voidsec2020-04-04T15:38:34+00:00Assignment #7: Custom Shellcode Crypter
Seventh and last SLAE’s assignment requires to create a custom shellcode crypter.Since I had to implement an entire encryption schema both in python as an helper and in assembly as the main decryption routine, I've opted for something simple. I've chosen the Tiny Encryption Algorithm (TEA) as it does not require large IV or SBOX initialization vectors (adding a huge overhead to my shellcode's decoding routine), because it's tiny and not too complex to re-implement.As...
voidsec2020-04-02T14:39:56+00:00Assignment #6: Polymorphic Shellcode
Sixth SLAE’s assignment requires to create three different (polymorphic) shellcodes version starting from published Shell Storm's examples.I've decided to take this three in exam:http://shell-storm.org/shellcode/files/shellcode-752.php - linux/x86 execve ("/bin/sh") - 21 bytes
http://shell-storm.org/shellcode/files/shellcode-624.php - linux/x86 setuid(0) + chmod("/etc/shadow",0666) - 37 bytes
http://shell-storm.org/shellcode/files/shellcode-231.php - linux/x86 open cd-rom loop (follows "/dev/cdrom" symlink) - 39 bytesAs always, all the code is also available on GitHub.Stay updated, join VoidSec's Telegram Channel: https://t.me/voidsec_updates
; http://shell-storm.org/shellcode/files/shellcode-752.phpxor ecx, ecx
push 0x68732f2f ...
voidsec2020-04-02T14:24:28+00:00Assignment #5: Metasploit Shellcode Analysis
Fifth SLAE’s assignment requires to dissect and analyse three different Linux x86 Metasploit Payload.Metasploit currently has 35 different payloads but almost half of it are Meterpreter version, thus meaning staged payloads. I’ve then decided to skip meterpreter payloads as they involve multiple stages and higher complexity that will break libemu graph generation (which I find very useful to better explain shellcode’s operations).In this blog we are going to analyse the following shellcodes:linux/x86/shell_find_tag
voidsec2020-03-17T11:14:59+00:00Assignment #4: Custom Shellcode Encoder
As the 4th SLAE’s assignment I was required to build a custom shellcode encoder for the execve payload, which I did, here how.Stay updated, join VoidSec's Telegram Channel: https://t.me/voidsec_updates
I’ve decided to not relay on XORing functionalities as most antivirus solutions are now well aware of this encoding schema, the same reason for which I’ve skipped ROT13 and other “rotating” encoding. I thought of using some multiple weird shifting schema but that would have had...
voidsec2020-03-13T09:49:32+00:00Assignment #3: Egghunter
This time the assignment was very interesting, here the requirements: study an egg hunting shellcode and create a working demo, it should be configurable for different payloads.As many before me, I’ve started my research journey with Skape’s papers: “Searching Process Virtual Address Space”. I was honestly amazed by the paper content, it’s not only very well written and explained but it ‘s mind-blowing. Understanding why and how egg hunter shellcode should be crafted in such tailored way...
voidsec2020-03-13T09:49:22+00:00Assignment #2: Reverse TCP Shell
Create a shell_reverse_tcp shellcode that connects back to an IP address, on a specific a port and execute a shell. The IP address and port number should be easy configurable.Again, instead of going for the path of writing a C TCP reverse shell from scratch, I decided to generate a raw Metasploit payload and analyze it with libemu.
Analyzing the Shellcode
All the code is also available on GitHub.This time the analysis will be a lot shorter...
voidsec2020-03-13T14:56:23+00:00Before attending the Corelan training and the OSCE certification, I’ve decided to start the x86 Assembly Language and Shellcoding on Linux Pentester Academy’s course.The next couple blogs (~7) will contains the assignments’ solutions for the SLAE certification exam.
Assignment #1: Bind TCP Shell
Create a shell_bind_tcp shellcode that binds to a port and execute a shell on an incoming connection, the port number should be easy to configure.Instead of going for the path of writing a C bind TCP shell from...