In cases such as these, we need to find another means of
accessing a shell on the target computer. One solution to this problem is to use port binding
shellcode, often referred to as a "bind shell." Once running on the target, the steps our
shellcode must take to create a bind shell are as follows:
1. Create a TCP socket.
2. Bind the socket to an attacker-specified port. The port number is typically hardcoded
into the shellcode.
3. Make the socket a listening socket.
4. Accept a new connection.
5. Duplicate the newly accepted socket onto stdin, stdout, and stderr.
6. Spawn a new command shell process (which will receive/send its input and
output over the new socket).
Chapter 9: Shellcode Strategies
Step 4 requires the attacker to reconnect to the target computer in order to get
attached to the command shell. To make this second connection, attackers often use a
tool such as Netcat, which passes their keystrokes to the remote shell and receives any
output generated by the remote shell. While this may seem like a relatively straightforward
process, there are a number of things to take into consideration when attempting
to use port binding shellcode. First, the network environment of the target must be such
that the initial attack is allowed to reach the vulnerable service on the target computer.
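Seen from the defender's side, step 5 leaves a distinctive footprint: a command shell whose stdin, stdout and stderr are all sockets rather than a tty or pipe. The following Linux check is an added example (not code from the book) that looks for that footprint by resolving /proc/<pid>/fd symlinks; the SHELL_NAMES set and the sample snapshot are assumptions constructed for illustration.

```python
import os
import re

# Shells whose stdio is normally a tty or pipe; a socket on all three fds is suspicious.
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ksh", "ash"}
SOCKET_RE = re.compile(r"^socket:\[\d+\]$")  # /proc/<pid>/fd symlink target for a socket

def is_bind_shell_like(comm: str, fd_targets: dict) -> bool:
    """True when a shell process has fds 0, 1 and 2 all pointing at sockets: the
    footprint of step 5 (dup2 onto stdin/stdout/stderr) followed by step 6 (exec)."""
    if os.path.basename(comm) not in SHELL_NAMES:
        return False
    return all(SOCKET_RE.match(fd_targets.get(fd, "")) for fd in (0, 1, 2))

def read_proc_fds(pid: int) -> dict:
    """Resolve the /proc/<pid>/fd/{0,1,2} symlinks (Linux only)."""
    targets = {}
    for fd in (0, 1, 2):
        try:
            targets[fd] = os.readlink(f"/proc/{pid}/fd/{fd}")
        except OSError:  # process exited, or not ours to inspect without root
            pass
    return targets

def scan_proc() -> list:
    """Walk /proc and return (pid, comm) for every bind-shell-like process."""
    hits = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as f:
                comm = f.read().strip()
        except OSError:
            continue
        if is_bind_shell_like(comm, read_proc_fds(int(entry))):
            hits.append((int(entry), comm))
    return hits

def scan_snapshot(snapshot: dict) -> list:
    """Same check over an offline snapshot of {pid: (comm, {fd: target})}."""
    return [(pid, c) for pid, (c, fds) in snapshot.items() if is_bind_shell_like(c, fds)]

# Constructed sample snapshot (not from a real host): a shell whose stdio is a socket,
# an interactive shell on a pty, and a daemon on a socket that is not a shell.
SAMPLE_SNAPSHOT = {
    4242: ("sh", {0: "socket:[31337]", 1: "socket:[31337]", 2: "socket:[31337]"}),
    1001: ("bash", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),
    2002: ("nginx", {0: "socket:[555]", 1: "socket:[555]", 2: "socket:[555]"}),
}
```

Run `scan_proc()` as root to cover every process; unprivileged runs silently skip processes whose fd directory is not readable. Legitimate inetd-style services that exec a shell script will match too, so treat a hit as a triage signal and confirm with the listening port and parent process.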