Shellcode Polymorphism Examples

In this blog post I will transform three Linux Intel x86 shellcodes via polymorphic patterns. 1. Linux/x86 Force Reboot shellcode Link to original shellcode: http://shell-storm.org/shellcode/files/shellcode-831.php Original shellcode with analysis This shellcode executes /sbin/reboot command via execve() system call stack method. Shellcode length is 36 bytes. Mutated shellcode with analysis Mutated shellcode has size of 54 bytes which is 50% more …

Analysis of Metasploit linux/x86/shell_find_port shellcode

This post analyses innards of linux/x86/shell_find_port shellcode. This shellcode spawns a shell on an established connection. Initial shellcode overview and testing Inspect payload options and generate shellcode for analysis linux/x86/shell_find_port payload has one option. We will keep CPORT set to default value 40746 Insert generated shellcode into testing C wrapper Shellcode analysis Using libemu sctest gives infinite loop strace output …

Analysis of Metasploit linux/x86/read_file shellcode

This post analyses innards of linux/x86/read_file shellcode. This shellcode reads from the local file system and writes it back out to the specified file descriptor. Initial shellcode overview and testing Inspect payload options and generate shellcode for analysis linux/x86/read_file payload has two options. We will keep FD set to 1 (STDOUT) and set path to /etc/passwd. At first glance the …

Analysis of Metasploit linux/x86/adduser shellcode

This post analyses innards of linux/x86/adduser shellcode. Running this shellcode adds custom user with UID=0 to /etc/passwd. Initial shellcode overview and testing Inspect payload options and generate shellcode for analysis linux/x86/adduser payload has three options. We will generate shellcode with custom user and password Insert generated shellcode into testing C wrapper Running shellcode as sudoer we get new user someusr …

Encoding with MMX-PUNPCKLBW instruction

In this blog post I will describe how to encode/decode arbitrary byte sequence with PUNPCKLBW instruction from MMX instruction set. PUNPCKLBW instruction Arcane denotation PUNPCKLBW stands for Pack/Unpack/Lower/Byte/Word. This instruction is used to combine two data elements into one. See following picture PUNPCKLBW unpacks and interleaves the low-order data elements of the destination operand and source operand into the destination …

Egg Hunters on Linux

In this blog post I will discuss egg hunters. What are egg hunters, why and how to use them. Before I dive into realm of egg hunters it will be convenient to quickly recap basics of VAS (Virtual Address Space) model for Linux platform. VAS – Virtual Address Space For every running process there is created 4GB virtual memory which …

Creating TCP reverse shell shellcode

This blog post describes manual creating of TCP reverse shellcode on Intel 32-bit architecture and Linux platform. If you have already read previous blog post how to create bind shell you will find this post very easy to follow as the progress is almost the same. We will start with following C code. Difference between bind and reverse shell mechanism …

Creating TCP bind shell shellcode

This blog post describes manual creating of TCP bind shell shellcode on Intel 32-bit architecture and Linux platform. We will start with following C code. At first glance this program lacks any debugging and exception handling amenities but from security perspective we need smaller C code: so that the final shellcode fits into tight memory on the target machine which …

Working Directories and Build locations with Xcode 9 and C++

Introduction This post describes how Xcode manages Project Working Directories and what options do we have to setup it correctly. In the end you learn how to setup custom build locations for you compiled binaries. Definitions: Project Working Directory – is working directory associated with process created by executing built binary Project Directory – is directory with project source code …

Replicating orderbooks from Websocket stream with Python and Asyncio

Introduction We are currently working on time-series database solution for collecting high-frequency crypto-exchanges data – namely for tick data and one-minute orderbook snapshots. We’ve developed REST API collector bots which are continuously fetching data from numerous REST API endpoints and saving them to database. This solution would work in the perfect world but that’s not where we do live. During …