This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert (SLAE64) certification:
https://www.pentesteracademy.com/course?id=7
Student-ID: PA-15847
The Objectives for the Assignment:
create a shell_reverse_tcp shellcode
:
reverse connects to configured IP and port
needs a passcode
if passcode is correct, then execs shell
remove 0x00 from bind tcp shellcode
So I took the code written during the course as a base and developed the remaining parts as below:
I use the following syscalls in the same order:
syscall socket
syscall connect
syscall read
syscall dup2
syscall execve
syscall close
First we start with opening a socket with the following syntax:
int socket(int domain, int type, int protocol);
![](https://areyou1or0.it/wp-content/uploads/2021/10/Screenshot-2021-10-06-at-13.03.26.png)
Then we will make the socket connect to the server with the following syntax:
int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
![](https://areyou1or0.it/wp-content/uploads/2021/10/Screenshot-2021-10-06-at-13.03.33-1024x417.png)
Here we’ll read the password string and compare it with the real password for a match. If the result is wrong, it will go to end (defined at the end)
![](https://areyou1or0.it/wp-content/uploads/2021/10/Screenshot-2021-10-06-at-13.03.38-1024x480.png)
Then we have dup2 again for redirecting the socket
![](https://areyou1or0.it/wp-content/uploads/2021/10/Screenshot-2021-10-06-at-13.03.43.png)
And of course we execute /bin/sh with execve syscall
![](https://areyou1or0.it/wp-content/uploads/2021/10/Screenshot-2021-10-06-at-13.03.49.png)
We define the end call here as it’s called in read syscall section before and exit the program
![](https://areyou1or0.it/wp-content/uploads/2021/10/Screenshot-2021-10-06-at-13.03.53.png)
We get a reverse shell at the end:
![](https://areyou1or0.it/wp-content/uploads/2021/10/assignment2-1024x835.png)