ; system call number 63
  ebx : old socket FD
  ecx : new FD
  int 0x80     ; system call interrupt
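An added example written from the defender's side, not from the slides: on Linux, once the dup2() step above has pointed fd 0, 1 and 2 at a socket, the symlinks under /proc/<pid>/fd read "socket:[inode]", which is a simple host-level signal for a shell whose console has been redirected to a network connection. The function names are my own and the check relies on /proc, so it is Linux-only.

```c
/* Added example (not from the slides), defender's view of the dup2()
 * pattern: a process whose standard descriptors all resolve to
 * "socket:[...]" in /proc/<pid>/fd has its console tied to a socket. */
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if the readlink() target of a /proc fd entry denotes a socket */
int is_socket_target(const char *target) {
    return strncmp(target, "socket:[", 8) == 0;
}

/* 1 if descriptor fd of process pid is a socket, 0 if not or unreadable */
int fd_is_socket(pid_t pid, int fd) {
    char path[64], target[128];
    snprintf(path, sizeof(path), "/proc/%d/fd/%d", (int)pid, fd);
    ssize_t n = readlink(path, target, sizeof(target) - 1);
    if (n < 0) return 0;          /* no such fd, or no permission */
    target[n] = '\0';
    return is_socket_target(target);
}

/* Number of standard descriptors (0, 1, 2) of pid that are sockets;
 * 3 is what the dup2() sequence on the slide leaves behind. */
int socket_stdio_count(pid_t pid) {
    int count = 0;
    for (int fd = 0; fd <= 2; fd++) count += fd_is_socket(pid, fd);
    return count;
}

int main(void) {
    /* inspect our own process; a normal terminal session reports 0 of 3 */
    printf("pid %d: %d of 3 standard fds are sockets\n",
           (int)getpid(), socket_stdio_count(getpid()));
    return 0;
}
```

Running socket_stdio_count() over every entry of /proc for processes named like a shell gives a quick sweep for this pattern.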

15 How to Make a Port-binding Shellcode
; "Socket Creation"
; "socket = socket(AF_INET, SOCK_STREAM, 0)"

16 How to Make a Port-binding Shellcode
; "Binding a port to the created socket"
; "bind(sock, (struct sockaddr *)&host_addr, sizeof(struct sockaddr))"

17 How to Make a Port-binding Shellcode
; "Request the kernel to use the socket for listening for connections"
; "listen(sock, 4)"

18 How to Make a Port-binding Shellcode
; "Accept and make a connection with a client"
; "accept(sock, NULL, 0)"

19 How to Make a Port-binding Shellcode
; "dup2"
; "Set stdin (0), stdout (1), stderr (2) to the socket FD"

20 How to Make a Port-binding Shellcode
Making a Shellcode
– Get the machine code by compiling the shellcode
– Lastly, we've got 92 bytes of port-binding shellcode

21 Port-binding Shell-code vs Connect-Back Shell-code
Port-binding Shell-code (Attacker, Victim)
① Port-binding shell-code infection
② Server port open and listen (on the victim)
③ Connection from the attacker
④ Shell open
Connect-back Shell-code (Attacker, Victim)
① Connect-back shell-code infection
② Client port open and connect (on the victim)
③ Connect-back from the shell-code to the attacker
④ Shell open

22 Port-binding vs Connect-back: Difference in Codes
– Socket Creation: socket() – identical
– Port Binding: bind() – different (port-binding only)
– Waiting for Connection: listen() – different (port-binding only)
– Connection Establishment: accept() – different (connect-back uses connect() instead)
– File Descriptor Duplication: dup2() – identical
– Shell Open: execve("/bin//sh") – identical

23 Connect-back Shell-code Pros-and-Cons
Pros
– Firewall evasion
  – No inbound connection
Cons
– Pre-defined connect-back address
  – The attacker's IP address can be revealed
  – The server IP address cannot be changed once the shellcode is built
  – Domain names are usable, but still risky for the attacker
– No shell on demand
  – The attacker must wait for the incoming connection

24 Connect-back Shell-code In-a-Nutshell
Connecting IP address : 192.168.42.74 (attacker's IP)

25 DEMO

26 Thank you!
