Analyzing MSFVenom Payloads with Binary Ninja | Linux x86_64

Introduction

In an effort to learn more about Binary Ninja, we will take apart three shellcode samples generated with msfvenom. Please note that disassemblers in general, including Binary Ninja, are fairly new to me, so this will be as much a learning experience for me as it will be for you.

Shellcode I

First, we'll look at the exec payload and generate a sample that runs the whoami command.

I will use Binary Ninja's comment feature to explain the shellcode, as I feel it is easier to digest that way.

Shellcode II

Next, we will look at a stageless reverse shell that connects back to the localhost IP address on the default port, 4444.

Let’s disassemble it.

Shellcode III

Lastly, we will dissect a stageless bind shell that listens on all interfaces on port 4444 (the default).

And the analysis.
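One thing worth seeing in code, for both Shellcode II and Shellcode III, is how the hard-coded endpoint shows up in the disassembly. A stageless reverse or bind shell builds its struct sockaddr_in on the stack, and on x86_64 the whole family/port/address prefix fits in one 64-bit immediate loaded with a `mov r64, imm64` and then pushed. The helper below is my own added example (not code from the original post, msfvenom or Binary Ninja): it decodes such an immediate into family, port and address, and scans a raw shellcode blob for the `48 B8..BF imm64` encoding so the endpoint can be confirmed without hand-converting byte order. The two byte fragments it runs on are constructed for this example, not actual msfvenom output.

```python
"""Decode hard-coded sockaddr_in endpoints from x86_64 shellcode (added example).

struct sockaddr_in starts with sin_family (2 bytes, host order), sin_port
(2 bytes, network order) and sin_addr (4 bytes, network order).  When a
shellcode does `mov rcx, imm64 ; push rcx ; mov rsi, rsp`, the imm64 is
exactly those 8 bytes read as a little-endian quadword.
"""
import struct

AF_INET = 2
# Register encoded by the low 3 bits of the opcode byte (B8+r) with REX.W set.
REGS = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]


def encode_sockaddr_in(port: int, addr: str) -> int:
    """Return the imm64 a `mov r64, imm64` would carry for AF_INET port/addr."""
    raw = (struct.pack("<H", AF_INET)                      # sin_family, host order
           + struct.pack("!H", port)                       # sin_port, network order
           + bytes(int(octet) for octet in addr.split(".")))  # sin_addr
    return struct.unpack("<Q", raw)[0]


def decode_sockaddr_in(imm: int) -> dict:
    """Interpret a 64-bit immediate as the first 8 bytes of struct sockaddr_in."""
    raw = struct.pack("<Q", imm)
    family = struct.unpack("<H", raw[0:2])[0]
    port = struct.unpack("!H", raw[2:4])[0]
    addr = ".".join(str(b) for b in raw[4:8])
    return {"family": family, "port": port, "addr": addr}


def find_endpoints(code: bytes) -> list:
    """Scan for `mov r64, imm64` (REX.W 0x48, opcode 0xB8..0xBF, 8-byte imm)
    whose immediate looks like an AF_INET sockaddr_in.  This is a heuristic
    for this one encoding; shellcode that builds the struct in pieces or
    stores it as data will not be caught."""
    hits = []
    for i in range(len(code) - 9):
        if code[i] == 0x48 and 0xB8 <= code[i + 1] <= 0xBF:
            imm = struct.unpack_from("<Q", code, i + 2)[0]
            sa = decode_sockaddr_in(imm)
            if sa["family"] == AF_INET:
                hits.append({"offset": i, "reg": REGS[code[i + 1] - 0xB8],
                             "imm": imm, **sa})
    return hits


# Constructed fragments (not real msfvenom output) showing the sockaddr load:
#   48 b9 <imm64>   mov rcx, imm64
#   51              push rcx
#   48 89 e6        mov rsi, rsp
REVERSE_FRAGMENT = (b"\x48\xb9" + struct.pack("<Q", encode_sockaddr_in(4444, "127.0.0.1"))
                    + b"\x51\x48\x89\xe6")
BIND_FRAGMENT = (b"\x48\xb9" + struct.pack("<Q", encode_sockaddr_in(4444, "0.0.0.0"))
                 + b"\x51\x48\x89\xe6")

if __name__ == "__main__":
    for hit in find_endpoints(REVERSE_FRAGMENT + BIND_FRAGMENT):
        print(f"offset {hit['offset']:#06x}: mov {hit['reg']}, {hit['imm']:#018x}"
              f"  ->  {hit['addr']}:{hit['port']}")
```

Running it prints the immediate for the reverse shell as 0x0100007f5c110002, which is the value you see next to the `mov` in Binary Ninja: read from the low byte, 02 00 is AF_INET, 11 5c is port 4444 in network order, and 7f 00 00 01 is 127.0.0.1. The bind shell's immediate collapses to 0x5c110002 because sin_addr is INADDR_ANY (all zeros), which is why it looks like a 32-bit constant in the listing even though the struct is still 8 bytes wide.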

Closing Thoughts

I really like Binary Ninja and plan on using it more often moving forward. All of the above binaries are available on my GitHub. Feel free to contact me for questions using the comment section below or just tweet me @ihack4falafel.

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html

Student ID: SLAE64 – 1579
