In this blog post I will analyze three shellcodes generated with msfvenom.
Shellcode 1: linux/x86/adduser shellcode
Command Used : msfvenom --platform linux --arch x86 --payload linux/x86/adduser USER=slae PASS=slaeslae -i0 -fc
Static Analysis
Our first analysis uses the ndisasm tool to recreate the equivalent instructions from the raw hex string.
Dynamic Analysis
r2 disassembly
r2 disassembly
libemu could not do much with this shellcode: it generated neither equivalent code nor a call graph for it.
Shellcode 2: linux/x86/chmod shellcode
Command Used : msfvenom --platform linux --arch x86 --payload linux/x86/chmod FILE=/etc/shadow MODE=0666 -i0 -fc
Static Analysis
Our first analysis uses the ndisasm tool to recreate the equivalent instructions from the raw hex string.
Dynamic Analysis
r2 disassembly
r2 disassembly
Call Graph generated by libemu emulation
stepcount 12
[emu 0x0x88f3078 debug ] cpu state eip=0x00417026
[emu 0x0x88f3078 debug ] eax=0x00000000 ecx=0x000001b6 edx=0x00000000 ebx=0x0041700a
[emu 0x0x88f3078 debug ] esp=0x00416fca ebp=0x00000000 esi=0x00000000 edi=0x00000000
[emu 0x0x88f3078 debug ] Flags:
ERROR chmod (
) = -1;
ERROR exit (
int status = 4288522;
) = -1;
Shellcode 3: linux/x86/exec
Command Used : msfvenom --platform linux --arch x86 --payload linux/x86/exec CMD=ls -i0 -fc
While performing this analysis I noticed something interesting: the opcodes on lines 22 and 23 were not correctly decoded by the disassembler. The bytes 6C 73 should have been interpreted as data rather than as an instruction; they are the hex representation of the ASCII string "ls". The best part is that libemu identified this correctly and was able to generate equivalent code for it.
Static Analysis
Our first analysis uses the ndisasm tool to recreate the equivalent instructions from the raw hex string.
Dynamic Analysis
r2 disassembly
r2 disassembly
Call Graph generated by libemu emulation
stepcount 15
[emu 0x0x975d078 debug ] cpu state eip=0x00417028
[emu 0x0x975d078 debug ] eax=0x0000000b ecx=0x00416fb0 edx=0x00000000 ebx=0x00416fc0
[emu 0x0x975d078 debug ] esp=0x00416fb0 ebp=0x00000000 esi=0x00000000 edi=0x00416fc8
[emu 0x0x975d078 debug ] Flags:
int execve (
const char * dateiname = 0x00416fc0 =>
= "/bin/sh";
const char * argv[] = [
= 0x00416fb0 =>
= 0x00416fc0 =>
= "/bin/sh";
= 0x00416fb4 =>
= 0x00416fc8 =>
= "-c";
= 0x00416fb8 =>
= 0x0041701d =>
= "ls";
= 0x00000000 =>
none;
];
const char * envp[] = 0x00000000 =>
none;
) = 0;
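The two libemu traces quoted above (the chmod trace under Shellcode 2 and the execve trace under Shellcode 3) are easier to triage when parsed than when read by eye. The following Python script is an added example, not part of the original post and not libemu's own code: it embeds both traces as constructed input, parses the register dump and the syscall records, and derives a short behavioural summary. Where libemu printed no arguments for the failed chmod call, the script falls back on the Linux x86 int 0x80 convention (ebx = path pointer, ecx = mode) applied to the dumped registers; that fallback assumes the dumped state still holds the chmod arguments, which the trace supports because the reported exit status (4288522) equals ebx (0x0041700a). The function names parse_trace and triage and the SYSCALL_NAMES table are my own.

```python
import re

# Constructed input: the two libemu (sctest) traces quoted in the post,
# embedded verbatim so the script runs offline.
LIBEMU_CHMOD = """\
stepcount 12
[emu 0x0x88f3078 debug ] cpu state eip=0x00417026
[emu 0x0x88f3078 debug ] eax=0x00000000 ecx=0x000001b6 edx=0x00000000 ebx=0x0041700a
[emu 0x0x88f3078 debug ] esp=0x00416fca ebp=0x00000000 esi=0x00000000 edi=0x00000000
[emu 0x0x88f3078 debug ] Flags:
ERROR chmod (
) = -1;
ERROR exit (
int status = 4288522;
) = -1;
"""

LIBEMU_EXEC = """\
stepcount 15
[emu 0x0x975d078 debug ] cpu state eip=0x00417028
[emu 0x0x975d078 debug ] eax=0x0000000b ecx=0x00416fb0 edx=0x00000000 ebx=0x00416fc0
[emu 0x0x975d078 debug ] esp=0x00416fb0 ebp=0x00000000 esi=0x00000000 edi=0x00416fc8
[emu 0x0x975d078 debug ] Flags:
int execve (
const char * dateiname = 0x00416fc0 =>
= "/bin/sh";
const char * argv[] = [
= 0x00416fb0 =>
= 0x00416fc0 =>
= "/bin/sh";
= 0x00416fb4 =>
= 0x00416fc8 =>
= "-c";
= 0x00416fb8 =>
= 0x0041701d =>
= "ls";
= 0x00000000 =>
none;
];
const char * envp[] = 0x00000000 =>
none;
) = 0;
"""

REG_RE = re.compile(r"\b(e[a-z]{2})=0x([0-9a-f]{8})")
CALL_START_RE = re.compile(r"^(ERROR )?(?:\w+ )?(\w+) \($")
CALL_END_RE = re.compile(r"^\) = (-?\d+);$")
STRING_RE = re.compile(r'^= "(.*)";$')
SCALAR_RE = re.compile(r"^\w+ (\w+) = (-?\d+);$")

# Linux x86 (int 0x80) syscall numbers for the calls that appear in the traces.
SYSCALL_NAMES = {1: "exit", 11: "execve", 15: "chmod"}


def parse_trace(text):
    """Parse a libemu trace into step count, final registers and syscall records."""
    trace = {"stepcount": None, "registers": {}, "calls": []}
    call = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("stepcount "):
            trace["stepcount"] = int(line.split()[1])
        elif "debug ]" in line:  # register dump lines
            for reg, val in REG_RE.findall(line):
                trace["registers"][reg] = int(val, 16)
        elif call is None:
            m = CALL_START_RE.match(line)
            if m:  # "int execve (" or "ERROR chmod (" opens a syscall record
                call = {"name": m.group(2), "failed": bool(m.group(1)),
                        "strings": [], "scalars": {}, "ret": None}
        elif CALL_END_RE.match(line):  # ") = 0;" closes it with the return value
            call["ret"] = int(CALL_END_RE.match(line).group(1))
            trace["calls"].append(call)
            call = None
        elif STRING_RE.match(line):  # dereferenced string arguments
            call["strings"].append(STRING_RE.match(line).group(1))
        elif SCALAR_RE.match(line):  # e.g. "int status = 4288522;"
            m = SCALAR_RE.match(line)
            call["scalars"][m.group(1)] = int(m.group(2))
    return trace


def triage(trace):
    """Turn a parsed trace into short defender-facing findings."""
    regs, findings = trace["registers"], []
    for call in trace["calls"]:
        if call["name"] == "execve" and call["strings"]:
            # strings[0] is the filename; the remaining strings are argv
            findings.append("executes: " + " ".join(call["strings"][1:]))
        elif call["name"] == "chmod" and "ecx" in regs and "ebx" in regs:
            # libemu printed no arguments here, so fall back on the int 0x80
            # convention ebx = path pointer, ecx = mode. Assumption: the dumped
            # registers still hold the chmod arguments (supported by the trace,
            # since the later exit status equals ebx).
            findings.append("chmod mode 0%o on path at 0x%08x" % (regs["ecx"], regs["ebx"]))
        elif call["name"] == "exit" and "status" in call["scalars"]:
            status = call["scalars"]["status"]
            note = " (equals ebx, the leftover path pointer)" if status == regs.get("ebx") else ""
            findings.append("exit status %d = 0x%08x%s" % (status, status, note))
        if call["failed"]:
            findings.append("%s failed in emulation (ret %d)" % (call["name"], call["ret"]))
    if regs.get("eax") in SYSCALL_NAMES:  # syscall number left in eax at the final state
        findings.append("eax holds syscall %d (%s)" % (regs["eax"], SYSCALL_NAMES[regs["eax"]]))
    return findings


if __name__ == "__main__":
    for label, text in (("chmod", LIBEMU_CHMOD), ("exec", LIBEMU_EXEC)):
        parsed = parse_trace(text)
        print("[%s] steps=%d" % (label, parsed["stepcount"]))
        for finding in triage(parsed):
            print("  -", finding)
```

Running the script prints the findings for both traces. For the chmod trace, ecx=0x000001b6 decodes to mode 0666, which matches the MODE=0666 given to msfvenom, and the exit status 4288522 is exactly 0x0041700a, the ebx value, so the shellcode exits with the path pointer still in ebx. For the exec trace, the execve record resolves to /bin/sh -c ls, and eax=0x0000000b is syscall 11, execve.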
This blog post has been created to complete the requirements of the SecurityTube Linux Assembly Expert Certification: http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: PA-1191