NetSetMan 4.7.1 Unicode exploit

As part of this course the first assignment is to create a working exploit against NetSetMan 4.7.1 using a buffer overflow vulnerability. If you wish to follow along, the installer can be found on Exploit-DB. Additionally I’m using a Windows XP SP3 (EN) VM, making this a no-ASLR, 32-bit setup.

Fuzzing

Since the assignment doesn’t state where or how to trigger the overflow we have to fuzz it first, and as it doesn’t expose any network ports this reduces the attack surface to either importing profiles or freeform text input.

Compiling win32 assembly on OpenBSD

Recently I’ve finished the Practical Malware Analysis book and I’ve wanted to familiarise myself a bit more with the Win32 API. After spending a good amount of time on setting up Visual Studio C++ for MASM (Microsoft Macro Assembler) I wanted to stab myself in the eye with a rusty fork due to the overload of visual clutter. Alas, running plain MASM on Windows 10 seems to be a no-go these days.

SLAE64 - Crypter

The seventh and final assignment of the SLAE64 exam states:

- Create a custom crypto like the one shown in the “crypters” video
- Free to use any existing encryption schema
- Can use any programming language

Initially I wanted to use the Tiny Encryption Algorithm but decided against it and instead chose the ChaCha20 stream cipher. The reason is that while TEA is an interesting exercise in simplicity, ChaCha20 is much more relevant today.

SLAE64 - Polymorphic shellcode

The sixth assignment of the SLAE64 exam states:

- Take up to 3 shellcodes from Shell-Storm and create polymorphic version of them to beat pattern matching
- The polymorphic versions cannot be larger than 150% of the original shellcode
- Bonus points for making it shorter in length than original

When researching polymorphism one is certain to encounter the Polymorphic Shellcode Engine Using Spectrum Analysis article from Phrack Magazine. Our polymorphic versions are a lot simpler than what is described in this seminal article.

SLAE64 - Metasploit analysis

The fifth assignment of the SLAE64 exam states:

- Take up at least 3 shellcode samples created using Msfvenom (née Msfpayload) for linux/x86_64
- Use GDB to dissect the functionality of the shellcode
- Document your analysis

One thing that immediately stands out is the relative lack of diversity when it comes to linux/x64 payloads. In the end I chose the following payloads for my analysis:

- linux/x64/shell_bind_tcp_random_port
- linux/x64/shell_bind_tcp
- linux/x64/shell_reverse_tcp

shell_bind_tcp_random_port

The latter two payloads I chose because of how often they’re used, and I wanted to determine what exactly they do precisely because of their popularity.

SLAE64 - Custom Encoder

The fourth assignment of the SLAE64 exam states:

- Create a custom encoding scheme like the “insertion encoder” we showed you
- PoC with using execve-stack as the shellcode to encode with your schema and execute

For this assignment I wrote a script which supports two encoders and it can also help to decode shellcode. I wrote a simple “off-by-one” encoder which increments each byte by 0x1. It’s obviously a pun.

SLAE64 - Egg Hunter

The third assignment of the SLAE64 exam states:

- Study about the Egg Hunter shellcode
- Create a working demo of the Egg Hunter
- It should be configurable for different payloads

I for one had not heard of the concept of an egg hunter before, so a little searching around led me to a (the?) paper by skape called Safely Searching Process Virtual Address Space, published in 2004. In a nutshell an egg hunter is a piece of code that searches the virtual address space (VAS) of a process looking for a predefined marker, called an egg.

SLAE64 - Reverse TCP shellcode

The second assignment of the SLAE64 exam states:

- Create a Shell_Reverse_TCP shellcode:
  - Reverse connects to configure IP and port
  - Needs a “passcode”
  - If passcode is correct then execute a shell
- Remove 0x00 from the Reverse TCP shellcode discussed in the course

Reverse TCP shellcode

This is quite a lot simpler than the previous exercise in that we don’t have to bind to the socket before listening to it and accepting incoming connections.

SLAE64 - Bind TCP shellcode

The first assignment of the SLAE64 exam states:

- Create a Shell_Bind_TCP shellcode:
  - Binds to a port
  - Needs a “passcode”
  - If passcode is correct then execute a shell
- Remove 0x00 from the Bind TCP shellcode discussed in the course

Shell Bind TCP shellcode

The first assignment is to create a shell bind TCP shellcode which requires a passcode to spawn a shell. What happens when a wrong password is entered isn’t defined so I’ll just exit with a non-zero return code.

nasm on OpenBSD

Recently I decided to study for the SLAE64 course from Pentester Academy to work on my assembly knowledge, specifically on x86_64. Though the course does focus on Linux, I want to apply the knowledge to OpenBSD/amd64 too, and thus I installed NASM and looked at what I needed to adjust on my Linux samples to get it working on OpenBSD. Turns out, not that much actually! Both operating systems use the same calling convention, namely the System V AMD64 ABI.