Posts

Showing posts from April, 2018

Egg Hunter Shellcode x86 - SLAE Assignment 0x3

Before we start, I would like to bring your attention to the SLAE course from SecurityTube, which will help you learn shellcoding: http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

AGENDA:
1. Introduction to Egg Hunter
2. Dummy Algo of Egg Hunter
3. Writing Egg Hunter Shellcode
4. Wrapper Script to generate shellcode with custom EGG tag

1. Introduction to Egg Hunters

Egg Hunter: FuzzySecurity says: "The egg hunter is composed of a set of programmatic instructions that are translated to opcode and in that respect it is no different than any other shellcode (this is important because it might also contain bad characters!!). The purpose of an egg hunter is to search the entire memory range (stack/heap/...) for our final stage shellcode and redirect execution flow to it."

After reading a lot of blog posts I found this common paper link, so I thought of going through it. The paper contains very good infor...
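The search loop an egg hunter performs, written here as an added C example against a constructed buffer rather than the real process address space (this is not code from the post or from FuzzySecurity). The egg is a 4-byte tag written twice; "w00t" is an assumed tag, not one the post uses. The hunter compares for the doubled tag so that a single copy (for example the one inside the hunter itself) is not matched, and it returns the offset just past the egg, where the final-stage payload starts. A real hunter also has to probe each page with a syscall before reading it so that unmapped pages do not crash it; that step is omitted here because the sample buffer is fully mapped.

```c
/* Added example: the compare-twice search an egg hunter performs, in C.
 * Not the post's shellcode; the tag "w00t" and the sample buffer are
 * constructed for this demonstration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG 0x74303077u   /* "w00t" as a little-endian dword: bytes 77 30 30 74 */

static uint32_t load_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Scan [mem, mem+len) one byte at a time for TAG immediately followed by TAG.
 * Returns the offset of the first payload byte (just past the 8-byte egg),
 * or -1 if no egg is present. */
long egg_hunt(const unsigned char *mem, size_t len, uint32_t tag) {
    for (size_t off = 0; off + 8 <= len; off++) {
        if (load_le32(mem + off) == tag && load_le32(mem + off + 4) == tag)
            return (long)(off + 8);
    }
    return -1;
}

/* Constructed sample "memory": 16 bytes of junk, a decoy single tag (must be
 * skipped), 8 more junk bytes, then the egg followed by a 3-byte fake payload. */
static const unsigned char SAMPLE[] =
    "AAAAAAAAAAAAAAAA" "w00t" "BBBBBBBB" "w00tw00t" "\x90\x90\xcc";

/* Offset of the payload in SAMPLE: 16 + 4 + 8 + 8 = 36. */
long demo_egg_hunt(void) {
    return egg_hunt(SAMPLE, sizeof(SAMPLE) - 1, TAG);
}

int main(void) {
    long off = demo_egg_hunt();
    if (off < 0) {
        puts("egg not found");
        return 1;
    }
    printf("egg found, payload starts at offset %ld (first byte 0x%02x)\n",
           off, SAMPLE[off]);
    return 0;
}
```

The decoy single "w00t" in the sample is why the hunter compares twice: in a real exploit the hunter's own code contains the tag once (as the immediate it loads into eax), so matching a single occurrence would just find the hunter.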

Reverse TCP Shellcode x86 - SLAE Assignment 0x2

Reverse TCP Shellcode - Linux x86 (null free [assuming the port number is null free] / position independent)

Before we start, I would like to bring your attention to the SLAE course from SecurityTube, which will help you learn shellcoding: http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

AGENDA:
1. Introduction to Reverse Shell
2. Analysis of Reverse Shell
3. Writing Reverse TCP Shellcode
4. Wrapper Script to generate shellcode with custom IP and port

1. Introduction to Reverse Shell

Reverse Shell: With a reverse shell, the target system connects back to your system. Your system has a listener port on which it receives the connection back from the target system.

2. Analysis of Metasploit Reverse Shell through libemu

From the above diagram it is clear that the main syscalls are: socket, dup2, connect and execve.

3. Writing Reverse TCP Shellcode

Let's look for the syscall numbers and a...

Bind TCP Shellcode x86 - SLAE Assignment 0x1

Bind TCP Shellcode - Linux x86 (null free / position independent)

Before we start, I would like to bring your attention to the SLAE course from SecurityTube, which will help you learn shellcoding: http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

AGENDA:
1. Introduction to Bind Shell
2. Analysis of Bind Shell
3. Writing Bind TCP Shellcode

1. Introduction to Bind Shell

Bind Shell: With a bind shell, you open up a communication port or a listener on the target machine. The listener then waits for an incoming connection, you connect to it, the listener accepts the connection and gives you shell access to the target system. I would define a bind shell with reference to the above diagram:

First Step: a bind shell basically opens a port (listener port) on the target machine and waits for incoming requests on that port.
Second Step: an attacker tries to connect using the target IP address and target listener port and gets a shell :)

2. ...
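Both the bind and the reverse TCP posts above carry the "assuming the port number is null free" caveat. The reason is the sockaddr_in that bind()/connect() read: the port goes on the stack in network byte order (a `push word` of 0x5c11 for port 4444) and, for the reverse shell, the IPv4 address goes on as its four raw octets. Any zero byte in either becomes a null in the finished shellcode. The following is an added example, not code from either post: C helpers that encode a port and an address the way the shellcode pushes them and report whether the result is null free. The port encoder, the dotted-quad parser and the NOT-encoding check are this example's own; the `not` trick (push the bitwise complement of the address and invert it in a register before use) is a common workaround for addresses such as 127.0.0.1 and is not something the posts are shown using.

```c
/* Added example: check whether a listener port and IPv4 address, encoded
 * the way the bind/reverse shellcode pushes them, contain null bytes.
 * Helpers are this example's own, not taken from the SLAE posts. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The 2 bytes of the port as they sit in sockaddr_in (network byte order). */
void port_bytes(uint16_t port, unsigned char out[2]) {
    out[0] = (unsigned char)(port >> 8);
    out[1] = (unsigned char)(port & 0xff);
}

/* Parse "a.b.c.d" into four octets. Returns 1 on success, 0 on bad input. */
int ip_bytes(const char *ip, unsigned char out[4]) {
    unsigned a, b, c, d;
    char extra;
    if (sscanf(ip, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    out[0] = (unsigned char)a; out[1] = (unsigned char)b;
    out[2] = (unsigned char)c; out[3] = (unsigned char)d;
    return 1;
}

size_t count_nulls(const unsigned char *p, size_t n) {
    size_t nulls = 0;
    for (size_t i = 0; i < n; i++) if (p[i] == 0) nulls++;
    return nulls;
}

/* 1 if the port, as pushed, has no zero byte; 0 otherwise. */
int port_null_free(uint16_t port) {
    unsigned char b[2];
    port_bytes(port, b);
    return count_nulls(b, 2) == 0;
}

/* 1 if the address, pushed as raw octets, has no zero byte; 0 if it has one;
 * -1 if the string is not a valid dotted quad. */
int ip_null_free(const char *ip) {
    unsigned char b[4];
    if (!ip_bytes(ip, b)) return -1;
    return count_nulls(b, 4) == 0;
}

/* Same check for the `not` workaround: the shellcode pushes ~addr and runs
 * `not` on the register before use. A zero octet becomes 0xff, but a 0xff
 * octet becomes 0x00, so the check is still needed after encoding. */
int ip_not_null_free(const char *ip) {
    unsigned char b[4];
    if (!ip_bytes(ip, b)) return -1;
    for (int i = 0; i < 4; i++) b[i] = (unsigned char)~b[i];
    return count_nulls(b, 4) == 0;
}

int main(void) {
    const char *ips[] = { "192.168.1.10", "127.0.0.1", "10.255.0.1" };
    uint16_t ports[] = { 4444, 80, 256 };
    for (int i = 0; i < 3; i++)
        printf("port %5u: %s\n", ports[i],
               port_null_free(ports[i]) ? "null free" : "contains null");
    for (int i = 0; i < 3; i++)
        printf("ip %-13s raw: %s  not-encoded: %s\n", ips[i],
               ip_null_free(ips[i]) == 1 ? "null free" : "contains null",
               ip_not_null_free(ips[i]) == 1 ? "null free" : "contains null");
    return 0;
}
```

Port 4444 encodes as 11 5c and is fine; 80 (00 50) and 256 (01 00) each carry a null, which is exactly the case the posts' "assuming port number is null free" caveat leaves to the reader. For a wrapper script that takes a custom IP and port, running this check before emitting the shellcode is the practical step.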

Exit Shellcode x86

Exit in Assembly: to write an exit assembly program we need to check the exit syscall reference number. I use this online man page: https://syscalls.kernelgrok.com/

From the above we can conclude that for the exit system call we need 2 registers:
[x] EAX => should contain the exit syscall number (0x01)
[x] EBX => should contain the exit status (0 for a normal exit)

A good shellcode:
[x] should be null free
[x] should be small in length
[x] should be position independent

Below is my code:

I wrote a small script to compile and assemble the nasm program and extract the shellcode from it, then save the shellcode into a C file and compile the new C program. Here is my script:

Tweaked some instructions :p

Next you can debug and check the execution in gdb by setting breakpoints and stepping through the instructions one by one. Below is my gdb console just before the interrupt (int 0x80), showing the values of eax and ebx as expected :)
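The two checks the post's wrapper script implies (is the shellcode null free, and what does it look like as a C string to paste into the test program) written out as an added C example; this is not the post's script or its assembly, which are only shown as screenshots. Two constructed exit shellcodes are included so the null check has something to catch: a naive one using 32-bit immediates (`mov ebx,0; mov eax,1; int 0x80`), which is full of zero bytes, and the null-free form (`xor ebx,ebx; xor eax,eax; mov al,1; int 0x80`) that the post's "tweaked some instructions" refers to in spirit. The byte encodings are the standard i386 ones; the helper names are this example's own.

```c
/* Added example: bad-character scan and C-literal output for shellcode bytes.
 * Not the post's script. Both exit shellcodes below are constructed here from
 * standard i386 encodings, not copied from the post's screenshots. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* mov ebx,0 ; mov eax,1 ; int 0x80  -- 32-bit immediates carry nulls */
static const unsigned char NAIVE_EXIT[] = {
    0xbb, 0x00, 0x00, 0x00, 0x00,   /* mov ebx, 0 */
    0xb8, 0x01, 0x00, 0x00, 0x00,   /* mov eax, 1 */
    0xcd, 0x80                      /* int 0x80   */
};

/* xor ebx,ebx ; xor eax,eax ; mov al,1 ; int 0x80  -- same effect, no nulls */
static const unsigned char NULLFREE_EXIT[] = {
    0x31, 0xdb,                     /* xor ebx, ebx */
    0x31, 0xc0,                     /* xor eax, eax */
    0xb0, 0x01,                     /* mov al, 1    */
    0xcd, 0x80                      /* int 0x80     */
};

/* Count the bytes of sc that appear in the bad-character set. */
size_t count_badchars(const unsigned char *sc, size_t n,
                      const unsigned char *bad, size_t nbad) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < nbad; j++)
            if (sc[i] == bad[j]) { hits++; break; }
    return hits;
}

/* Write "\xNN\xNN..." (quotes included) into out. Returns the number of
 * characters written, or -1 if out cannot hold 4*n + 2 quotes + NUL. */
int to_c_literal(const unsigned char *sc, size_t n, char *out, size_t cap) {
    if (cap < 4 * n + 3) return -1;
    char *p = out;
    *p++ = '"';
    for (size_t i = 0; i < n; i++) {
        sprintf(p, "\\x%02x", sc[i]);
        p += 4;
    }
    *p++ = '"';
    *p = '\0';
    return (int)(p - out);
}

static void report(const char *name, const unsigned char *sc, size_t n) {
    static const unsigned char bad[] = { 0x00 };
    char lit[128];
    to_c_literal(sc, n, lit, sizeof lit);
    printf("%s (%zu bytes, %zu null bytes): %s\n", name, n,
           count_badchars(sc, n, bad, sizeof bad), lit);
}

int main(void) {
    report("naive exit    ", NAIVE_EXIT, sizeof NAIVE_EXIT);
    report("null-free exit", NULLFREE_EXIT, sizeof NULLFREE_EXIT);
    return 0;
}
```

The bad set is a parameter rather than hard-coded to null because the same scan is needed for other characters a particular target strips (0x0a and 0x0d are the usual next two); the literal writer's size check matters when this is dropped into a wrapper that takes arbitrary-length shellcode.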