Linux/x86 IDS evasion shellcode

When I was young I learned from Sergio Alvarez (Shadow), maybe the most skilled shellcoder from Argentina, a lot of the weirdest, strangest and most amazing shellcoding techniques. Shadow is simply awesome. This is a PoC shellcode I developed using his technique of self-modifying opcodes for multiple purposes; in this case it is to avoid […]

EternalBlue

[Insert the emotion of seeing the sky from wassab here].. ok, I couldn’t resist exploiting it… yeap!… I’m a bad person with a lot of free time… so: https://gist.github.com/worawit/074a27e90a3686506fc586249934a30e It’s not mine… but it’s such a great exploit. Sorry world.. but being an asshole is in my blood 0=)

Adding a Windows user with a USB Rubber Ducky

A long time ago I audited a company for ISO 27001.. one of the controls talks about blocking USB ports. Well, I cheated to show evidence of the use of a USB memory… I used a USB Rubber Ducky, which is actually a keyboard.. so… it was impossible to stop. .. yes, I suck. DELAY 5000 GUI […]

kittypushen.c

Here you have one of my favorite guys… I developed it around 2 years ago, maybe. The story is that I had a friend named SparkchicK and we traveled to Guadalajara to find her boyfriend, so I hacked a lot of computers in a university to find him. And.. I don’t know why at this […]

Windows 32-bit messagebox shellcode

/* Position-independent x86 shellcode: walks the PEB loader list to find
 * kernel32.dll, resolves FatalAppExitA from its export table and calls it
 * with the string " BrokenByte", which shows a message box. */
char quesadilla_de_queso[] =
    "\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"
    "\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"
    "\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"
    "\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e"
    "\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c"
    "\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74"
    "\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe"
    "\x49\x0b\x31\xc0\x51\x50\xff\xd7";

int main(int argc, char **argv)
{
    /* Cast the byte array to a function pointer and jump into it.
     * The array lives in the writable data section, so with DEP enabled
     * the bytes must first be copied to executable memory (e.g. VirtualAlloc
     * with PAGE_EXECUTE_READWRITE) or the build must disable DEP. */
    int (*f)();
    f = (int (*)())quesadilla_de_queso;
    (int)(*f)();
    return 0;
}

Hello world!

; NASM, 32-bit, cdecl: the caller removes the pushed argument after the call
global _main
extern _printf

section .text
_main:
    push message        ; pointer to the string, printf's only argument
    call _printf
    add esp, 4          ; pop the argument (cdecl)
    ret

message: db 'Hello, World', 10, 0   ; newline and NUL terminator