In many cases firewalls are less restrictive regarding outgoing traffic.
Reverse shellcode, also known as "callback shellcode," recognizes this fact by reversing
the direction in which the second connection is made. Instead of binding to a specific
port on the target computer, reverse shellcode initiates a new connection to a specified
port on an attacker-controlled computer. Following a successful connection, it duplicates
the newly connected socket to stdin, stdout, and stderr before spawning a new
command shell process on the target machine. These steps are:
1. Create a TCP socket.
2. Configure the socket to connect to an attacker-specified port and IP address. The port number and IP address are typically hard-coded into the attacker's shellcode.
3. Connect to the specified port and IP address.
4. Duplicate the newly connected socket onto stdin, stdout, and stderr.
5. Spawn a new command shell process (which will receive/send its input/output over the new socket).
Figure 9-3 shows the behavior of reverse connecting shellcode.
For a reverse shell to work, the attacker must be listening on the specified port and IP
address prior to step 3. Netcat is often used to set up such a listener and to act as a terminal
once the reverse connection has been established.
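Step 4 leaves a durable artifact on the victim: a command interpreter whose stdin, stdout, and stderr all resolve to the same connected socket, which no interactively started shell ever has. The following detector is an added example, not code from the book, and it assumes a Linux host where /proc/<pid>/fd exposes those descriptors as `socket:[inode]` links; the process snapshot it scans is constructed inline so it runs offline, and the shell-name list is an assumption a deployment would tune.

```python
"""Flag shells whose stdin/stdout/stderr are all the same socket, the fd
signature left behind by the reverse-shell steps described above.

Added example, not from the original text. Assumes Linux /proc semantics:
readlink on /proc/<pid>/fd/N returns 'socket:[<inode>]' for sockets.
"""
import os
import re
from collections import namedtuple

Finding = namedtuple("Finding", "pid comm inode")

# Constructed sample snapshot: (pid, comm, {fd: readlink target}).
# Not captured from a real system.
SAMPLE_PROCESSES = [
    (1042, "sshd",    {0: "/dev/null", 1: "/dev/null", 2: "/dev/null", 3: "socket:[21834]"}),
    (2210, "bash",    {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),
    (3377, "sh",      {0: "socket:[40511]", 1: "socket:[40511]", 2: "socket:[40511]"}),
    (3390, "python3", {0: "socket:[40777]", 1: "socket:[40777]", 2: "socket:[40777]"}),
    (4001, "bash",    {0: "pipe:[5001]", 1: "socket:[5002]", 2: "socket:[5002]"}),
]

# Assumed list of interpreter names worth alerting on; tune per environment.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}
SOCKET_RE = re.compile(r"^socket:\[(\d+)\]$")


def socket_inode(target):
    """Return the inode of a 'socket:[N]' link target, else None."""
    m = SOCKET_RE.match(target)
    return int(m.group(1)) if m else None


def stdio_on_one_socket(fds):
    """Return the socket inode if fds 0, 1 and 2 all point at the same socket.

    Returns None when any of the three is not a socket or they differ,
    which covers normal ttys, pipes and partially redirected shells.
    """
    inodes = {socket_inode(fds.get(n, "")) for n in (0, 1, 2)}
    if len(inodes) == 1:
        return inodes.pop()  # None if all three were non-sockets
    return None


def find_socket_backed_shells(processes, shells=SHELLS):
    """Scan (pid, comm, fds) tuples and return one Finding per suspicious shell."""
    findings = []
    for pid, comm, fds in processes:
        if comm not in shells:
            continue
        inode = stdio_on_one_socket(fds)
        if inode is not None:
            findings.append(Finding(pid, comm, inode))
    return findings


def read_live_processes():
    """Walk /proc (Linux only) into the same shape as SAMPLE_PROCESSES."""
    out = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            fds = {}
            for fd in os.listdir(f"/proc/{pid}/fd"):
                try:
                    fds[int(fd)] = os.readlink(f"/proc/{pid}/fd/{fd}")
                except OSError:
                    pass  # fd closed between listdir and readlink
        except OSError:
            continue  # process exited or not readable (needs root for others' fds)
        out.append((pid, comm, fds))
    return out


if __name__ == "__main__":
    for hit in find_socket_backed_shells(SAMPLE_PROCESSES):
        print(f"pid {hit.pid} ({hit.comm}): stdin/stdout/stderr all on socket inode {hit.inode}")
```

On the constructed snapshot only pid 3377 is reported: the sshd daemon keeps its own socket on fd 3, the interactive bash sits on a pty, and the partially redirected bash fails the all-three-same test. Pid 3390 is deliberately skipped because `python3` is not in the shell list, which illustrates the trade-off of the allowlist; a broader rule could drop the name check and alert on any process with socket-backed stdio. To run it against a live host, replace `SAMPLE_PROCESSES` with `read_live_processes()` as root, and resolve the reported inode against /proc/net/tcp to recover the remote address the shell is connected to.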