SLAE64 - Crypter
The seventh and final assignment of the SLAE64 exam states:
Create a custom crypto like the one shown in the “crypters” video Free to use any existing encryption schema Can use any programming language Initially I wanted to use the Tiny Encryption Algorithm but decided against it and instead chose the ChaCha20 stream cipher. The reason is that while TEA is an interesting exercise is simplicity, ChaCha20 is much more relevant today.
SLAE64 - Polymorphic shellcode
The sixth assignment of the SLAE64 exam states:
Take up to 3 shellcodes from Shell-Storm and create polymorphic version of them to beat pattern matching The polymorphic versions cannot be larger than 150% of the original shellcode Bonus points for making it shorter in length than original When researching polymorphism one is certain to encounter the Polymorphic Shellcode Engine Using Spectrum Analysis article from Phrack Magazine.
Our polymorphic versions are a lot simpler than what is described in this seminal article.
SLAE64 - Metasploit analysis
The fifth assignment of the SLAE64 exam states:
Take up at least 3 shellcode samples created using Msfvenom (née Msfpayload) for linux/x86_64 Use GDB to dissect the functionality of the shellcode Document your analysis One thing that immediately stands out is the relative lack in diversity when it comes to linux/x64 payloads. In the end I chose the following payloads for my analysis:
linux/x64/shell_bind_tcp_random_port linux/x64/shell_bind_tcp linux/x64/shell_reverse_tcp shell_bind_tcp_random_port The latter two payloads I chose because of how often their used and I wanted to determine what exactly they do precisely because of their popularity.
SLAE64 - Custom Encoder
The fourth assignment of the SLAE64 exam states:
Create a custom encoding scheme like the “insertion encoder” we showed you PoC with using execve-stack as the shellcode to encode with your schema and execute For this assignment I wrote a script which supports two encoders and it can also help to decode shellcode.
I wrote a simple “off-by-one” encoder which increments each byte by 0x1. It’s obviously a pun.
SLAE64 - Egg Hunter
The third assignment of the SLAE64 exam states:
Study about the Egg Hunter shellcode Create a working demo of the Egg Hunter It should be configurable for different payloads I for one had not heard before of the concept of an egg hunter so a little searching around led me to a (the?) paper by skape called Safely Searching Process Virtual Address Space published in 2004.
In a nutshell an egg hunter is a piece of code that searches the virtual address space (VAS) of a process looking for a predefined marker, called an egg.
SLAE64 - Reverse TCP shellcode
The second assignment of the SLAE64 exam states:
Create a Shell_Reverse_TCP shellcode: Reverse connects to configure IP and port Needs a “passcode” If passcode is correct then execute a shell Remove 0x00 from the Reverse TCP shellcode discussed in the course Reverse TCP shellcode This is quite a lot simpler than the previous exercise in that we don’t have to bind to the socket before listening to it and accepting incoming connections.
SLAE64 - Bind TCP shellcode
The first assignment of the SLAE64 exam states:
Create a Shell_Bind_TCP shellcode: Binds to a port Needs a “passcode” If passcode is correct then execute a shell Remove 0x00 from the Bind TCP shellcode discussed in the course Shell Bind TCP shellcode The first assignment is to create a shell bind TCP shellcode which requires a passcode to spawn a shell. What happens when a wrong password is entered isn’t defined so I’ll just exit with a non-zero return code.