Assignment Goals (SLAE-1530)

• Create a custom encoding scheme.

• PoC with using execve-stack as the shellcode.

Creating our own encoder

Shellcode encoders are useful for two main reasons:

• Minimize the risk of getting cough by detection systems.
• Avoid bad characters from our original shellcode.

An encoder take a shellcode in input and output a different looking shellcode without affecting it functionality.

The main disadvantage with encoding is that your shellcode size will naturally increase.

Assignement Goals (SLAE-1530)

1) Study about the Egg Hunter shellcode.

2) Create a working demo of the Egghunter.

3) Should be configurable for different payloads.

What is an Egg Hunter Shellcode ?

An egg hunter is a very small piece of shellcode designed to find another shellcode in memory (usually a bigger one). To do so, it scans the whole process memory in search of a special pattern. This pattern is called an egg and is preceded from the the second and bigger shellcode. When an egg is found in memory, the egg hunter shellcode will redirect execution flow to the second one.

An egg is composed of 4 bytes (the size of a memory address in x86-32 processors) for example 0x44434241 (ABCD Little Endian). We generally repeat the egg once to avoid "collisions".

Imagine if we choose ABCD as our egg, ABCD is a common string and we could find this pattern at multiple memory location but ABCDABCD less likely.

ABCD is not a good choice anyway since it is too common, even if we repeat it. It is important to choose something you don't often see in programs and memory, for example egg! or 3gg!.

Assignment Goals (SLAE-1530)

1) Create a TCP Reverse Shellcode for Linux x86-32.

2) The port number should be easily configurable.

3) The IP address should be easily configurable.

3) Bonus if getting referenced in exploit-db or shell-storm.

TCP Reverse Shell Principle

In first exercise we learnt how to create our own TCP Bindshell shellcode using few syscalls (socketcall(), dup2() and execve()).

A reverse shell is almost identical to a classic bindshell, this time instead of having a shellcode that listen for new clients, we will create a shellcode that will connect back to a remote server.

Fortunately, on Linux by default, we do not have any restrictions to manage sockets in client mode.

Local version

You can find another variant of this program which doesn't requires Networking function and also compatible with any application like Netcat, Telnet etc... here : (RunAsAttached)[https://www.phrozen.io/paper/infosec-tools/runasattached]

RunAsAttached (Local) version is more stable.

The goal of Networked version was to demonstrate inter-process communication using Socket programming.

RunAsAttached (Networked) - 32bit / 64bit

RunAsAttached is a program to run a console as another user and keep new console attached to caller console. Support reverse shell mode (Ex: Netcat)

RunAs Attached (Local) - 32bit / 64bit

Create a new application process as another Microsoft Windows user and attach its inputs / outputs (stdin, stdout, stderr) to caller console.

The new process is interactivly Attached to caller console.

Usage

RunAsAttached.exe -u  -p  [-d ]

Available on download section

RunAs (Microsoft Windows) - 32bit / 64bit.

This program is an example about how to easily run any programs as any user.

Usage

Mandatory

• -u <username> : Launch program as defined username.
• -p <password> : Password associated to username account.
• -e <program> : Executable path (Ex: notepad.exe).