HC-128 Shellcode Crypter (x64)

In this post I will introduce a custom shellcode crypter based on the HC-128 cipher. Introduction to HC-128 cipher: The HC-128 algorithm is a software-efficient, synchronous symmetric stream cipher designed by Hongjun Wu. The cipher uses a 128-bit key and a 128-bit initialization vector. I will use the HC-128 library developed in the ECRYPT II project and a simple stack-based execve shellcode. /bin/sh execve …

Shellcode Polymorphism Examples (x64)

This blog post shows the polymorphic transformation of three Linux Intel x64 shellcodes. 1. Dynamic null-free reverse TCP shell. Link to original shellcode: http://shell-storm.org/shellcode/files/shellcode-907.php Original shellcode with analysis: push byte 41 pop rax ; syscall number 41, int socket(int domain, int type, int protocol) cdq ; zeroing RDX via sign extension push byte 2 pop rdi ; RDI = 2, int …

Analysis of Metasploit linux/x64/exec shellcode

linux/x64/exec utilizes the -c flag of the system command interpreter (i.e. dash on Ubuntu systems) and executes the given command in a non-login, non-interactive session. Importantly, the given command is executed as a string operand instead of being read from stdin. Consider the following shell command: $ sudo echo "foo" >> /etc/passwd bash: /etc/passwd: Permission denied The above redirection will not work because sudo is …

Encoding with SSE2-PADDQ instruction (x64)

This blog post introduces the PADDQ instruction from the Intel SIMD SSE2 extension and how it can be used to encode and decode a shellcode. The developed encoder creates polymorphic shellcode; however, the decoder assembly stub remains static. PADDQ instruction: The PADDQ instruction simply adds the 2 packed qwords in the first operand to the corresponding 2 packed qwords in the second operand. First …

Creating password protected TCP reverse shell shellcode (x64)

This blog post describes manually creating a password-protected TCP reverse shell shellcode on the Intel 64-bit architecture and Linux platform. If you have already read the previous blog post on how to create a bind shell, you will find this post very easy to follow, as the process is almost the same. We will start with the following C code. Difference between bind and reverse …

Creating password protected TCP bind shell shellcode (x64)

This blog post describes manually creating a password-protected TCP bind shell shellcode on the Intel 64-bit architecture and Linux platform. We will start with the following C code. Bind shell C code analysis: The call to socket() creates a connection socket(1) and returns a file descriptor(2) which identifies this socket later on. The first argument selects the protocol family which will be used for …

Rabbit Shellcode Crypter

In this post I will introduce a custom shellcode crypter based on the Rabbit cipher. Introduction to Rabbit cipher: Rabbit is a synchronous symmetric stream cipher using a 128-bit key and a 64-bit initialization vector. It was developed in 2003 by Martin Boesgaard, Mette Vesterager, Thomas Christensen and Erik Zenner. The source code was released in 2008. This cipher is used mainly in embedded devices, …

Shellcode Polymorphism Examples

In this blog post I will transform three Linux Intel x86 shellcodes via polymorphic patterns. 1. Linux/x86 Force Reboot shellcode. Link to original shellcode: http://shell-storm.org/shellcode/files/shellcode-831.php Original shellcode with analysis: This shellcode executes the /sbin/reboot command via the execve() system call using the stack method. The shellcode length is 36 bytes. Mutated shellcode with analysis: The mutated shellcode has a size of 54 bytes, which is 50% more …

Analysis of Metasploit linux/x86/shell_find_port shellcode

This post analyses the innards of the linux/x86/shell_find_port shellcode. This shellcode spawns a shell on an established connection. Initial shellcode overview and testing: Inspect payload options and generate shellcode for analysis. The linux/x86/shell_find_port payload has one option. We will keep CPORT set to the default value 40746. Insert the generated shellcode into the testing C wrapper. Shellcode analysis: Using libemu sctest gives an infinite loop. strace output …

Analysis of Metasploit linux/x86/read_file shellcode

This post analyses the innards of the linux/x86/read_file shellcode. This shellcode reads a file from the local file system and writes it back out to the specified file descriptor. Initial shellcode overview and testing: Inspect payload options and generate shellcode for analysis. The linux/x86/read_file payload has two options. We will keep FD set to 1 (STDOUT) and set the path to /etc/passwd. At first glance the …