A crypter is code that decrypts a previously encrypted payload, in this case a shellcode, and will then execute it. To encrypt it, and not do it as most others have, I chose one of the algorithms that went through the final round of AES: Twofish, by Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson. But to make this one unique, I decided not to request the password to decrypt the payload from the user (usually as the first parameter to the executable in the command line) but, instead, to get it from a DNS request (CNAME record).
[Update 13 Jan 2018] ExploitDB has published the 3 shellcodes written in this blog post. Linux/x86-64 - Execute /bin/sh Shellcode (24 bytes) Linux/x86-64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (96 bytes) Linux/x86-64 - execve("/sbin/iptables", ["/sbin/iptables", "-F"], NULL) Shellcode (43 bytes) Looking at the smallest x64 shellcodes (section Linux / Intel x86-64) in … Continue reading Polymorphic and smaller versions of three shell-storm’s x64 shellcodes, including the smallest execve /bin/sh
I'll develop a python encoder that will XOR the payload, byte by byte, with a randomly generated byte value, and also generate a polymorphic stub in x64 to decode that payload, by brute-forcing all 256 possibilities. Even though bypassing anti-virus systems is not the only purpose of encoders, it certainly is the most exciting one, and hence the detailed focus on this one subject throughout this post.
There isn't much when it comes to egg hunters, and even less when it comes to x64 ones. And the ones out there on exploit-db and shell-storm do leave a lot to be explained, and some... let's just say I can't imagine the authors even bothered to test them, let alone read Skape's paper on Safely Searching … Continue reading x64 Egg hunting in Linux systems
The objective here is to create a reverse TCP bind shell using Assembly x64, which will authenticate the attacker through a password, and have no Null bytes (0x00) in it.
The objective here is to create a tcp_bind_shell using Assembly x64, which will ask for a passcode, and have no null bytes in it.
There are ways to configure Burp using macros to bypass CSRF tokens on HTML forms, so we can use Burp Active Scans, Burp Intruder, Burp Repeater, and (cautiously) even Burp Proxy. There's also Grep-Extract and pitchfork attack type specifically for Intruder. And, you might even develop your Burp Extension to do it. Sqlmap has a --csrf-token and a --csrf-url for the same purpose, or you can just configure Burp as previously stated, and run sqlmap through Burp using --proxy. Now, here's another way, using CGIHTTPServer from python.
Most people would know that the HSTS HTTP Header tells the browser to not even try the HTTP port, but instead to go straight to HTTPS. But not a lot of people would know the other security feature to this header: that it will prevent the browser from giving the user the option to accept an invalid certificate.
I love developing tools that will help me automate any repetitive tasks, or diminish the efforts put forth in complex ones. And I've also been in love with Python since forever, so I decided to address a few topics that are not usually addressed.