Rabbit shellcode crypter

In this post I will introduce custom shellcode crypter based on Rabbit cipher. Introduction to Rabbit cipher Rabbit cipher is stream synchronous symmetric cipher using 128-bit key and 64-bit initialization vector. It was developed in 2003 by Martin Boesgaard, Mette Vesterager, Thomas Christensen and Erik Zenner. Source code was released in 2008. This cipher is used mainly in embedded devices, …

Shellcode Polymorphism Examples

In this blog post I will transform three Linux Intel x86 shellcodes via polymorphic patterns. 1. Linux/x86 Force Reboot shellcode Link to original shellcode: http://shell-storm.org/shellcode/files/shellcode-831.php Original shellcode with analysis This shellcode executes /sbin/reboot command via execve() system call stack method. Shellcode length is 36 bytes. Mutated shellcode with analysis Mutated shellcode has size of 54 bytes which is 50% more …

Analysis of Metasploit linux/x86/shell_find_port shellcode

This post analyses innards of linux/x86/shell_find_port shellcode. This shellcode spawns a shell on an established connection. Initial shellcode overview and testing Inspect payload options and generate shellcode for analysis linux/x86/shell_find_port payload has one option. We will keep CPORT set to default value 40746 Insert generated shellcode into testing C wrapper Shellcode analysis Using libemu sctest gives infinite loop strace output …

Analysis of Metasploit linux/x86/read_file shellcode

This post analyses innards of linux/x86/read_file shellcode. This shellcode reads from the local file system and writes it back out to the specified file descriptor. Initial shellcode overview and testing Inspect payload options and generate shellcode for analysis linux/x86/read_file payload has two options. We will keep FD set to 1 (STDOUT) and set path to /etc/passwd. At first glance the …

Analysis of Metasploit linux/x86/adduser shellcode

This post analyses innards of linux/x86/adduser shellcode. Running this shellcode adds custom user with UID=0 to /etc/passwd. Initial shellcode overview and testing Inspect payload options and generate shellcode for analysis linux/x86/adduser payload has three options. We will generate shellcode with custom user and password Insert generated shellcode into testing C wrapper Running shellcode as sudoer we get new user someusr …

Encoding with PUNPCKLBW instruction

In this blog post I will describe how to encode/decode arbitrary byte sequence with PUNPCKLBW instruction from MMX instruction set. PUNPCKLBW instruction Arcane denotation PUNPCKLBW stands for Pack/Unpack/Lower/Byte/Word. This instruction is used to combine two data elements into one. See following picture PUNPCKLBW unpacks and interleaves the low-order data elements of the destination operand and source operand into the destination …

Creating TCP reverse shell shellcode

This blog post describes manual creating of TCP reverse shellcode on Intel 32-bit architecture and Linux platform. If you have already read previous blog post how to create bind shell you will find this post very easy to follow as the progress is almost the same. We will start with following C code. Difference between bind and reverse shell mechanism …

Creating TCP bind shell shellcode

This blog post describes manual creating of TCP bind shell shellcode on Intel 32-bit architecture and Linux platform. We will start with following C code. At first glance this program lacks any debugging and exception handling amenities but from security perspective we need smaller C code: so that the final shellcode fits into tight memory on the target machine which …