Find Socket Shellcode
The last of the three common techniques for establishing a shell over a network connection
involves attempting to reuse the same network connection over which the original
attack takes place. This method takes advantage of the fact that if we can exploit a remote
service, then we have been allowed to connect to that service; so why not make use of the
established connection in order to communicate after the exploit is complete? This situation
is shown in Figure 9-5.
If this can be accomplished, we have the additional benefit that no new, potentially
suspicious, network connections will be visible on the target computer, making our
exploit at least somewhat more difficult to observe.
Gray Hat Hacking: The Ethical Hacker's Handbook
200
Figure 9-4 Firewall configuration that prevents reverse connecting shellcode
Figure 9-5 Network conditions suited for find socket shellcode
The steps required to begin communicating over the existing socket involve locating
the open file descriptor that represents our network connection on the target computer.
Because the value of this file descriptor may not be known in advance, our shellcode
must take action to find the open socket somehow (hence the term find socket). Once
found, our shellcode must duplicate the socket descriptor as discussed previously in
order to cause a spawned shell to communicate over that socket. The most common
technique used in shellcode for locating the proper socket descriptor is to enumerate all
of the possible file descriptors (usually file descriptors 0 through 255) in the vulnerable
application, and to query each descriptor to see if it is remotely connected to the
attacker's computer.