I have taken shellcode #603 and #859 from shell-storm and created polymorphic version that passed clamav scan. The original version of both shellcodes were detected by clamav scan due to the presence of the /bin/sh string. Breaking up the string caused the modified versions of both shellcodes ...

I would be analysing chunks of the linux/x64/meterpreter/bind_tcp and the linux/x64/shell_bind_tcp and see how they differ. Although both are TCP bind shellcode, the primary difference among them is that the meterpreter shellcode is a staged payload while the other is a stageless payload. As ...

I decided to do something special for the custom encoder shellcode. I used the Intel SSE4.2 CRC32C function to encode the shellcode. CRC32 is a hash function, not an encoding function, so in order to make it an encoder, I had to compute the preimage for each possible byte of the final shellcode ...

As usual, I will only be touching on interesting or unique points in the shellcode. Line 25/26: To avoid having the egg in memory, I moved 0x5090508f into a register and incremented it to get 0x50905090 Line 27: repne scasd searches the next 4 bytes and increments the address searched ...

This shellcode is very similar to the Bindshell TCP shellcode, so please refer to it for the unique and interesting points. There is only 1 additional point I would like to make: Line 8/37: Listen on 127.1.1.1 instead of 127.0.0.1. This saves us from having to nullify the 2 bytes in the middle. ...

There are many SLAE64 blogposts each explaining their variant of shellcode out there. I thought I would join in the fun. This is my version of the Bindshell TCP shellcode. I'll keep it brief and only list down the interesting or unique points in my shellcode. Line 9: To reduce size, I only ...

When filesystems are mounted on a directory, existing files in that directory are hidden and will not be accessible until the mount point is removed. This is a relatively decent way to thwart or slow down online analysis of a system. A recursive listing of files will not reveal these hidden ...

I recently acquired a cheap used Mikrotik RB250GS to play with port mirroring and VLAN tagging. The switch came with the original SwOS firmware which was buggy to the extent that firmware upgrade over the web interface itself was failing. The other method to update the firmware is through ...