Introduction to Windows shellcode development – Part 1

Ionut Popescu10 Comments

Shellcode imageThis article contains an overview of shellcode development techniques and their specific aspects. Understanding these concepts allows you to write your own shellcode. Furthermore, you could modify existing exploits that contain already made shellcode to perform custom functionality that you need.

Introduction

Let’s say you have a working exploit in Internet Explorer or Flash Player that opens calc.exe. This isn’t really useful, is it? What you really want is to execute some remote commands or to do other useful functionality.

In this situation you may want to use standard existing shellcode as the ones from Shell Storm database or generated by from Metasploit’s msfvenom tool. However, you must first understand the basic principles of shellcoding so you can use them effectively in your exploits.

For those who are not familiar with this term, as Wikipedia says:

In computer security, a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called “shellcode” because it typically starts a command shell from which the attacker can control the compromised machine, but any piece of code that performs a similar task can be called shellcode… Shellcode is commonly written in machine code.

Continue reading

Defcamp 2015

Mihai Gabriel TanaseLeave a comment

Defcamp 2015At the end of November, between 19 and 20, we will be present at Defcamp 2015 Information Security conference. Adrian Furtuna, Technical Manager at KPMG Romania and Ionut Ambrosie, Security Consultant at KPMG Romania will deliver a hands-on workshop on web security.

 

At DefCamp 2015 you will learn how easy your online data can be stolen, how your privacy is violated and what are the techniques used to break critical systems security

Defcamp history

The Internet is perhaps the greatest invention of the twentieth century and made possible, since 2000, the rise in popularity for smart devices such as smartphones and social networks like Facebook, Twitter or LinkedIn. Besides all the benefits it brings, such as instant communication, faster access to services and access to information, privacy and data security are two issues that should concern more and more users.

Continue reading

OWASP Bucharest EEE

Ionut Popescu1 Comment

OWASP Bucharest EEEOWASP Bucharest is happy to announce the next local event, part of OWASP EEE (Eastern European Event), a one day Security and Hacking Conference. It will take place on 9th of October, 2015 – Bucharest, Romania. The OWASP Bucharest Event’s objective is to raise awareness about application security, to make web applications safe and to educate users, developers, governments, and business leaders on how to protect vulnerable information and avoid dangerous hacks that can have a high cost to fix.

  • The conference is free however, you need to register.
  • The workshop has an entrance fee and limited seats.
  • The event will be in English, with cutting-edge topics presented by renowned security professionals: Bogdan Matache, Daniel Tomescu, Alexander Antukh, Teodor Cimpoesu, Cosmin Anghel, Razvan Deaconescu, Adrian Ifrim, Adrian Furtuna and Ionut Ambrosie.

Continue reading

My first Defcon experience

Ionut Popescu2 Comments

Defcon 23Defcon is a meta-conference which anyone passionate by IT security should attend. It is more than a conference, it is the heaven of hackers and security professionals, a place where definitely you will find something both cool and useful, even if you are interested in web security, reverse engineering, social engineering, hardware, lock-picking, Internet of Things or car-hacking topics.

Las Vegas

If Defcon reputation is not enough to get you at the conference, Las Vegas might be another reason to come here. If you don’t like to sleep, have some free time and some money, you’ll surely enjoy Vegas. Casinos and night-clubs are everywhere.

If you didn’t visit Paris or New York, no problem, here you can find the Tour Eiffel and the Statue of the Liberty. You can also visit a lot things: High Roller Wheel, Bellagio Fountain show and Luxor pyramid hotel are just a few examples.

Continue reading

Pivoting to internal network via non-interactive shell

Adrian Furtuna9 Comments

ninja1During a recent penetration test we have experienced the situation where we’ve gained remote code execution with limited privileges to a web server and had to pivot to other hosts from the internal network.

For this, we had to find a reliable method to forward our traffic from our local machine to the internal host via the compromised server. This blog post describes how we solved this situation – for future reference.

Problem details

Our scenario is best described in the diagram below:

port forwarding via php shell

Achieving our goal was not that straight forward since the compromised server was behind a firewall and only ports 80 and 443 were permitted inbound. Furthermore, we were executing commands as www-data user and our non-interactive shell (PHP passthru) was pretty limited.

shell1

 

Continue reading