SLAE64 - Polymorphic shellcode
The sixth assignment of the SLAE64 exam states:
Take up to 3 shellcodes from Shell-Storm and create polymorphic version of them to beat pattern matching The polymorphic versions cannot be larger than 150% of the original shellcode Bonus points for making it shorter in length than original When researching polymorphism one is certain to encounter the Polymorphic Shellcode Engine Using Spectrum Analysis article from Phrack Magazine.
Our polymorphic versions are a lot simpler than what is described in this seminal article.
SLAE64 - Metasploit analysis
The fifth assignment of the SLAE64 exam states:
Take up at least 3 shellcode samples created using Msfvenom (née Msfpayload) for linux/x86_64 Use GDB to dissect the functionality of the shellcode Document your analysis One thing that immediately stands out is the relative lack in diversity when it comes to linux/x64 payloads. In the end I chose the following payloads for my analysis:
linux/x64/shell_bind_tcp_random_port linux/x64/shell_bind_tcp linux/x64/shell_reverse_tcp shell_bind_tcp_random_port The latter two payloads I chose because of how often their used and I wanted to determine what exactly they do precisely because of their popularity.
SLAE64 - Custom Encoder
The fourth assignment of the SLAE64 exam states:
Create a custom encoding scheme like the “insertion encoder” we showed you PoC with using execve-stack as the shellcode to encode with your schema and execute For this assignment I wrote a script which supports two encoders and it can also help to decode shellcode.
I wrote a simple “off-by-one” encoder which increments each byte by 0x1. It’s obviously a pun.
SLAE64 - Egg Hunter
The third assignment of the SLAE64 exam states:
Study about the Egg Hunter shellcode Create a working demo of the Egg Hunter It should be configurable for different payloads I for one had not heard before of the concept of an egg hunter so a little searching around led me to a (the?) paper by skape called Safely Searching Process Virtual Address Space published in 2004.
In a nutshell an egg hunter is a piece of code that searches the virtual address space (VAS) of a process looking for a predefined marker, called an egg.
SLAE64 - Reverse TCP shellcode
The second assignment of the SLAE64 exam states:
Create a Shell_Reverse_TCP shellcode: Reverse connects to configure IP and port Needs a “passcode” If passcode is correct then execute a shell Remove 0x00 from the Reverse TCP shellcode discussed in the course Reverse TCP shellcode This is quite a lot simpler than the previous exercise in that we don’t have to bind to the socket before listening to it and accepting incoming connections.