{"id":1513,"date":"2018-12-18T02:00:19","date_gmt":"2018-12-18T02:00:19","guid":{"rendered":"http:\/\/www.gironsec.com\/blog\/?p=1513"},"modified":"2018-12-18T02:00:19","modified_gmt":"2018-12-18T02:00:19","slug":"metasploit-addition-two-electric-boogaloo","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2018\/12\/metasploit-addition-two-electric-boogaloo\/","title":{"rendered":"Metasploit Addition Two – Electric Boogaloo"},"content":{"rendered":"

What about Linux? Why all the love for Windows? What is this crap?<\/p>\n

The code for linux is a bit different in MSF. They use a modified ELF template that puts the shellcode directly into the end of the file which is built by nasm. Example:<\/p>\n

<\/p>\n

\n
; build with:<\/span>\n;   nasm elf_x86_template.s -f bin -o template_x86_linux.bin<\/span>\n\nBITS<\/span> 32<\/span>\n\norg<\/span> 0x08048000<\/span>\n\nehdr:                            ; Elf32_Ehdr<\/span>\n  db<\/span>    0x7F<\/span>, \"ELF\"<\/span>, 1<\/span>, 1<\/span>, 1<\/span>, 0<\/span>  ;   e_ident<\/span>\n  db<\/span>    0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>,  0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>  ;<\/span>\n  dw<\/span>    2<\/span>                        ;   e_type       = ET_EXEC for an executable<\/span>\n  dw<\/span>    3<\/span>                        ;   e_machine<\/span>\n  dd<\/span>    1<\/span>                        ;   e_version<\/span>\n  dd<\/span>    _start                   ;   e_entry<\/span>\n  dd<\/span>    phdr - $<\/span>                ;   e_phoff<\/span>\n  dd<\/span>    0<\/span>                        ;   e_shoff<\/span>\n  dd<\/span>    0<\/span>                        ;   e_flags<\/span>\n  dw<\/span>    ehdrsize                 ;   e_ehsize<\/span>\n  dw<\/span>    phdrsize                 ;   e_phentsize<\/span>\n  dw<\/span>    1<\/span>                        ;   e_phnum<\/span>\n  dw<\/span>    0<\/span>                        ;   e_shentsize<\/span>\n  dw<\/span>    0<\/span>                        ;   e_shnum<\/span>\n  dw<\/span>    0<\/span>                        ;   e_shstrndx<\/span>\n\nehdrsize equ<\/span>  $<\/span> - ehdr\n\nphdr:                            ; Elf32_Phdr<\/span>\n  dd<\/span>    1<\/span>                        ;   p_type       = PT_LOAD<\/span>\n  dd<\/span>    0<\/span>                        ;   p_offset<\/span>\n  dd<\/span>    $<\/span>                       ;   p_vaddr<\/span>\n  dd<\/span>    $<\/span>                       ;   p_paddr<\/span>\n  dd<\/span>    0xDEADBEEF<\/span>               ;   p_filesz<\/span>\n  dd<\/span>    0xDEADBEEF<\/span>               ;   p_memsz<\/span>\n  dd<\/span>    7<\/span>                        ;   p_flags      = rwx<\/span>\n  dd<\/span>    0x1000<\/span>                   ;   p_align<\/span>\n\nphdrsize equ<\/span>  $<\/span> - phdr\n\nglobal<\/span> _start\n\n_start:\n; MSF puts the shellcode here<\/span>\n<\/pre>\n<\/div>\n
\u00a0<\/p>\n
We would have to generate a new elf template file each time with our date check called prior to shellcode execution. From there, we would have to call our system call functions. Modification of this code however isn’t going very well. Metasploit uses a core class for setting these elf files and modifying the entire thing just to fit this one feature is…hard to say the least. I had considered first writing my stuff in C, then assembly, but this can all be made simpler in Linux with syscalls. The following code piece does the same as we did with windows, except its much smaller \/ easier to implement. Before we show off the assemblers, let’s go over syscalls. Everything in Linux is done via syscalls – everything from opening files to resetting the computer. Think of them as like interrupts for DOS (god I am OLD). As per the Linux man pages: “The system call is the fundamental interface between an application and the Linux kernel.”. Any time a program has to do anything special like read a read or write a file, or fork a new process, a syscall is made. Each architecture on linux will have the same system call table. You can find the syscall table for each architecture on github or the net. I used this one<\/a> for x64 intel. For x86, I used the table here<\/a>. The sys_time system call is used for obtaining the Unix epoch<\/a> which is the number of seconds elapsed since 1970. An example would be 1545094801 in decimal or 0x\u202d5C184691\u202c in hex. This result is stored in a register EAX on x86 or RAX on x64 intel. Our code calls his syscall and compares it against the time we have stored which is supposed to be one months from now or plus an additional 2592000 seconds. Finally we have an old assembly friend for crashing – EB FE – jump two bytes backward from the current position while also moving two spaces forward. An infinite loop in two instructions. And now without further ado, the code:<\/p>\n\n
