SLAE Assignment 5: Analysis of Metasploit shellcodes

msf > get_shellcode_analysis

Hint: It's easier to read the code on GitHub!

Hello again !

Today we are going to dissect three different shellcodes generated with Metasploit. Cool, right? It should broaden our knowledge of opcodes and reveal new patterns and tricks in assembly... Go go go!

Standard exec shellcode with CMD= 

First, we start with a simple yet well-known payload, linux/x86/exec. Generate it with msfvenom -p linux/x86/exec -f raw CMD="echo SLAEisrad" > msfcmd.raw (note the payload name is linux/x86/exec; -f raw writes the bare shellcode bytes, with no ELF header).

Then you can disassemble it with ndisasm -u msfcmd.raw (-u selects 32-bit mode, the same as -b 32; without it ndisasm defaults to 16-bit and the output is garbage).

I will provide the analysis directly inside the disassembly. If you want to run it or analyse it dynamically, you can export it in ELF format with -f elf and run it under gdb, or feed the raw file to libemu's sctest. In short, this payload builds argv = {"/bin/sh", "-c", CMD} on the stack and calls execve (syscall 11 on x86), so the command is actually run by /bin/sh -c.






Meet the infamous shikata_ga_nai!

As I want to understand polymorphic viruses and encoders, I take this exercise as an opportunity to analyse shikata_ga_nai. We will generate exactly the same shellcode as before, but this time encoded with the famous encoder.

Generate it (using only one encoding round, which is also the default) with:

msfvenom -p linux/x86/exec -i 1 -e x86/shikata_ga_nai -f raw CMD="echo SLAEisrad" > shikatamsfcmd.raw

(-i sets the number of encoding iterations; -c is a different msfvenom option, used to add a win32 shellcode file, and does not control rounds.)

Now let's see what this encoder is doing... As a side note, you get a better "view" of a self-decoding stub with libemu (sctest -vvv) than with gdb, because it traces every instruction as it is emulated, including the ones that only exist after the decoder has rewritten them in memory.




Alright. Job done. Shikata_ga_nai is a polymorphic XOR additive feedback encoder: the stub finds its own address with an FPU instruction followed by fnstenv, then walks the encoded body one dword at a time, XORs each dword with the key, and adds the freshly decoded dword to the key before moving on (that is the "additive feedback"). The key is random, and the registers and instruction ordering of the stub are chosen randomly too, so every generated stub looks different while performing the same decoding in the end. One practical consequence: because each key depends on every dword decoded before it, a single mangled byte in the encoded body corrupts everything after it, not just that byte.
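To make that decoding loop concrete, here is an added C model of the XOR additive feedback scheme. This is my own example, not code from the Metasploit encoder and not the stub's real bytes: it keeps the two rules the stub implements (XOR a little-endian dword with the key, then add the decoded dword to the key) and drops everything polymorphic. The sample bytes and the key 0x01010101 are constructed for illustration; they are not real shellcode or a real msf key.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The stub works on 32-bit little-endian words exactly as the x86 CPU
 * reads them from memory, so the model does the same. */
static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void store_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Encoder side (what msfvenom does before emitting the payload):
 * XOR each dword with the running key, then add the ORIGINAL dword to
 * the key. len must be a multiple of 4; returns -1 otherwise. */
int sgn_encode(uint8_t *buf, size_t len, uint32_t key)
{
    if (len % 4 != 0)
        return -1;
    for (size_t i = 0; i < len; i += 4) {
        uint32_t orig = load_le32(buf + i);
        store_le32(buf + i, orig ^ key);
        key += orig;            /* additive feedback, wraps mod 2^32 */
    }
    return 0;
}

/* Decoder side, one C statement per instruction of the stub's loop:
 *     xor [ptr+off], key   ; decode the dword in place
 *     add key, [ptr+off]   ; key += the dword just decoded
 *     sub ptr, -4          ; advance to the next dword
 *     loop                 ; ecx holds the remaining dword count
 * Because the key depends on every earlier decoded dword, one wrong byte
 * anywhere in the encoded payload garbles everything after it. */
int sgn_decode(uint8_t *buf, size_t len, uint32_t key)
{
    if (len % 4 != 0)
        return -1;
    for (size_t i = 0; i < len; i += 4) {
        uint32_t dec = load_le32(buf + i) ^ key;
        store_le32(buf + i, dec);
        key += dec;
    }
    return 0;
}

/* Constructed test data (assumption of this example): two dwords that are
 * easy to follow by hand, and an arbitrary key. Not real shellcode. */
static const uint8_t kSample[8] = { 0x11, 0x11, 0x11, 0x11,
                                    0x22, 0x22, 0x22, 0x22 };
static const uint32_t kKey = 0x01010101u;

/* Encoded dword number idx (0 or 1) of kSample under kKey. */
uint32_t sgn_demo_encoded_dword(size_t idx)
{
    uint8_t work[sizeof kSample];
    memcpy(work, kSample, sizeof work);
    sgn_encode(work, sizeof work, kKey);
    return load_le32(work + 4 * idx);
}

/* 1 if encode followed by decode restores kSample byte for byte. */
int sgn_roundtrip_ok(void)
{
    uint8_t work[sizeof kSample];
    memcpy(work, kSample, sizeof work);
    sgn_encode(work, sizeof work, kKey);
    sgn_decode(work, sizeof work, kKey);
    return memcmp(work, kSample, sizeof work) == 0;
}

/* 1 if flipping a single bit in the first encoded dword also corrupts the
 * second decoded dword (the feedback property). */
int sgn_corruption_propagates(void)
{
    uint8_t work[sizeof kSample];
    memcpy(work, kSample, sizeof work);
    sgn_encode(work, sizeof work, kKey);
    work[0] ^= 0x01;                          /* simulate one bad char */
    sgn_decode(work, sizeof work, kKey);
    return load_le32(work + 4) != load_le32(kSample + 4);
}

int main(void)
{
    printf("encoded dwords: %08x %08x\n",
           sgn_demo_encoded_dword(0), sgn_demo_encoded_dword(1));
    printf("roundtrip ok: %d, corruption propagates: %d\n",
           sgn_roundtrip_ok(), sgn_corruption_propagates());
    return 0;
}
```

Build with cc -std=c99 -o sgn_model sgn_model.c and follow the two dwords by hand: 0x11111111 ^ 0x01010101 = 0x10101010, the key becomes 0x01010101 + 0x11111111 = 0x12121212, and 0x22222222 ^ 0x12121212 = 0x30303030. The same dependency chain is why, when you write your own XOR-feedback decoder, you pad the body to a dword boundary and why a badchar filter has to be applied to the encoded output, not only to the original shellcode.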





Moar syscalls, *roaR*

We need to make progress on linux/x86, so let's check another msf shellcode, one with more syscalls, and analyse it.



"Awesome!!!" The SLAE teacher really loves to use that word in the videos, so it is becoming my new shout-out :]

And that's all, folks! Thanks for reading.



This blog post has been created to complete the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

SLAE - xxx 
