SLAE64: Assignment 5 – Metasploit payloads analysis #1

For the 5th assignment of the SecurityTube Linux Assembly Expert certification, I needed to analyze some metasploit payloads for Linux x64.

I started by looking at the linux/x64/shell_reverse_tcp.

Instead of using msfpayload, as suggested in the course materials, I used msfvenom, as msfpayload is not installed on my Kali box.

The generated payload is 74 bytes, which is much smaller than what I was able to achieve in Assignment #2, but that implementation also included password protection.

For some reason objdump could not disassemble the generated ELF, complaining about corrupted ELF section headers. Still, I ran GDB and here’s the disassembled code:

This first section sets up a socket for the connection through the socket() syscall (0x29 or 41 from unistd_64.h). The authors employ the same PUSH/POP instead of MOV strategy I used to reduce shellcode size. Additional differences from my own implementation are the smart use of CDQ to null RDX instead of the XOR I used, and the use of XCHG instead of MOV, which is another neat way of shaving bytes off the shellcode.

The next section establishes the actual connection through the connect() system call (0x2a or 42 from unistd_64.h). It was interesting to see them fill the whole sockaddr structure in a single instruction, although this introduces null bytes into the code.

Although I have not tested it, I believe the code could be further optimized at 0x400091 by using a PUSH/POP combo instead of the MOV.

This section is exactly like my own implementation: it is the loop that calls the dup2() system call to redirect STDIN, STDOUT and STDERR to the connection socket.

The previous comments also apply to the last section, where the execve() system call is used to run ‘/bin/sh’. Again CDQ is used to null RDX, RBX is populated in a single MOV instruction (at the cost of a null byte), and there are possible size optimizations at 0x4000b8 and 0x4000bd if a PUSH/POP combo is used instead of the MOV.
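As an added example (not part of the original post or of Metasploit), the following Python script statically walks a shellcode fragment built from the idioms discussed above (PUSH/POP to load RAX, CDQ to zero RDX, XCHG to move the socket fd into RDI, and the single MOV that loads the whole sockaddr_in) and reports each syscall with its arguments, the decoded sockaddr_in, and the offsets of the null bytes that MOV introduces. The syscall numbers come from unistd_64.h; the sample bytes are a constructed socket()+connect() fragment pointing at 127.0.0.1:4444, not the msfvenom output, and only the idioms named in the post are understood.

```python
import struct

# Linux x86-64 syscall numbers named in the post (unistd_64.h)
SYSCALLS = {33: "dup2", 41: "socket", 42: "connect", 59: "execve"}
POP_REG = {0x58: "rax", 0x59: "rcx", 0x5a: "rdx", 0x5e: "rsi", 0x5f: "rdi"}
PUSH_REG = {0x50: "rax", 0x51: "rcx", 0x52: "rdx", 0x56: "rsi", 0x57: "rdi"}

def decode_sockaddr_in(raw: bytes) -> dict:
    """sin_family is host (little-endian) order; sin_port and sin_addr are network (big-endian) order."""
    family = struct.unpack("<H", raw[:2])[0]
    port = struct.unpack(">H", raw[2:4])[0]
    return {"family": family, "port": port, "ip": ".".join(str(b) for b in raw[4:8])}

def analyze(code: bytes) -> dict:
    """Walk a fragment made of the size-optimised idioms the post discusses; record every SYSCALL and its args."""
    regs, stack, calls, sockaddr, i = {}, [], [], None, 0
    while i < len(code):
        b = code[i]
        if b == 0x6a:                            # push imm8: 2 bytes, no null byte
            stack.append(code[i + 1]); i += 2
        elif b in PUSH_REG:                      # push r64
            stack.append(regs.get(PUSH_REG[b])); i += 1
        elif b in POP_REG:                       # pop r64: a push/pop pair replaces a longer mov
            regs[POP_REG[b]] = stack.pop(); i += 1
        elif b == 0x99:                          # cdq: EAX holds a small positive value, so EDX/RDX becomes 0
            regs["rdx"] = 0; i += 1
        elif code[i:i + 2] == b"\x48\x97":       # xchg rax, rdi: socket fd into RDI in 2 bytes
            regs["rax"], regs["rdi"] = regs.get("rdi"), regs.get("rax"); i += 2
        elif code[i:i + 2] == b"\x48\xb9":       # mov rcx, imm64: the whole sockaddr_in in one instruction
            raw = code[i + 2:i + 10]
            regs["rcx"] = int.from_bytes(raw, "little")
            sockaddr = decode_sockaddr_in(raw); i += 10
        elif code[i:i + 3] == b"\x48\x89\xe6":   # mov rsi, rsp: pointer to the struct just pushed
            regs["rsi"] = "rsp"; i += 3
        elif code[i:i + 2] == b"\x0f\x05":       # syscall: record it; RAX now holds the return value
            name = SYSCALLS.get(regs.get("rax"), f"sys_{regs.get('rax')}")
            calls.append((name, {r: regs.get(r) for r in ("rdi", "rsi", "rdx")}))
            regs["rax"] = name + "()"; i += 2
        else:
            raise ValueError(f"unhandled opcode {b:#04x} at offset {i}")
    nulls = [off for off, byte in enumerate(code) if byte == 0]
    return {"calls": calls, "sockaddr": sockaddr, "null_offsets": nulls}

# Constructed fragment (not the msfvenom output): socket() then connect() to 127.0.0.1:4444.
SAMPLE = bytes.fromhex(
    "6a2958" "99" "6a025f" "6a015e" "0f05" "4897"       # socket(AF_INET, SOCK_STREAM, 0); fd -> RDI
    "48b9" "0200" "115c" "7f000001" "51" "4889e6"       # sockaddr_in {AF_INET, 4444, 127.0.0.1} on the stack
    "6a105a" "6a2a58" "0f05")                           # connect(fd, rsp, 16)
```

Running `analyze(SAMPLE)` lists the two syscalls with their arguments and shows the three null bytes all come from the imm64 sockaddr_in, which is exactly where the post notes the MOV costs bytes.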

Overall I feel proud that the published metasploit reverse tcp shell implementation is essentially very similar to mine.


This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert Certification.

Student ID: SLAE64-1440
