SLAE64 - Assignment 3

SLAE64 - Assignment 2

The second assignment of the SLAE64 exam requires the creation of a TCP reverse shell in 64-bit assembly. This type of shell is used by attackers to obtain an interactive shell on a compromised host without needing to set up port forwarding or change firewall rules, since the connection is initiated from the victim host to the attacker's machine.

SLAE64 - Assignment 1

The first assignment of the SLAE64 exam is to prepare a TCP bind shell in 64-bit assembly for x86 systems.

Lesson 4.1 - Improving Classic DLL Injection

As the name implies, Classic DLL Injection is one of the simplest techniques for injecting malicious code into remote processes. Due to the way it works, you can't inject into processes with a different bitness; however, in this post I'll explain how to adapt it, with a few tweaks, so that it works every time!

SLAE32 - Assignment 7

We've reached the final obstacle of the SLAE32 exam: the seventh assignment. Students are asked to choose an encryption scheme (in my case the Tiny Encryption Algorithm, TEA) and to implement a decrypter in 32-bit x86 assembly. For the encryption part I've used Nim, as I had wanted to play with it for a long time.

SLAE32 - Assignment 6.3

For the third part of assignment #6 of the SLAE32 exam, I describe the process of creating a polymorphic version of the shellcode "iptables --flush" from shell-storm.org, which flushes all the iptables rules on the system.

SLAE32 - Assignment 6.2

The second part of assignment #6 involves the creation of a polymorphic version of the shellcode "append /etc/passwd & exit()" from shell-storm.org, which, as you can already imagine, appends a new entry to the file /etc/passwd and then exits.

SLAE32 - Assignment 6.1

For the sixth assignment of the SLAE32 exam you have to choose three or more shellcodes and make a polymorphic version of each one. By "polymorphic" I mean mutating the code while retaining the same functionality. There are many different ways to do the same thing; e.g., to clear a general purpose register (such as EAX) you can use XOR, or MOV to place the value 0 into it. The goal is to bypass AV signatures while keeping the original shellcode's functionality intact.

SLAE32 - Assignment 5.4

For this part of the fifth assignment, I'm analyzing the Metasploit shellcode 'linux/x86/shell_reverse_tcp_ipv6', which creates a TCP reverse shell, as described for the second assignment, using the IPv6 protocol.

SLAE32 - Assignment 5.3

We're in for the third part of assignment #5 of the SLAE32 exam. This time I'll be covering the shellcode "linux/x86/shell_find_tag" from the Metasploit framework; it reuses an existing TCP connection to spawn a password-protected shell.
