
Posts

Showing posts from April, 2019

SLAEx86 : Egg Hunter Shellcode

Egg hunting is a technique for running shellcode when the buffer we control is too small to hold the whole payload. The idea is to place a unique marker string in memory, known as the "TAG" or "EGG", with the real shellcode immediately after it. The egg hunter payload, which is much smaller than the shellcode itself, searches memory for the tag; once it finds it, control jumps to the location just past the tag and the full payload executes in the process. Because the search walks through address space that may not be mapped, every memory access has to be checked for EFAULT, and on a fault the hunter skips to the next page instead of crashing.

Algorithm for implementation

start()
    STEP 1 : store the unique string (the tag) in EBX
    STEP 2 : align() the address to the next page and update EDX
    STEP 3 : increase_address()
    STEP 4 : check_if_efault_occurred_while_accessing_the_memory()
                 if yes:
                     GOTO STEP 2
                 else:
                     STEP 5 : check if the memory location has the TAG value()
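The algorithm above, written out in C as an added example (it is not code from the post, whose hunter is x86 assembly). It keeps the same five steps: the EFAULT probe is done with the access(2) syscall, which makes the kernel dereference the pointer and return EFAULT for an unmapped page without raising SIGSEGV in our process; on a fault the scan jumps to the next page. The tag "w00tw00t", the three-page arena with an unmapped middle page, and the "PAYLOAD" string planted after the tag are constructed for the demo and are assumptions of this example, not values from the post.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define EGG     "w00tw00t"   /* constructed tag: a 4-byte egg written twice */
#define EGG_LEN 8

/* STEP 4: can we touch this byte? access(2) makes the kernel copy the
   "path" from user space first, so an unmapped address fails with EFAULT
   instead of killing us with SIGSEGV. Any other errno (ENOENT,
   ENAMETOOLONG) means the page is mapped and safe to read. */
static int readable(uintptr_t addr) {
    errno = 0;
    if (access((const char *)addr, F_OK) == 0) return 1;
    return errno != EFAULT;
}

/* STEP 2: align to the start of the next page (page size taken from the OS). */
static uintptr_t next_page(uintptr_t addr) {
    uintptr_t pg = (uintptr_t)sysconf(_SC_PAGESIZE);
    return (addr | (pg - 1)) + 1;
}

/* Scan [start, end) for the tag. Returns the address of the first byte
   after the tag (where the real shellcode sits) or 0 if it is not found. */
uintptr_t egg_hunt(uintptr_t start, uintptr_t end) {
    uintptr_t addr = start;
    while (addr + EGG_LEN <= end) {
        /* Probe first and last byte of the candidate: the tag may straddle
           a page boundary, so both halves must be mapped before memcmp. */
        if (!readable(addr)) { addr = next_page(addr); continue; }
        if (!readable(addr + EGG_LEN - 1)) { addr = next_page(addr + EGG_LEN - 1); continue; }
        if (memcmp((const void *)addr, EGG, EGG_LEN) == 0)   /* STEP 5 */
            return addr + EGG_LEN;
        addr++;                                                /* STEP 3 */
    }
    return 0;
}

/* Constructed arena for the demo: three anonymous pages, the middle one
   unmapped again so the hunter has to skip a hole, tag + "PAYLOAD" planted
   at tag_offset in the last page. Returns the base address, 0 on failure. */
uintptr_t build_arena(size_t tag_offset, uintptr_t *end_out) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    if (tag_offset + EGG_LEN + 8 > pg) return 0;
    uint8_t *base = mmap(NULL, 3 * pg, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return 0;
    if (munmap(base + pg, pg) != 0) return 0;
    memcpy(base + 2 * pg + tag_offset, EGG "PAYLOAD", EGG_LEN + 8); /* incl. NUL */
    *end_out = (uintptr_t)base + 3 * pg;
    return (uintptr_t)base;
}

/* Where the hunter should land for the arena above. */
uintptr_t arena_payload_addr(uintptr_t base, size_t tag_offset) {
    return base + 2 * (uintptr_t)sysconf(_SC_PAGESIZE) + tag_offset + EGG_LEN;
}

/* Build the arena, hunt, and verify we landed on the payload. 1 = success. */
int demo_hunt(void) {
    uintptr_t end, base = build_arena(100, &end);
    if (!base) return 0;
    uintptr_t hit = egg_hunt(base, end);
    int ok = hit == arena_payload_addr(base, 100)
             && strcmp((const char *)hit, "PAYLOAD") == 0;
    munmap((void *)base, end - base);   /* the already-unmapped hole is ignored */
    return ok;
}

int main(void) {
    printf("egg hunter demo: %s\n", demo_hunt() ? "payload found" : "FAILED");
    return 0;
}
```

The probe costs one syscall per byte, which is why real hunters are measured in how many bytes they add rather than how fast they run; the page skip after EFAULT is what keeps the scan of a sparse address space tolerable.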

SLAEx86 : Coding a custom Insertion Encoder and Decoder

In this blog post we will implement a custom encoding scheme and a custom decoder for it.

The implementation of the encoder
- Copy some existing shellcode
- XOR each shellcode byte with 0x1
- Append the resulting value twice
- Print the final shellcode
- We need to remember the actual size of the shellcode before encoding, because the decoder needs it

For example, if the shellcode is "\xa1\xb2\xc3\xd4", the encoder will generate "\xa0\xa0\xb3\xb3\xc2\xc2\xd5\xd5".

The implementation of the decoder
- Take the encoded shellcode
- As .text section locations are not writable, reserve some space in the .bss segment for the decoded bytes
- Use a read pointer ESI to read from the encoded shellcode location and a write pointer EDI to write the decoded shellcode
- Read every other position of the encoded shellcode, because each value is repeated
- XOR each byte read with 0x1 and store it at the location pointed to by EDI
- Increase the read pointer by 2
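The encoder and decoder steps above as one runnable C program, added here as an example (the post's encoder is a script and its decoder is x86 assembly; this is neither). It also adds two checks the post does not have: the decoder refuses a buffer whose duplicate pairs disagree, and a bad-character scan flags any input byte 0x01, which this scheme turns into a NUL. The 4-byte sample is the post's own example input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XOR_KEY 0x01

/* Encoder: every byte is XORed with XOR_KEY and written twice, so the
   output is 2*n bytes. n is what the decoder must be told separately. */
size_t insertion_encode(const uint8_t *in, size_t n, uint8_t *out, size_t cap) {
    if (cap < 2 * n) return 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t e = in[i] ^ XOR_KEY;
        out[2 * i] = e;
        out[2 * i + 1] = e;
    }
    return 2 * n;
}

/* Decoder, mirroring the assembly: esi reads every other byte, edi writes
   the XOR-restored byte, esi advances by 2. The pair-equality check is an
   addition of this example; the assembly decoder simply skips the copy. */
size_t insertion_decode(const uint8_t *enc, size_t n, uint8_t *out, size_t cap) {
    if (cap < n) return 0;
    const uint8_t *esi = enc;
    uint8_t *edi = out;
    for (size_t i = 0; i < n; i++, esi += 2) {
        if (esi[0] != esi[1]) return 0;   /* corrupted pair: do not run it */
        *edi++ = esi[0] ^ XOR_KEY;
    }
    return n;
}

/* Bad-character check: 0x01 ^ 0x01 == 0x00, and a NUL in the encoded
   buffer truncates it when delivered via string functions. */
int encodes_with_null(const uint8_t *in, size_t n) {
    for (size_t i = 0; i < n; i++)
        if ((in[i] ^ XOR_KEY) == 0) return 1;
    return 0;
}

/* Render bytes the way the encoder prints them: "\xa0\xa0...". */
size_t format_escaped(const uint8_t *buf, size_t n, char *out, size_t cap) {
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(out + used, cap - used, "\\x%02x", buf[i]);
        if (w < 0 || (size_t)w >= cap - used) return 0;
        used += (size_t)w;
    }
    return used;
}

/* Sample input from the post's example. */
static const uint8_t SAMPLE[] = {0xa1, 0xb2, 0xc3, 0xd4};

/* Encode, print, decode, compare. Returns 1 when the round trip is exact. */
int sample_roundtrip(void) {
    uint8_t enc[2 * sizeof SAMPLE], dec[sizeof SAMPLE];
    char text[64];
    size_t elen = insertion_encode(SAMPLE, sizeof SAMPLE, enc, sizeof enc);
    if (elen != 2 * sizeof SAMPLE) return 0;
    if (!format_escaped(enc, elen, text, sizeof text)) return 0;
    if (strcmp(text, "\\xa0\\xa0\\xb3\\xb3\\xc2\\xc2\\xd5\\xd5") != 0) return 0;
    if (insertion_decode(enc, sizeof SAMPLE, dec, sizeof dec) != sizeof SAMPLE) return 0;
    return memcmp(dec, SAMPLE, sizeof SAMPLE) == 0;
}

/* Flip one byte of the encoded buffer; the decoder must reject it. */
int sample_detects_corruption(void) {
    uint8_t enc[2 * sizeof SAMPLE], dec[sizeof SAMPLE];
    insertion_encode(SAMPLE, sizeof SAMPLE, enc, sizeof enc);
    enc[3] ^= 0x80;
    return insertion_decode(enc, sizeof SAMPLE, dec, sizeof dec) == 0;
}

int main(void) {
    uint8_t enc[2 * sizeof SAMPLE];
    char text[64];
    size_t elen = insertion_encode(SAMPLE, sizeof SAMPLE, enc, sizeof enc);
    format_escaped(enc, elen, text, sizeof text);
    printf("encoded (%zu bytes, decoder needs n=%zu): \"%s\"\n", elen, sizeof SAMPLE, text);
    printf("roundtrip %s, corruption %s\n", sample_roundtrip() ? "ok" : "FAILED",
           sample_detects_corruption() ? "detected" : "MISSED");
    return 0;
}
```

The decoder takes the original length n, not the encoded length 2n; passing the wrong one is the usual mistake when the stub is hand-assembled, so keep the two sizes in named variables.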

SLAEx86 : Analyzing Shellcode

In this blog post I will analyze 3 shellcodes created using msfvenom.

Shellcode 1: linux/x86/adduser shellcode
Command used: msfvenom --platform linux --arch x86 --payload linux/x86/adduser USER=slae PASS=slaeslae -i0 -fc
Static analysis: our first pass is with the ndisasm tool, where we recover the equivalent instructions from the raw hex string.
Dynamic analysis: r2 disassembly. Libemu was not able to do much for this shellcode: it could neither generate equivalent code for the shellcode nor a call graph for it.

Shellcode 2: linux/x86/chmod shellcode
Command used: msfvenom --platform linux --arch x86 --payload linux/x86/chmod FILE=/etc/shadow MODE=0666 -i0 -fc
Static analysis: our first pass is with the ndisasm tool, where we recover the equivalent instructions from the raw hex string.
Dynamic analysis: r2 disassembly. Call graph generated by libemu emulation:
stepcount 12
[emu 0x0x88f3078 debug ] cpu state    eip=0x00

SLAEx86 : Polymorphic Shellcodes

The word polymorphic comes from two words (poly - many, morph - shape). It means the existence of the same thing in multiple forms. Similarly, shellcode with the same functionality can be written in multiple ways, mostly with the motive of obfuscating it and bypassing malware detection. In this post I will take 3 shellcodes from shell-storm and try to create polymorphic versions of them. For each polymorphic shellcode I have used a different technique.

Shellcode 1: Exit Shellcode (http://shell-storm.org/shellcode/files/shellcode-623.php)
Size: 8 bytes
    31 c0    xor eax,eax
    b0 01    mov al,0x1
    31 db    xor ebx,ebx
    cd 80    int 0x80

We can see that at line 3 the code is xor'ing out ebx, so it holds the value 0 at the time the syscall executes. The value in ebx is the status that is returned when the program exits. Generally from the exit value we can determine the type of exit, whether it was a clean exit or some abnormal terminat

SLAEx86 : Coding a custom crypter

A crypter is a tool that obfuscates or encrypts an executable to make it difficult to analyze in a debugger or to make it undetectable by malware analysis software. In this exercise we are supposed to create a custom crypter; I am using the idea of a one-time pad with the XOR operation to achieve it. In XOR, the property is A ^ B = C and C ^ B = A. Note that padding a short passcode with a fixed character does not give a true one-time pad: every byte beyond the passcode is XORed with the same value.

genkey.py
- Add the original shellcode to the script
- Add any random passcode, but keep it shorter than or equal to the length of the shellcode
- A fixed character is appended to the passcode if its length is less than the size of the shellcode; the result is the key
- Copy the shellcode to an array
- Copy the key to an array
- Copy the shellcode to another array, called cipher (we will overwrite this array)
- XOR each element of the shellcode with the corresponding element of the key, and store the result in the cipher array
- Run the program and obtain the xorkey and the encrypted_shellcode

assignment7.c
- Copy the encrypted_shellcode and put it in o
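The genkey.py steps in C, added here as an example (not the post's script or its assignment7.c). It builds the padded key, XORs the shellcode into a cipher buffer, XORs it back, and then shows why the fixed padding matters: with one known plaintext byte in the padded region the whole tail is recovered. The sample is the 8-byte exit shellcode from the polymorphic post, the passcode "slae" and the pad character 'A' are constructed for this demo, and the assumption that the shellcode ends in int 0x80 (0x80) is the attacker's guess in the recovery step.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAD_CHAR 'A'   /* fixed filler appended to a short passcode (assumed value) */

/* genkey step: key = passcode followed by PAD_CHAR up to the shellcode
   length. A passcode longer than the shellcode is rejected. Returns n or 0. */
size_t make_key(const char *pass, size_t n, uint8_t *key, size_t cap) {
    size_t plen = strlen(pass);
    if (plen > n || cap < n) return 0;
    memcpy(key, pass, plen);
    memset(key + plen, PAD_CHAR, n - plen);
    return n;
}

/* A ^ B = C and C ^ B = A: one routine both encrypts and decrypts. */
void xor_bytes(const uint8_t *in, const uint8_t *key, uint8_t *out, size_t n) {
    for (size_t i = 0; i < n; i++) out[i] = in[i] ^ key[i];
}

/* Constructed sample: exit shellcode (xor eax,eax / mov al,1 / xor ebx,ebx /
   int 0x80) and a 4-char passcode, so half of the key is padding. */
static const uint8_t SHELLCODE[] = {0x31, 0xc0, 0xb0, 0x01, 0x31, 0xdb, 0xcd, 0x80};
static const char PASSCODE[] = "slae";

/* Encrypt with the padded key, decrypt with the same key; 1 if identical. */
int sample_roundtrip(void) {
    uint8_t key[sizeof SHELLCODE], cipher[sizeof SHELLCODE], plain[sizeof SHELLCODE];
    if (make_key(PASSCODE, sizeof SHELLCODE, key, sizeof key) != sizeof SHELLCODE) return 0;
    xor_bytes(SHELLCODE, key, cipher, sizeof SHELLCODE);
    xor_bytes(cipher, key, plain, sizeof SHELLCODE);
    return memcmp(plain, SHELLCODE, sizeof SHELLCODE) == 0;
}

/* The i-th byte of the sample's encrypted_shellcode, for inspection. */
uint8_t sample_cipher_byte(size_t i) {
    uint8_t key[sizeof SHELLCODE], cipher[sizeof SHELLCODE];
    make_key(PASSCODE, sizeof SHELLCODE, key, sizeof key);
    xor_bytes(SHELLCODE, key, cipher, sizeof SHELLCODE);
    return i < sizeof SHELLCODE ? cipher[i] : 0;
}

/* Why this is not a one-time pad: every byte past the passcode is XORed
   with the same PAD_CHAR. An analyst who guesses one plaintext byte there
   (the trailing 0x80 of int 0x80) gets the pad and with it the whole tail.
   Returns how many of the padded bytes the guess recovers correctly. */
size_t tail_recovered_from_known_byte(void) {
    uint8_t key[sizeof SHELLCODE], cipher[sizeof SHELLCODE];
    size_t n = sizeof SHELLCODE, plen = strlen(PASSCODE), ok = 0;
    make_key(PASSCODE, n, key, sizeof key);
    xor_bytes(SHELLCODE, key, cipher, n);
    uint8_t pad_guess = cipher[n - 1] ^ 0x80;   /* known-plaintext guess */
    for (size_t i = plen; i < n; i++)
        if ((cipher[i] ^ pad_guess) == SHELLCODE[i]) ok++;
    return ok;
}

int main(void) {
    printf("encrypted_shellcode:");
    for (size_t i = 0; i < sizeof SHELLCODE; i++) printf(" %02x", sample_cipher_byte(i));
    printf("\nroundtrip %s; tail bytes recovered from one known byte: %zu of %zu\n",
           sample_roundtrip() ? "ok" : "FAILED", tail_recovered_from_known_byte(),
           sizeof SHELLCODE - strlen(PASSCODE));
    return 0;
}
```

Generating the passcode at full shellcode length (or deriving a keystream from it) removes the single-byte tail; the XOR step itself can stay exactly as written.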

Exploring Metasploit Hardware Bridge for Hardware and Automotive Penetration Testing

Back in 2017 Metasploit introduced the Hardware Bridge API. I only recently learnt about its existence, so I decided to give it a try. Currently I don't have real automotive hardware in my home lab for these tasks, so I decided to explore with some virtual networks and devices (yeah, life sucks sometimes!). So what is so cool about the Metasploit Hardware Bridge API? Just as Metasploit provides a framework with various tool integrations and management of the exploitation process (enumeration, exploitation, post-exploitation, etc.), the Hardware Bridge API does the same thing for hardware/physical devices. As of now there are a few good open-source tools (cantools, caringcaribou, scapy, etc.) for automotive security testing. However, they lack proper framework support (something that Metasploit provides in software exploitation). Hence I was quite eager to try this feature of Metasploit. In this post I will provide an overview of the features