SLAE64: Assignment 6 – Polymorphic shellcodes

For assignment 6 of the SecurityTube Linux Assembly Expert certification the idea is to create polymorphic versions of existing shellcodes, specifically taken from shell-storm.org.

A polymorphic version of a shellcode is just the same functionality written with different instructions, registers and including nop instructions to break patterns and prevent detection.

For this assignment I chose the following shellcodes to work with:

  1. Linux/x86-64 – Read /etc/passwd – 82 bytes
  2. Linux/x86-64 – Add map in /etc/hosts file – 110 bytes
  3. Linux/x86-64 – setuid(0) + execve(/bin/sh) – 49 bytes

Continue reading SLAE64: Assignment 6 – Polymorphic shellcodes

SLAE64: Assignment 5 – Metasploit payloads analysis #3

This is the last payload that I’ve debugged so far for the 5th assignment on SecurityTube Linux Assembly Expert certification.

This time I opted by looking at the payload linux/x64/exec with the option to run ‘/bin/sh’.

Continue reading SLAE64: Assignment 5 – Metasploit payloads analysis #3

SLAE64: Assignment 5 – Metasploit payloads analysis #1

For the 5th assignment of the SecurityTube Linux Assembly Expert certification, I needed to analyze some metasploit payloads for Linux x64.

I started by looking at the linux/x64/shell_reverse_tcp.

Continue reading SLAE64: Assignment 5 – Metasploit payloads analysis #1

SLAE64: Assignment 4 – Custom Encoder

This is assignment #4 for the SecurityTube Linux Assembly Expert certification. It consists in the implementation of a custom encoder.

Encoding is a common strategy for obfuscating a shellcode payload as to avoid signature and pattern detection.

Continue reading SLAE64: Assignment 4 – Custom Encoder

SLAE64: Assignment 3 – Egg Hunter

This is the third assignment for the SecurityTube Linux Assembly Expert certification, it consists in the demonstration of my own implementation of an Egg Hunter that works with different payloads.

An Egg Hunter is a piece of code that will search for specific pattern, called the ‘egg’, in memory in order to find it’s address which usually prepends another injected payload containing the actual shellcode.

Continue reading SLAE64: Assignment 3 – Egg Hunter

SLAE64: Assignment 2 – Reverse TCP Shell

This is the second assignment for the SecurityTube Linux Assembly Expert certification, it consists in the creation of a password protected reverse shell.

A reverse shell is similar to a bind shell but instead of waiting passively for remote connections, it actively connects to a specified IP address and redirects STDIN, STDOUT and STDERR to that socket.

Continue reading SLAE64: Assignment 2 – Reverse TCP Shell

SLAE64: Assignment 1 – Bind TCP Shell with password

I’ve been taking the SecurityTube Linux Assembly Expert certification, this is the first assignment, the creation, in assembly, of a password protected bind shell.

A bind shell is essentially an open port on a machine that has STDIN, STDOUT and STDERR redirected to an inbound socket. It gets the name from the bind() system call which is a necessary step for listening on a port.

Continue reading SLAE64: Assignment 1 – Bind TCP Shell with password