\n
section<\/span> .text<\/span>\nglobal<\/span> _start<\/span>\n\n_start:<\/span>\n\n; use syscall for epoch, compare it 30 days in future, check if older, crash<\/span>\n;------------------------------------------------------------------------------<\/span>\nmov<\/span> al<\/span>,0x0D<\/span> ;sys_time is 13 vvvv current epoch plus one month<\/span>\nint<\/span> 0x80<\/span> ; only x64 uses syscall instruction, use int 0x80 instead<\/span>\nmov<\/span> ebx<\/span>, 0x58D15D5F<\/span>\ncmp<\/span> eax<\/span>, ebx<\/span>\njge<\/span> rockit<\/span>\nmov<\/span> al<\/span>, 1<\/span> ;exit<\/span>\nint<\/span> 0x80<\/span>\nrockit:<\/span>\ndb<\/span> 0xEB<\/span>\ndb<\/span> 0xFE<\/span>\n<\/pre>\n<\/div>\n
All in all, I have the thing down to 18 bytes with no null bytes.<\/p>\n\n
\n
char<\/span> *<\/span>scode =<\/span> \"<\/span>\\xb0\\x0d\\xcd\\x80\\xbb\\x5f\\x5d\\xd1\\x58\\x39\\xd8\\x7d\\x04\\xb0\\x01\\xcd\\x80\\xeb\\xfe<\/span>\"<\/span>;\n<\/pre>\n<\/div>\n
Here I have the same thing except with x64 code. Not much is different other than the use of the mnemonic ‘syscall’ instead of ‘int 0x80’ and the number of the syscall.<\/p>\n\n
\n
section<\/span> .text<\/span>\nglobal<\/span> _start<\/span>\n\n_start:<\/span>\n\n; use syscall for epoch, compare it 30 days in future, check if older, crash<\/span>\n;------------------------------------------------------------------------------<\/span>\n\nmov<\/span> al<\/span>,0xc9<\/span> ;sys_time 201 vvvv current epoch plus one month<\/span>\nsyscall<\/span>\nmov<\/span> ebx<\/span>, 0x58D15D5F<\/span>\ncmp<\/span> eax<\/span>, ebx<\/span>\njge<\/span> rockit<\/span>\nmov<\/span> al<\/span>, 1<\/span> ;exit<\/span>\nsyscall<\/span>\nrockit:<\/span>\ndb<\/span> 0xEB<\/span>\ndb<\/span> 0xFE<\/span>\n<\/pre>\n<\/div>\n
And here we have our shellcode again:<\/p>\n\n
\n
char<\/span> scoder*<\/span> =<\/span> \"<\/span>\\xb0\\x0d\\xcd\\x80\\xbb\\x5f\\x5d\\xd1\\x58\\x39\\xd8\\x7d\\x04\\xb0\\x01\\xcd\\x80\\xeb\\xfe<\/span>\"<\/span>;\n<\/pre>\n<\/div>\n
Someone once asked me how the heck do you code assembly without the nulls and I said “use the smaller registers so there is no padding”. I could spend a whole blog post on that alone.<\/p>\n
\u00a0<\/p>\n
So how the hell do we take this and implement it in metasploit? We could always modify the template files by adding our check to the bottom just below ‘start’, and that would work for all files, but it would have to be done for EVERY SINGLE TEMPLATE, so its becomes a pain in the ass. Then someone (HD Moore) told me about the ‘PrependEncoder<\/span>‘ option present in Metasploit when writing exploits.<\/p>\n
\"\"<\/a><\/p>\n
Basically it allows us to prepend shellcode to the payload that is executed first. In this case, we are adjusting the size of the stack, but it doesn’t have to be that. Why not add our date check there instead? “\\xb0\\x0d\\xcd\\x80\\xbb\\x5f\\x5d\\xd1\\x58\\x39\\xd8\\x7d\\x04\\xb0\\x01\\xcd\\x80\\xeb\\xfe”; would fit great right there.<\/p>\n
This is basically where I am at with this. I need to figure out how to programmatically add my code via command line argument to new exploits and payloads. And before you ask, I did think about how I would dynamically add the epoch in hex to the assembly in ruby:<\/p>\n
\"\"<\/a><\/p>\n
\u00a0<\/p>\n
My commit is presently in limbo while I try and figure out how to make use of the PrependEncoder option programmatically so until then, this technique is in my posession and not the world’s.<\/p>\n
\"\"<\/a><\/p>\n
\u00a0<\/p>\n
Until next time, happy hacking!<\/p>\n
\"\"<\/a><\/p>\n
\u00a0<\/p>\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
What about Linux? Why all the love for Windows? What is this crap? The code for linux is a bit different in MSF. They use a modified ELF template that puts the shellcode directly into the end of the file which is built by nasm. Example: ; build with: ; nasm elf_x86_template.s -f bin -o […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[4,6],"tags":[118,117],"_links":{"self":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1513"}],"collection":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/comments?post=1513"}],"version-history":[{"count":4,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1513\/revisions"}],"predecessor-version":[{"id":1587,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1513\/revisions\/1587"}],"wp:attachment":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/media?parent=1513"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/categories?post=1513"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/tags?post=1513"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}