SLAE64: Assignment 1 – Bind TCP Shell with password

I’ve been taking the SecurityTube Linux Assembly Expert certification. This is the first assignment: the creation, in assembly, of a password-protected bind shell.

A bind shell is essentially an open port on a machine that has STDIN, STDOUT and STDERR redirected to an inbound socket. It gets its name from the bind() system call, which is a necessary step for listening on a port.

As I’m still not very comfortable with assembly, I got my inspiration from the C program below.

With the above program under my belt, all I had to do was translate it into assembly.

For the password-protected part of the exercise, the first bytes sent by the client through the socket must match the ASCII string ‘7698’. This translates into a simple CMP between the value read from the socket and 0x39383637.

You might notice right away that there are a couple of unusual approaches in the code, particularly the small number of ‘mov’ operations.

Instead of a mov, one can use a push/pop sequence that delivers the same result but, because push and pop default to a 64-bit operand size in long mode (so a small immediate is sign-extended into the full register), encodes in far fewer bytes and so gives a much smaller footprint.

I’ve taken this approach as a means to reduce the shellcode size, inspired by the awesome posts by zerosum0x0.
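To make the two points above concrete, here is an added example (not code from the post or its repo) that hand-encodes the three ways of loading a small constant into a register and compares their sizes, and that derives the 32-bit CMP immediate from a four-byte password as it lands in memory on little-endian x86-64. The register table and encoder functions are my own; they cover only the eight legacy registers. Run against the post’s own values, b'7698' gives 0x38393637, while 0x39383637 is the reading of the bytes b'7689', so the helper is worth running before hard-coding the immediate.

```python
import struct

# Register numbers for the eight legacy 64-bit GPRs (r8-r15 would also need a REX.B prefix).
REGS = {"rax": 0, "rcx": 1, "rdx": 2, "rbx": 3, "rsp": 4, "rbp": 5, "rsi": 6, "rdi": 7}


def password_immediate(password: bytes) -> int:
    """32-bit immediate a CMP must use to match `password` as read from the socket.
    The first received byte is the least significant byte on little-endian x86-64."""
    if len(password) != 4:
        raise ValueError("this check compares exactly four bytes")
    return struct.unpack("<I", password)[0]


def mov_r64_imm32(reg: str, imm: int) -> bytes:
    """REX.W C7 /0 id: mov r64, imm32 (immediate sign-extended to 64 bits). Always 7 bytes."""
    return bytes([0x48, 0xC7, 0xC0 | REGS[reg]]) + struct.pack("<i", imm)


def mov_r32_imm32(reg: str, imm: int) -> bytes:
    """B8+rd id: mov r32, imm32 (upper half of the 64-bit register is zeroed). 5 bytes."""
    return bytes([0xB8 | REGS[reg]]) + struct.pack("<I", imm & 0xFFFFFFFF)


def push_pop(reg: str, imm: int) -> bytes:
    """6A ib; 58+rd: push imm8 then pop r64.
    In long mode push/pop default to a 64-bit operand size, so the 8-bit immediate is
    sign-extended to 64 bits on the stack and popped into the full register: 3 bytes
    that leave `reg` with the same value as mov_r64_imm32 for -128 <= imm <= 127.
    Caveat: rsp must point at writable memory, which mov does not require."""
    if not -128 <= imm <= 127:
        raise ValueError("push imm8 only covers -128..127 (68 id would cost 5 bytes)")
    return bytes([0x6A]) + struct.pack("<b", imm) + bytes([0x58 | REGS[reg]])


def footprint(reg: str, imm: int) -> dict:
    """Byte counts of the three encodings for loading `imm` into `reg`."""
    return {
        "mov r64, imm32": len(mov_r64_imm32(reg, imm)),
        "mov r32, imm32": len(mov_r32_imm32(reg, imm)),
        "push imm8 / pop r64": len(push_pop(reg, imm)),
    }


if __name__ == "__main__":
    print(hex(password_immediate(b"7698")), hex(password_immediate(b"7689")))
    print(push_pop("rax", 41).hex(), footprint("rax", 41))
```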

All code is available from my Github repo.

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert Certification.

Student ID: SLAE64-1440
