Student-ID: PA-15847<\/strong><\/p>\n\n\n\n The Objectives for the Assignment:<\/p>\n\n\n\n So I took the code written during the course as a base and developed the remaining parts as below:<\/p>\n\n\n\n I use the following syscalls in the same order:<\/p>\n\n\n\n It’s important to understand the arguments for each syscall and how do we write it in assembly as it’s been taught during the course. <\/p>\n\n\n\n Here’re the assembly code that I wrote per syscall. I also explained some of the lines with a comment in case it’s unclear:<\/p>\n\n\n\n First we open a socket (syscall number:41) with the following syntax<\/p>\n\n\n\n We’ll have the following values for the arguments:<\/p>\n\n\n\n Then we’ll use bind syscall to bind the shell to an IP and port with the following syntax<\/p>\n\n\n\n We’ll use the following values:<\/p>\n\n\n\n Then we’ll use listen syscall to listen for incoming connections with the following syntax:<\/p>\n\n\n\n Next, we’ll use accept syscall for incoming connections with the following syntax:<\/p>\n\n\n\n Redirection to the socket will be handled with dup2 syscall. <\/p>\n\n\n\n Now it’s time to ask for the password. We’ll first read the string using read syscall and then compare its accuracy. It will re ask for the password if the response is incorrect. Here’s the syntax used for read syscall:<\/p>\n\n\n\n We’ll execute \/bin\/sh with execve syscall here:<\/p>\n\n\n\n We’ll close the socket and exit the program at the end. <\/p>\n\n\n\n Then we compiled and linked the files and run the executable to get a bind shell:<\/p>\n\n\n\n This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert (SLAE64) certification: https:\/\/www.pentesteracademy.com\/course?id=7 Student-ID: PA-15847 The Objectives for the Assignment: create a shell_bind_tcp shellcode binds to a port needs a passcode if passcode is correct, then execs shell remove 0x00 from bind tcp shellcode So I took the code… Continue reading SLAE64: Assignment 1 – Bind Shell<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[20],"tags":[],"_links":{"self":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/97"}],"collection":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/comments?post=97"}],"version-history":[{"count":4,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/97\/revisions"}],"predecessor-version":[{"id":159,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/97\/revisions\/159"}],"wp:attachment":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/media?parent=97"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/categories?post=97"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/tags?post=97"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}create a shell_bind_tcp shellcode<\/strong><\/code><\/p>\n\n\n\nbinds to a port<\/strong><\/code><\/li>needs a passcode<\/strong><\/code><\/li>if passcode is correct, then execs shell<\/strong><\/code><\/li>remove 0x00 from bind tcp shellcode<\/code><\/strong><\/li><\/ul>\n\n\n\nsyscall: socket --> open a socket
syscall bind --> binding the shell to IP and port
syscalls.listen --> listen for incoming connections
syscalls.accept --> accept incoming connections
syscalls.dup2
syscall.read --> to read the password
syscalls.execve
syscalls.close<\/strong><\/code><\/p>\n\n\n\nint socket(int<\/strong> domain<\/em>, int<\/strong> type<\/em>, int<\/strong> protocol<\/em>);<\/strong><\/code><\/p>\n\n\n\n$ python<\/strong><\/code><\/p>\n\n\n\n>>> import socket
>>> socket.AF_INET
2
>>> socket.SOCK_STREAM
1
>>> socket.INADDR_ANY
0<\/strong><\/code><\/p>\n\n\n\n![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2021\/10\/Screenshot-2021-10-06-at-12.34.20.png\")
int bind(int<\/strong> sockfd<\/em>, const struct sockaddr<\/strong> addr<\/em>,<\/strong> socklen_t<\/strong> addrlen<\/em>);<\/strong><\/code><\/p>\n\n\n\n0.0.0.0 (IP), 4444 (port) and 2 (address family AF_INET)<\/strong><\/code><\/p>\n\n\n\n![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2021\/10\/Screenshot-2021-10-06-at-12.34.45-1024x387.png\")
int listen(int<\/strong> sockfd<\/em>, int<\/strong> backlog<\/em>);<\/strong><\/code><\/p>\n\n\n\n![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2021\/10\/Screenshot-2021-10-06-at-12.34.51.png\")
int accept(int<\/strong> sockfd, struct<\/strong> sockaddr addr<\/em>, socklen_t<\/strong> addrlen<\/em>);<\/strong><\/code><\/p>\n\n\n\n![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2021\/10\/Screenshot-2021-10-06-at-12.35.01-1024x293.png\")
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2021\/10\/Screenshot-2021-10-06-at-12.35.07-1024x678.png\")
ssize_t read(int fd, void *buf, size_t count);<\/strong><\/code><\/p>\n\n\n\n![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2021\/10\/Screenshot-2021-10-06-at-12.35.13-1024x505.png\")
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2021\/10\/Screenshot-2021-10-06-at-12.35.18.png\")
![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2021\/10\/Screenshot-2021-10-06-at-12.35.24.png\")
nasm -felf64 assignment1.nasm -o assignment1.o<\/strong><\/code><\/p>\n\n\n\nld assignment1.o -o assignment1<\/strong><\/code><\/p>\n\n\n\n.\/assignment1<\/strong><\/code><\/p>\n\n\n\n![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2021\/10\/assignment1-1024x568.png\")
<\/figure>\n","protected":false},"excerpt":{"rendered":"