HC-128 Shellcode Crypter (x64)

In this post I will introduce a custom shellcode crypter based on the HC-128 cipher. Introduction to the HC-128 cipher: The HC-128 algorithm is a software-efficient, synchronous symmetric stream cipher designed by Hongjun Wu. The cipher uses a 128-bit key and a 128-bit initialization vector. I will use the HC-128 library developed in the ECRYPT II project and a simple stack execve shellcode. /bin/sh execve …

Creating password protected TCP reverse shell shellcode (x64)

This blog post describes the manual creation of password-protected TCP reverse shell shellcode on the Intel 64-bit architecture and the Linux platform. If you have already read the previous blog post on how to create a bind shell you will find this post very easy to follow, as the process is almost the same. We will start with the following C code. Difference between bind and reverse …

Creating password protected TCP bind shell shellcode (x64)

This blog post describes the manual creation of password-protected TCP bind shell shellcode on the Intel 64-bit architecture and the Linux platform. We will start with the following C code. Bind shell C code analysis: A call to socket() creates a connection socket (1) and returns a file descriptor (2) which identifies this socket later on. The first argument selects the protocol family which will be used for …

Rabbit Shellcode Crypter

In this post I will introduce a custom shellcode crypter based on the Rabbit cipher. Introduction to the Rabbit cipher: Rabbit is a synchronous symmetric stream cipher using a 128-bit key and a 64-bit initialization vector. It was developed in 2003 by Martin Boesgaard, Mette Vesterager, Thomas Christensen and Erik Zenner. Its source code was released in 2008. This cipher is used mainly in embedded devices, …

Shellcode Polymorphism Examples

In this blog post I will transform three Linux Intel x86 shellcodes via polymorphic patterns. 1. Linux/x86 Force Reboot shellcode. Link to original shellcode: http://shell-storm.org/shellcode/files/shellcode-831.php Original shellcode with analysis: This shellcode executes the /sbin/reboot command via the execve() system call, stack method. The shellcode length is 36 bytes. Mutated shellcode with analysis: The mutated shellcode has a size of 54 bytes, which is 50% more …

Encoding with MMX-PUNPCKLBW instruction

In this blog post I will describe how to encode/decode an arbitrary byte sequence with the PUNPCKLBW instruction from the MMX instruction set. PUNPCKLBW instruction: The arcane denotation PUNPCKLBW stands for Pack/Unpack/Lower/Byte/Word. This instruction is used to combine two data elements into one. See the following picture: PUNPCKLBW unpacks and interleaves the low-order data elements of the destination operand and the source operand into the destination …

Egg Hunters on Linux

In this blog post I will discuss egg hunters: what egg hunters are, and why and how to use them. Before I dive into the realm of egg hunters it will be convenient to quickly recap the basics of the VAS (Virtual Address Space) model for the Linux platform. VAS – Virtual Address Space: For every running process, 4GB of virtual memory is created, which …

Creating TCP reverse shell shellcode

This blog post describes the manual creation of TCP reverse shell shellcode on the Intel 32-bit architecture and the Linux platform. If you have already read the previous blog post on how to create a bind shell you will find this post very easy to follow, as the process is almost the same. We will start with the following C code. Difference between bind and reverse shell mechanism …

Creating TCP bind shell shellcode

This blog post describes the manual creation of TCP bind shell shellcode on the Intel 32-bit architecture and the Linux platform. We will start with the following C code. At first glance this program lacks any debugging and exception-handling amenities, but from a security perspective we need smaller C code, so that the final shellcode fits into tight memory on the target machine which …