0.0.0:48059 0.0.0.0:* LISTEN
21326/port_bind_sc
CAUTION When testing this program and the others in this chapter, if you run them repeatedly, you may get a state of TIME_WAIT or FIN_WAIT. You will need to wait for internal kernel TCP timers to expire, or simply change the port to another one if you are impatient.
Finally, switch to a normal user and connect:
# su joeuser
$ nc localhost 48059
id
uid=0(root) gid=0(root) groups=0(root)
exit
$
Success!
Implementing Reverse Connecting Shellcode
The last section was nice, but what if the vulnerable system sits behind a firewall and the
attacker cannot connect to the exploited system on a new port? As discussed in the previous
chapter, attackers will then use another technique: have the exploited system connect
back to the attacker on a particular IP and port. This is referred to as a reverse
connecting shell.
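As an added defender-side example that is not from the book, here is a small Linux program that looks for the footprint shared by the port-binding shell tested above and the reverse-connecting shell described here: a process whose stdin, stdout and stderr have all been dup2()'d onto a socket before the shell was exec'd. It assumes Linux's /proc filesystem; the function names are my own.

```c
/* Added example, not from the book: a Linux checker for the pattern both the
 * port-binding and the reverse-connecting shellcode rely on, a socket dup2()'d
 * onto stdin/stdout/stderr before execve("/bin/sh"). It walks /proc/<pid>/fd
 * and flags processes whose fds 0, 1, 2 are all sockets. Names are my own. */
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* 1 if a /proc/<pid>/fd/<n> link target is "socket:[...]"; pipes, ttys, files give 0. */
int fd_target_is_socket(const char *target)
{
    return strncmp(target, "socket:[", 8) == 0;
}

/* 1 if stdin, stdout and stderr of pid are all sockets; 0 otherwise, including
 * when the process cannot be inspected (already gone, or not ours). */
int stdio_on_socket(pid_t pid)
{
    char path[64], target[256];
    for (int fd = 0; fd < 3; fd++) {
        snprintf(path, sizeof path, "/proc/%d/fd/%d", (int)pid, fd);
        ssize_t n = readlink(path, target, sizeof target - 1);
        if (n < 0) return 0;
        target[n] = '\0';
        if (!fd_target_is_socket(target)) return 0;
    }
    return 1;
}

/* Scans every numeric entry under /proc, prints each hit and returns the hit
 * count, or -1 if /proc is unavailable. Run as root to see every process. */
int scan_procs(void)
{
    DIR *d = opendir("/proc");
    struct dirent *e;
    int hits = 0;
    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] < '0' || e->d_name[0] > '9') continue;
        pid_t pid = (pid_t)atoi(e->d_name);
        if (stdio_on_socket(pid)) {
            printf("pid %d: stdin/stdout/stderr are all sockets\n", (int)pid);
            hits++;
        }
    }
    closedir(d);
    return hits;
}
```

A legitimate sshd session or socket-activated daemon can also match, so treat a hit as a lead to inspect (parent process, binary path, peer address) rather than a verdict.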
Reverse Connecting C Program
The good news is that we only need to change a few things from our previous port binding
code:
1.