Pentester's life – Try harder… and then go a little deeper.

New blog… but now on Medium

June 16, 2020 — 0 Comments

tools development, web application

JSgen.py – bind and reverse shell JS code generator for SSJI in Node.js with filter bypass encodings

June 28, 2018 — 7 Comments

web application

Pentesting considerations and analysis on the possibility of full pentest automation

May 4, 2018 — 0 Comments

malware, tools development

Twofish Crypter with DNS (CName) password retrieval, x64 shellcode decryption, and execution

February 2, 2018 — 2 Comments

Polymorphic and smaller versions of three shell-storm’s x64 shellcodes, including the smallest execve /bin/sh

January 13, 2018 — 2 Comments

Custom x64 encoder with a basic polymorphic engine implementation

December 18, 2017 — 14 Comments

malware, tools development

x64 Egg hunting in Linux systems

November 24, 2017 — 7 Comments

malware, tools development

x86_64 reverse TCP bind shell with basic authentication on Linux systems

November 13, 2017 — 6 Comments

malware, tools development

x86_64 TCP bind shellcode with basic authentication on Linux systems

November 1, 2017 — 10 Comments

tools development, web application

Bypassing CSRF tokens with Python’s CGIHTTPServer to exploit SQLi

October 9, 2017 — 0 Comments

New blog… but now on Medium

I’m moving to Medium (0x4ndr3) and days ago I wrote a new blog there, which will be the place I’ll be writing from now on.

JSgen.py – bind and reverse shell JS code generator for SSJI in Node.js with filter bypass encodings

I wrote a Python script (JSgen.py) to generate javascript code to be injected in case you find a Server Side Javascript Injection (SSJI). It supports both bind and reverse shells, and also two well known encodings – hex and base64 – as well as a third one – caesar’s cipher – to help in bypassing weak filters.

Pentesting considerations and analysis on the possibility of full pentest automation

So, when we speak of automation in this scenario, it’s important to distinguish between three desirable features that ought to be guaranteed in the process:
Accurately rating the findings; Not causing collateral damage; and Detection.
So let’s take a look at each.

Twofish Crypter with DNS (CName) password retrieval, x64 shellcode decryption, and execution

A crypter is code that decrypts a previously encrypted payload, in this case a shellcode, and will then execute it. To encrypt it, and not do it as most others have, I chose one of the algorithms that went through the final round of AES: Twofish, by Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson. But to make this one unique, I decided not to request the password to decrypt the payload from the user (usually as the first parameter to the executable in the command line) but, instead, to get it from a DNS request (CNAME record).

Polymorphic and smaller versions of three shell-storm’s x64 shellcodes, including the smallest execve /bin/sh

[Update 13 Jan 2018] ExploitDB has published the 3 shellcodes written in this blog post. Linux/x86-64 – Execute /bin/sh Shellcode (24 bytes) Linux/x86-64 – Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (96 bytes) Linux/x86-64 – execve(“/sbin/iptables”, [“/sbin/iptables”, “-F”], NULL) Shellcode (43 bytes) Looking at the smallest x64 shellcodes (section Linux / Intel x86-64) in […]