Simple shellcode obfuscation
1. Introduction
This article walks you through the steps needed to develop shellcode obfuscation techniques and their respective deobfuscation assembly stubs. It should help you learn a bit more about IDS and anti-virus evasion techniques and, more than that, give you a useful template for building more advanced obfuscation schemes.
Don’t be confused: we are not talking about shellcode “encoders”, since we neither modify the opcodes nor remove any bad characters. We will just hide the shellcode and, hopefully, break common shellcode signatures. This means that your initial shellcode must already be NULL-free and clear of any other bad characters.
While obfuscating (or encoding) a shellcode with your own method will not help you bypass every anti-virus product (sandbox-based AV in particular), it is a useful step towards that goal (that discussion is out of scope for now).
There are 3 main parts in this development:
- Obfuscate the shellcode with a Perl script (or any other language). The result is printed as a shellcode in C syntax.
- Write the assembly stub that restores the shellcode to its initial state and then jumps to it.
- Tune the stub to make it reusable and put everything together.
cD00r Knocking backdoor (improved)
1. Introduction
Standard backdoors and remote access services have one major drawback: the ports they listen on are visible on the system console as well as from the outside (through port scanning).
One of my favorite backdoors is called cd00r (from phenoelit.de). This backdoor does not listen on any port until you send a sequence of TCP SYN packets to a defined list of ports, in the correct order. Once the correct sequence of SYN packets is received by the compromised host, a shell spawns on a (hard-coded) TCP port and waits for you. Brilliant!
In order to use this backdoor successfully, you need at least one TCP port that is unused and not filtered by a firewall, so that the shell can listen on the network. That port must appear as “closed” in a port scan.
I’ve decided to improve the backdoor a bit for my own usage. Because I’m a nice guy, I chose to share it with you.
- First, we remove the hard-coded listening port and let you choose the port dynamically. How? Simply by providing the listening port at the end of the knocking port list. So basically, you send your defined list of SYN packets to the victim, and then send the port number you’d like to use for the remote shell.
- Secondly, we rewrote the shell part of the code to use a pseudo-terminal (PTY), which lets it work on more recent Linux distributions.
1. Introduction
Burp Suite is a local proxy (a man-in-the-middle application) that helps a penetration tester perform deep analysis and security checks of the HTTP conversation between a browser and a web application. Burp Suite ships with many useful plug-ins, such as Spider, Repeater, Scanner, Decoder, … for this job.
The module we focus on is called Intruder. With this plug-in, you can run customised attacks against a web application by sending multiple payload types at multiple positions inside the headers/body of an HTTP request, and quickly check the information returned in the responses.
This article provides some interesting SQL payloads that you can use with the Intruder module of Burp Suite.
Warning: Don’t use this tutorial against web applications if you are not the owner or do not have the authorization of the responsible party.
2. SQL Injection detection
As you know, detecting an SQL injection issue “manually” can be easy. That is not always true for an “automatic” vulnerability scanner. That’s why we would like to give a second chance to detect such vulnerabilities with the smart “customized attacks” of Burp Suite.
In order to find SQL injection issues behind specific parameters of a page, we simply use the usual time-based SQL statements, such as “waitfor delay” (for MS-SQL) and “benchmark()” (for MySQL), and sort the HTTP responses by “Response Time Completed”. This way, we can quickly spot the interesting responses in the list: a parameter that is injectable makes the server delay its response by the requested amount of time.
Manage your evil code with DNS
1. Introduction
This post provides an easy way to manage your software (evil or not) remotely, using a simple DNS polling function.
Imagine that you have a small piece of code acting as an ethical Trojan, running on an (infected) computer connected behind several firewalls and NAT devices, and that this computer is able to make DNS queries for Internet host-names (such as www.google.com). Why not use this ability to control your Trojan simply by switching the IP address of an Internet host-name?
Example: have your Trojan check the IP address of ctrl.mydomain.com on a regular basis (why not use a dynamic DNS hostname?). Based on the returned IP address, run a subroutine of the Trojan.
- If IP = 127.0.0.1, keep sleeping
- If IP = 127.0.1.1, start something
- If IP = 127.0.1.2, stop the thing
- If IP = 127.0.2.1, start another thing
- If IP = 127.0.2.2, stop the other thing
- If IP = 127.0.9.10, change the DNS polling frequency to 10 minutes
- If IP = 127.0.9.30, change the DNS polling frequency to 30 minutes
- If IP = 127.0.9.120, change the DNS polling frequency to 120 minutes
- …
Create your own Trojan binder
1. Introduction
Sometimes you would like to merge your own piece of code (Trojan, joke, …) with a legitimate executable file, under Windows or Linux. Unfortunately, the binder tools you download from the Internet are detected by anti-virus software. Worse, they are viruses themselves. Actually, binding two files is not an exploit. With a bit of C/C++ you can easily create your own binder.
This post explains how to create a valid executable file that actually contains two executable files. We will not write a full binder from scratch, but only give you the basic idea needed to do it yourself.
1.1. Requirements
- We assume you know how to develop and compile C programs under Linux or Windows.
- The hexdump utility.
DHCP Denial of Service with scapy
1. Introduction
This is a small post explaining how to run a starvation attack against a DHCP server with only three lines of code (thanks to Scapy!).
Information & download regarding Scapy:
Information about the DHCP starvation attack: