3. Nondeterminism - Korea University
Port-Binding & Connect-Back Shellcode
Jieun Song
2014.12.04
Port Binding and Connect-back Shellcode
• Limitation of Local Shellcodes
– When exploiting a remote program, a local shellcode cannot
hand a shell to an attacker sitting at a remote location
– The injected shellcode needs to communicate over the network
to deliver an interactive root prompt
• Port-binding Shellcode and Connect-back Shellcode
– The shellcode works as a network server / a network client
– The attacker can use the shell from a remote location through a network
connection
Contents
• Basics of Socket Programming and Network Connection
– Server side
• For a better understanding of Port-binding Shellcode
– Client side
• For a better understanding of Connect-back Shellcode
• Socket Programming in Assembly
• How to make a Port-binding Shellcode
• Difference between Port-binding and Connect-back
• How to make a Connect-back Shellcode
• Demonstration
Socket Programming
• A.k.a. Network Programming
– Making a program that has network communication capability
• Socket
– An interface, a data structure, and a descriptor
– Commonly used on both the server and the client side
• End-to-end Interface
– Works at the transport layer (L4)
Socket Communication Mechanism
• Brief Work Flow of Socket Programming
Server Side Socket Programming (1/6)
• Socket Creation: ‘socket()’
– Socket constructor for a server or a client
– Parameters
- af : Address Family
- AF_INET : IPv4
- AF_INET6 : IPv6
- AF_UNSPEC : Unspecified
- type : Socket Type
- SOCK_STREAM : TCP Stream
- SOCK_DGRAM : UDP Datagram
- protocol : ICMP, IGMP, TCP, UDP, etc.
Server Side Socket Programming (2/6)
• Binding a Socket to a Port : ‘bind()’
- Parameters
- s : a socket created by socket()
- name : a pointer to a socket address structure (sockaddr)
- namelen : length of the sockaddr structure
- Return
- Error code
Server Side Socket Programming (3/6)
• Socket Address Structure : ‘sockaddr’ & ‘sockaddr_in’
• sockaddr : General address structure
– sa_family : Socket address family
– sa_data[14] : Address data in various formats
• sockaddr_in : Only for IPv4 addresses
– sin_family : Should be AF_INET (IPv4 address family)
– sin_port : TCP/UDP port number
– sin_addr : 32-bit IPv4 address
Server Side Socket Programming (4/6)
• Open a Listening Port : ‘listen()’
– From now on this socket and the bound port work as a server
• Parameters
– s : the socket used to listen for incoming connections
– backlog : the maximum queue size for pending connection requests
• Return
– Error code
Server Side Socket Programming (5/6)
• Accept an Incoming Connection: ‘accept()’
– ‘accept()’ newly creates a communication socket with a new port
– The ‘listen’ socket and port are not the communication socket
• Parameters
– s : Listen socket (Input)
– addr : Address of the accepted client (Output)
– addrlen : Length of the address structure; available length (Input), returned length (Output)
• Return
– Communication socket
Server Side Socket Programming (6/6)
• Data Communication : ‘read()’ and ‘write()’
– send() and recv() in some system call interfaces
• Disconnection : ‘shutdown()’ and ‘close()’
– shutdown() sends the disconnection message to the other side
• It declares that the socket will not send/receive data anymore
• A shut-down socket waits for the ‘FIN_ACK’ from the other side
– close() releases every functionality and resource of the socket
• close() without a clean shutdown() leaves ‘dirty closed’ sockets
Client Side Socket Programming
• Socket Creation, Communication, and Disconnection
– Identical to the server side socket
• Connection : ‘connect()’
• Parameters
- s : Socket for communication
- name : Pointer to the server address structure
- namelen : Length of the server address structure
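Added example (not from the slides): the whole server and client lifecycle described above, in C on the loopback interface, with both sides in one program via fork(). The port is left to the kernel (port 0 in sin_port) and "ping"/"pong" are constructed sample payloads.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Full server/client lifecycle from the slides on 127.0.0.1: the parent
 * does socket() -> bind() -> listen() -> accept(), a forked child does
 * socket() -> connect(); both then read()/write(), shutdown() and close().
 * Returns 1 if the server got "ping" and the client got "pong" back. */
int loopback_exchange(void) {
    struct sockaddr_in srv;                 /* IPv4 form of sockaddr */
    memset(&srv, 0, sizeof srv);
    srv.sin_family = AF_INET;
    srv.sin_port = htons(0);                /* 0: kernel picks a free port */
    srv.sin_addr.s_addr = htonl(INADDR_LOOPBACK);

    int lsock = socket(AF_INET, SOCK_STREAM, 0);
    if (lsock < 0) return 0;
    if (bind(lsock, (struct sockaddr *)&srv, sizeof srv) < 0) return 0;
    if (listen(lsock, 4) < 0) return 0;     /* backlog 4, as in the slides */
    socklen_t len = sizeof srv;             /* read back the chosen port */
    if (getsockname(lsock, (struct sockaddr *)&srv, &len) < 0) return 0;

    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) {                         /* child: client side */
        char buf[8] = {0};
        int c = socket(AF_INET, SOCK_STREAM, 0);
        if (c < 0 || connect(c, (struct sockaddr *)&srv, sizeof srv) < 0) _exit(2);
        if (write(c, "ping", 4) != 4) _exit(3);
        shutdown(c, SHUT_WR);               /* clean half-close: no more sends */
        ssize_t n = read(c, buf, sizeof buf - 1);
        close(c);                           /* release the descriptor */
        _exit(n == 4 && memcmp(buf, "pong", 4) == 0 ? 0 : 4);
    }
    /* parent: server side. accept() hands back a NEW socket for this
     * connection; lsock stays the listening socket (same local port). */
    int conn = accept(lsock, NULL, NULL);
    close(lsock);
    if (conn < 0) return 0;
    char buf[8] = {0};
    ssize_t n = read(conn, buf, sizeof buf - 1);
    int ok = n == 4 && memcmp(buf, "ping", 4) == 0 && write(conn, "pong", 4) == 4;
    shutdown(conn, SHUT_RDWR);              /* announce the disconnection first */
    close(conn);                            /* then free the socket */
    int status = 0; waitpid(pid, &status, 0);
    return ok && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```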
Socket Programming in Assembly (1/2)
• These socket functions can all be accessed with a single Linux
system call, aptly named socketcall()
– Syscall number : 102
– socket(), bind(), listen(), and accept() can all be called through syscall 102
– Syscall 102 selects the function with ebx
• ebx = 1 (SYS_SOCKET, the constructor)
• ebx = 2 (SYS_BIND)
• ebx = 3 (SYS_CONNECT)
• ebx = 4 (SYS_LISTEN)
• ebx = 5 (SYS_ACCEPT)
• How to use a system call
- mov BYTE al, 0x66 ; System call number in eax, 0x66 = 102
- mov ebx, 0x01 ; Function code for the constructor (0x01) in ebx
- … push parameters on the stack …
- int 0x80 ; System call interrupt 0x80
Socket Programming in Assembly (2/2)
• How to send a command to a shell and get the result back
through a socket?
– Copy the standard FDs to the socket FD
• Let the command be written to and the result be read from the socket
• The console input becomes the socket input
• The console output becomes the socket output
– dup2(oldfd, newfd)
• A socket is also a File Descriptor (FD)
• System call that makes newfd a copy of oldfd
• System call number : 63
• FD: 0 (stdin), 1 (stdout), 2 (stderr)
– How to call dup2()
• eax : 0x3F ; system call number 63
• ebx : old socket FD
• ecx : new FD
• int 0x80 ; system call interrupt
How to Make a Port-binding Shellcode
; “Socket Creation”
; “sock = socket(AF_INET, SOCK_STREAM, 0)”
; “Binding a port to the created socket”
; “bind(sock, (struct sockaddr *)&host_addr, sizeof(struct sockaddr))”
; “Request the kernel to use the socket for listening for connections”
; “listen(sock, 4)”
; “Accept and make a connection with a client”
; “accept(sock, NULL, 0)”
; “dup2”
; “Set stdin (0), stdout (1), stderr (2) to the socket FD”
• Making a Shellcode
• Get the machine code by assembling the shellcode
• Lastly, we’ve got 92 bytes of port-binding shellcode
Port-binding Shell-code vs Connect-Back Shell-code
[Diagram] Port-binding Shell-code (port P opens on the Victim):
① Port-binding Shell-code Infection
② Server Port Open and Listen
③ Connection from Attacker
④ Shell Open
[Diagram] Connect-back Shell-code (port P opens on the Attacker):
① Connect-back Shell-code Infection
② Client Port Open and Connect
③ Connect-back from Shell-code
④ Shell Open
Port-binding vs Connect-back: Difference in Codes
• Port-binding
– Socket Creation : socket()
– Port Binding : bind()
– Waiting for Connection : listen()
– Connection Establishment : accept()
– File Descriptor Duplication : dup2()
– Shell Open : execve(“/bin//sh”)
• Connect-back
– [column not recovered from the slide]
Pros-and-Cons
• Pros
– Firewall evasion
• No inbound connection
• Cons
– Pre-defined Connect-back Address
• Attacker’s IP addresses can be revealed
• Disable to change server IP addresses
– Domain names are utilizable but still risky to the attacker
– No time-on-demand shell
• Attackers must wait the incoming connection
Connect-back Shell-code
In a Nutshell
• Connecting IP address : 192.168.42.74 (attacker’s IP)
• DEMO
Thank you!