Assignment Goals (SLAE-1530)
1) Study about the Egg Hunter shellcode.
2) Create a working demo of the Egghunter.
3) Should be configurable for different payloads.
What is an Egg Hunter Shellcode?
An egg hunter is a very small piece of shellcode designed to find another shellcode in memory (usually a bigger one). To do so, it scans the whole process memory in search of a special pattern. This pattern is called an egg and is placed right before the second, bigger shellcode. When the egg is found in memory, the egg hunter shellcode redirects execution flow to the second shellcode.
An egg is composed of 4 bytes (the size of a memory address on x86-32 processors), for example 0x44434241 (ABCD in little endian). We generally repeat the egg once to avoid "collisions". Imagine we choose ABCD as our egg: ABCD is a common string and we could find this pattern at multiple memory locations, but ABCDABCD is much less likely. ABCD is not a good choice anyway since it is too common, even if we repeat it. It is important to choose something you don't often see in programs and memory, for example egg! or 3gg!.
Assignment Goals (SLAE-1530)
1) Create a TCP Reverse Shellcode for Linux x86-32.
2) The port number should be easily configurable.
3) The IP address should be easily configurable.
4) Bonus if getting referenced in exploit-db or shell-storm.
TCP Reverse Shell Principle
In the first exercise we learnt how to create our own TCP bind shell shellcode using a few syscalls (socketcall(), dup2() and execve()).
A reverse shell is almost identical to a classic bind shell; this time, instead of having a shellcode that listens for new clients, we will create a shellcode that connects back to a remote server.
Fortunately, on Linux by default, there are no restrictions on managing sockets in client mode.
Local version
You can find another variant of this program which doesn't require networking functions and is also compatible with any application like Netcat, Telnet etc. here: [RunAsAttached](https://www.phrozen.io/paper/infosec-tools/runasattached)
RunAsAttached (Local) version is more stable.
The goal of the networked version was to demonstrate inter-process communication using socket programming.
RunAsAttached (Networked) - 32bit / 64bit
RunAsAttached is a program to run a console as another user and keep the new console attached to the caller console. Supports reverse shell mode (Ex: Netcat).
RunAs Attached (Local) - 32bit / 64bit
Create a new application process as another Microsoft Windows user and attach its inputs / outputs (stdin, stdout, stderr) to the caller console.
The new process is interactively attached to the caller console.
Usage
RunAsAttached.exe -u -p [-d ]
Available on download section
RunAs (Microsoft Windows) - 32bit / 64bit.
This program is an example of how to easily run any program as any user.
Usage
Mandatory
-u <username> : Launch the program as the defined username.
-p <password> : Password associated with the username account.
-e <program> : Executable path (Ex: notepad.exe).
OSWPs are able to identify existing encryptions and vulnerabilities in 802.11 networks. They can circumvent network security restrictions and recover the encryption keys in use.
An OSCP has demonstrated the ability to use persistence, creativity, and perceptiveness to identify vulnerabilities and execute organized attacks under tight time constraints.