Phrozen Timeline - Phrozen
Inno Shellcode Example 21 Jul 2021

InnoSetup Execute Shellcode PoC

This proof of concept demonstrate how to take advantage of InnoSetup Scripting Engine to host local/remote process shellcode payload then execute.

The idea behind this concept is to demonstrate the dangerosity of (self) installers. Not only they can contain malicious programsn, they can also run native code through their scripting engines and evade AV detections because of their natural aspect.

The most difficult part was to understand how to use pointers/refs. Basically from this example, it is possible to create any kind of Malware from scratch (even more complex ones). Feel free to try, if you have any technical questions, feel free to ask for some help.

NASM Shell++ 27 Nov 2020

NASM Shell++ is an enhanced version of the Metasploit Framework NASM Shell.

You can edit instructions, specify bad characters and finally export your final payload in Python, C or CPP

YASE Encoder 27 Nov 2020

YASE (Yet Another Sub Encoder) is a tiny but efficient Sub Encoder to quickly encode your shellcode payloads and thus bypass some common restricted character while exploiting buffer overflows.

This tool will brute force any possible combination to achieve expected result. The advantage of a such approach is to have an output result that always look different.

Postgresql Extension Shellcode Execution 27 Nov 2020

Postgresql offer to developer the possibility to create their own plugins, often called UDF (User Defined Function).

In this paper we will demonstrate how we could take advantage of Postgresql UDF to run malicious code (in this example, shellcode) in a compromised database (Ex: through SQLi).

Notice, we must have sufficient privilege to register a new UDF. This is not always the case.

Assignment N°1 - TCP Bind Shell 14 Oct 2020

Assignment Goals (SLAE-1530)

1) Create a TCP Bindshell Shellcode for Linux x86-32.

2) The port number should be easily configurable.

3) Bonus if getting referenced in exploit-db or shell-storm.

TCP Bindshell Principle

In few words, a TCP Bindshell is a tiny server program that waits for new clients on a specific port.

When a new client connects to the server it will spawn a new shell (Ex: /bin/bash or /bin/sh) and "binds" its file descriptors stdin(0) stdout(1) stderr(2) to the new client socket.

Yes, a socket is nothing more than a file.

One infamous method to easily create a bindshell is to use Netcat as following:

root@local:# mknod /tmp/backpipe p && /bin/sh 0</tmp/backpipe | nc -lvp 443 1>/tmp/backpipe

When you connect to port 443 (with any dumb client program ex: Netcat, Telnet) you will get remote control over shell instance.

user@local:$ nc 443

Assignment N°7 - Crypters (Delphi/ASM) 17 Jun 2020

Assignment Goals (SLAE-1530)

  • Create a custom crypter like the one shown in the "crypters" video

  • Free to use any existing encryption schema

  • Can use any programming language

What is the purpose of a Crypter

A crypter is very close to encoders. It is a tiny application designed to encrypt a payload and decrypt the payload at runtime.

The payload is encrypted and embedded inside a host program often called a stub, when the stub is executed, it will decrypt the encrypted payload and redirect execution flow at decrypted payload address. Sometimes execution flow is not redirected but instead a new thread or a new process is created to host the payload execution.

Conversely to encoders, crypters uses complexes encryptions schema (RC4, AES, Blowfish, Camelia etc...) to keep the payload obfuscated. Each time a stub is generated, the encrypted payload will look completely different, it is a good solution to beat signature based detection systems.

Because of their complexity, crypters are often coded with higher level language such as C/C++, Delphi, .NET etc..

Assignment N°6 - Polymorphism 16 Jun 2020

Assignment Goals ( SLAE-1530)

  • Take up 3 shellcodes from Shell-Storm and create polymorphic versions of them to beat pattern matching.

  • The polymorphic versions cannot be larger 150% of the existing shellcode.

  • Bonus points for making it shorter in length than original.


On Shell-Storm, you will not always find the original assembly code for shellcodes you choose. To solve this issue, we've created a tiny Python script to convert a shellcode from its string form to raw format (stdout). We can easily pipe output result to Ndisasm and recover an assembly code very close to the original version.

Assignment N°5 - Shellcode Analyzing / Dissecting 15 Jun 2020

Assignment Goals (SLAE-1530)

  • Take up at least 3 shellcode samples created using Msfpayload for Linux/x86.

  • Use GDB/Ndisasm/Libemu to dissect the functionality of the shellcode.

  • Present your analysis.

Shellcode Candidates

We will use Msfvenom from Metasploit Framework to generate three different payloads for Linux x86-32.

We can easily enumerate payloads for this architecture and operating system using the following command:

local@user:$ msfvenom -l payloads | grep "linux/x86"

We decided to use the three following payloads:

  1. linux/x86/read_file
  2. linux/x86/chmod
  3. linux/x86/exec
Assignment N°4 - Encoder (NASM) 14 Jun 2020

Assignment Goals (SLAE-1530)

  • Create a custom encoding scheme.

  • PoC with using execve-stack as the shellcode.

Creating our own encoder

Shellcode encoders are useful for two main reasons:

  • Minimize the risk of getting cough by detection systems.
  • Avoid bad characters from our original shellcode.

An encoder take a shellcode in input and output a different looking shellcode without affecting it functionality.

The main disadvantage with encoding is that your shellcode size will naturally increase.

Assignment N°3 - Egg Hunter (C) 13 Jun 2020

Assignement Goals (SLAE-1530)

1) Study about the Egg Hunter shellcode.

2) Create a working demo of the Egghunter.

3) Should be configurable for different payloads.

What is an Egg Hunter Shellcode ?

An egg hunter is a very small piece of shellcode designed to find another shellcode in memory (usually a bigger one). To do so, it scans the whole process memory in search of a special pattern. This pattern is called an egg and is preceded from the the second and bigger shellcode. When an egg is found in memory, the egg hunter shellcode will redirect execution flow to the second one.

An egg is composed of 4 bytes (the size of a memory address in x86-32 processors) for example 0x44434241 (ABCD Little Endian). We generally repeat the egg once to avoid "collisions".

Imagine if we choose ABCD as our egg, ABCD is a common string and we could find this pattern at multiple memory location but ABCDABCD less likely.

ABCD is not a good choice anyway since it is too common, even if we repeat it. It is important to choose something you don't often see in programs and memory, for example egg! or 3gg!.