Since I had created a reverse tcp shellcode for assignment 2 of the SLAE
I decided that it would be interesting to look at msfvenom’s version and
to see how it differed from mine. To do so I did the following:
Generate a linux/x86/shell_reverse_tcp shellcode using:
It defaults to LPORT=4444 so there is no need to set it.
Next, I ran the shellcode using Libemu and generated a .dot file:
I then converted the dot file to a png using:
Which gives us:
Cool. Looking at the purple boxes we see that the system calls that are
being used are:
socket
dup2
connect
execve
Those were the same socket calls that were used in the reverse shell
for assignment 2. Lets analyze things at the assembly level:
MSFVenom Socket:
All in all this MSFvenom shellcode looks very similar to the one I had created
in assignment 2. There are some slight differences like using mul to clear
out eax as opposed to just using xor. One cool trick the MSFvenom version
was doing was using a push dword with the port and sin_family in 1 operation.
push dword 0x5c110002 instead of what I had in my version:
push word 0x5c11 ; sin_port=4444 (network byte order)
push word bx ; sin_family=AF_INET (0x2)
If we look at the objdump of a little nasm program to compare the instructions
we see:
Using 2 xor operations yields the same number of bytes/opcodes as using an xor and a mul instruction
Using a single dword push instruction instead of 2 push word instructions yields 1 less byte/opcode but it does introduce a null byte.
It was really interesting to see what MSFvenom generated shellcode looks like.
Doing this exercise has taken a bit of the mystique of MSFVenom away and I look
forward to analyzing more shellcode from it to see what else I can learn.