This post analyses innards of linux/x86/adduser shellcode. Running this shellcode adds custom user with UID=0 to /etc/passwd. Initial shellcode overview and testing Inspect payload options and generate shellcode for analysis linux/x86/adduser payload has three options. We will generate shellcode with custom user and password Insert generated shellcode into testing C wrapper Running shellcode as sudoer we get new user someusr …
Tag: slae
Encoding with MMX-PUNPCKLBW instruction
In this blog post I will describe how to encode/decode arbitrary byte sequence with PUNPCKLBW instruction from MMX instruction set. PUNPCKLBW instruction Arcane denotation PUNPCKLBW stands for Pack/Unpack/Lower/Byte/Word. This instruction is used to combine two data elements into one. See following picture PUNPCKLBW unpacks and interleaves the low-order data elements of the destination operand and source operand into the destination …
Egg Hunters on Linux
In this blog post I will discuss egg hunters. What are egg hunters, why and how to use them. Before I dive into realm of egg hunters it will be convenient to quickly recap basics of VAS (Virtual Address Space) model for Linux platform. VAS – Virtual Address Space For every running process there is created 4GB virtual memory which …
Creating TCP reverse shell shellcode
This blog post describes manual creating of TCP reverse shellcode on Intel 32-bit architecture and Linux platform. If you have already read previous blog post how to create bind shell you will find this post very easy to follow as the progress is almost the same. We will start with following C code. Difference between bind and reverse shell mechanism …
Creating TCP bind shell shellcode
This blog post describes manual creating of TCP bind shell shellcode on Intel 32-bit architecture and Linux platform. We will start with following C code. At first glance this program lacks any debugging and exception handling amenities but from security perspective we need smaller C code: so that the final shellcode fits into tight memory on the target machine which …