SLAE64 #7 - Crypters

Since shellcode is usually very small in size, I have used RSA asymmetric encryption to encrypt the shellcode. Most of the code is boilerplate code so there is not much to talk about. ...

SLAE64 #6 - Polymorphic shellcode

I have taken shellcode #603 and #859 from shell-storm and created polymorphic versions that passed a clamav scan. The original versions of both shellcodes were detected by the clamav scan due to the presence of the /bin/sh string. Breaking up the string caused the modified versions of both shellcodes ...

SLAE64 #5 - MSF shellcode analysis

I will be analysing chunks of the linux/x64/meterpreter/bind_tcp and the linux/x64/shell_bind_tcp shellcodes and seeing how they differ. Although both are TCP bind shellcodes, the primary difference between them is that the meterpreter shellcode is a staged payload while the other is a stageless payload. As ...

SLAE64 #4 - SSE4.2 CRC32C Encoder

I decided to do something special for the custom encoder shellcode. I used the Intel SSE4.2 CRC32C function to encode the shellcode. CRC32 is a hash function, not an encoding function, so in order to make it an encoder, I had to compute the preimage for each possible byte of the final shellcode ...

SLAE64 #3 - Egghunter shellcode

As usual, I will only be touching on interesting or unique points in the shellcode. Line 25/26: To avoid having the egg in memory, I moved 0x5090508f into a register and incremented it to get 0x50905090. Line 27: repne scasd searches the next 4 bytes and increments the address searched ...

SLAE64 #2 - Revshell TCP shellcode

This shellcode is very similar to the Bindshell TCP shellcode, so please refer to it for the unique and interesting points. There is only 1 additional point I would like to make: Line 8/37: Listen on 127.1.1.1 instead of 127.0.0.1. This saves us from having to nullify the 2 bytes in the middle. ...