Metasploit Linux x86 Payloads Analysis
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
Student ID: SLAE-975
Assignment number: #5
Github repository: https://github.com/amonsec/SLAE/tree/master/assignment-5
This post is part of my SLAE series.
You can find the previous post at this address: https://amonsec.net/training/linux-assembly-x86/2018/custom-shellcode-encoder-decoder-with-intel-x86
This post will be slightly different from other ones because here, we will analyze shellcodes instead of writing them. It’s a really good exercise to learn how to use debuggers and disassemblers since that will drastically help you to understund what is going on in computer low level layers.
In order to cover multiples tools I will use three different tools:
- Linux distribution, in my case Ubuntu 10.04 LTS (x86);
- GDB installed;
- Libemu installed;
- Ndisasm installed;
- Metasploit-framework (or download shellcode from my github repository) and
- I have ever talked about coffee?
Note, we will use different pre-written payload from the very well known pentest framework called Metasploit. This is the Holy Bible for exploits due to is huge popularity in the cyber security field. For more information about Metasploit I highly recommend you to read this awesome guide from Offensive Security called Metasploit Unleashed (MSFU) or to go to the official website of Rapid7. Msfvenom is a component of the Metasploit-framework used for payloads generation.
If you want to install Metasploit-framework in your Linux system, you have multiples tutorials available:
Analyse with GDB (GNU debugger)
GDB is a portable debugger software that’s allow to analyze what is happening during program execution. GDB have mutiples good features and utilities, such as:
- pause the program execution and analyze state of program, check values of variables and registers;
- change values of variables/registers and
- multiples supported languages: C, C++, To, Objective-C, Fortran, Java, OpenCL C, Pascal, assembly, Modula-2 Ada languages.
For our first analyse, I have chosen to analyse the linux/x86/exec payload that execute the given command. Let’s take a look at the requirements.
We generate the payload:
For people who never used msfvenom before, let me explain you bit what all this argument do:
- –platfrom, used to specify the target platform;
- -p, used to specify the payload that we want to use;
- CMD=’cat /secret.txt’, the command that we want to execute;
- -f, the output language format (C, python, powershell, ruby and much more);
- -v, used to specify the name of the variable used to store the shellcode;
- –arch, the target architecture (x86 or x86_64);
- -i, the number of iteration (for encoders) and
- -o, used to specify the file where msfvenom will store the output.
We can create a basic C program to execute our payload:
Let’s compile this program, attach the program to GDB, set the assembly language to Intel and finally we set a breakpoint at the beginning of our shellcode.
We disassemble the payload in order to get the assembly code.
First, the payload set the syscall that will be used, here it’s, without any surprise, execve.
Just after that, the payload start to build a string that represent the command that will be executed later.
To found this information we can use the following commands with GDB. First we set a breakpoint at the call instruction, then we continue the execution of the program until we hit a breakpoint and finally we can take a look at the EBX and EDI registers.
The call instruction is executed, so, the next offset after the call instruction is pushed into the stack and the program jump to the given offset.
Finally everything is pushed into the stack, and the payload execute the execve syscall.
Successfully executed, we can read the content of the /secret.txt file.
Of course we can execute our C program without gdb:
Analise with Libemu
Libemu is a x86 emulator that allow access to both memory and registers. With this awesome tool, we will be able to dissect another Metasploit payload.
This time we will analyse the shell_bind_ipv6_tcp payload.
Now we generate this payload with msfvenom and we redirect the output to the sctest program from Libemu.
In our case the -vv flag is used for the verbosity of the output, we can increase it or decrease it as we want. The -S is used to say to sctest to read the shellcode from stdin and finally the -s flag is used to specify the maximum step that we want to run.
The awesome thing with this tools, is that you have the complete structure of the payload, so, it’s easy to following what it does:
- int socket, create a socket;
- int bind, bind the created socket;
- int listen, listen for an incoming connection;
- int accept, accept the incoming connection;
- int dup2, duplicate files descriptors in order to forward stdin, stdout and stderr;
- finally, int execve, execute /bin/sh
And, more interestingly, with the -G flag we can create a dot formatted callgraph.
Finally, we have this kind of callgraph who represent the execution of our payload:
Note, pylibemu is a Python library that allows to do the same stuff with Python scripts. That can be interesting for automatizing purposes.
Github repository: https://github.com/buffer/pylibemu
Analise with Ndiasm
Ndisasm is a binary disassembler, a really useful tool when you have a binary and you want to learn what he is doing. This time we will take a look at the linux/x86/chmod Metasploit payload.
We can generate our payload and redirect the output (in raw format) to ndisasm in order to get the assembly code.
So, we disassembled the binary (created with msfvenom) with ndisasm and now we can begin the code analyse. First, the payload initialise registers and set the value of the EAX register to 15, the chmod syscall id.
Then the payload jump to the pop ebx instruction that will push the targeted file name into the EBX register.
Finally, the given mode is push into the stack and stored into the ECX register then the payload execute the chmod syscall and exit the program.
We can generate your binary directly with msfvenom instead of using a C program.
And as expected, the payload change the accessibility of the file.
In this blog post we saw three tools, but you can find and learn other much advanced debugger/disassembler for Linux, such as:
This post is focused on the Linux, but if you searching for Windows debuggers/disassemblers, you can use: