Analysis of Metasploit linux/x86/shell_find_port shellcode

This post analyses innards of linux/x86/shell_find_port shellcode. This shellcode spawns a shell on an established connection. Initial shellcode overview and testing Inspect payload options and generate shellcode for analysis linux/x86/shell_find_port payload has one option. We will keep CPORT set to default value 40746 Insert generated shellcode into testing C wrapper Shellcode analysis Using libemu sctest gives infinite loop strace output …

Analysis of Metasploit linux/x86/read_file shellcode

This post analyses innards of linux/x86/read_file shellcode. This shellcode reads from the local file system and writes it back out to the specified file descriptor. Initial shellcode overview and testing Inspect payload options and generate shellcode for analysis linux/x86/read_file payload has two options. We will keep FD set to 1 (STDOUT) and set path to /etc/passwd. At first glance the …

Encoding with PUNPCKLBW instruction

In this blog post I will describe how to encode/decode arbitrary byte sequence with PUNPCKLBW instruction from MMX instruction set. PUNPCKLBW instruction Arcane denotation PUNPCKLBW stands for Pack/Unpack/Lower/Byte/Word. This instruction is used to combine two data elements into one. See following picture PUNPCKLBW unpacks and interleaves the low-order data elements of the destination operand and source operand into the destination …

Creating TCP reverse shell shellcode

This blog post describes manual creating of TCP reverse shellcode on Intel 32-bit architecture and Linux platform. If you have already read previous blog post how to create bind shell you will find this post very easy to follow as the progress is almost the same. We will start with following C code. Difference between bind and reverse shell mechanism …