Beginners Guide to 0day/CVE AppSec Research
Boku / Bobby Cooke
LinkedIn • Twitter • GitHub • Exploit-DB • PacketStormSecurity
OSCE|OSWE|WPTX|CRTP|OSCP|SLAE
Red Team
Cobalt Strike
- Defining the Cobalt Strike Reflective Loader
- Creating the “Where Am I” Cobalt Strike BOF
- BokuLoader
- Ninja_UUID_Runner
Azure Cloud
macOS Shellcoding
- macOS/x64 - Execve Caesar Cipher String Null-Free Shellcode (286 Bytes) - exploit-db
- macOS/x64 - Execve Null-Free Shellcode (253 Bytes) - exploit-db
- macOS/x64 zsh RickRolling Shellcode - PacketStormSecurity
Windows Shellcoding
- Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes)
- Windows/x64 - Dynamic NoNull Add RDP Admin (BOKU:SP3C1ALM0V3) Shellcode (387 Bytes) - exploit-db
- Windows/x64 - WinExec Add-Admin (ROOT/I@mR00T$) Dynamic Null-Free Shellcode (210 Bytes)
- Windows/x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes)
- Windows\x86 - Null-Free WinExec Calc.exe Shellcode (195 bytes)
- Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes)
Published
- Libre Health EHR - Remote Code Execution 0-day (Exploit-DB)
- CVE-2020-14972
- CVE-2020-14973
- CVE-2017-1000475 (PoC)
- Exploit Proof of Concepts
- Online Course Registration 1.0 Remote Code Execution (Exploit-DB)
Web Application Pentesting
- Beginners Guide to 0day/CVE AppSec Research
- PHP - File Upload Bypass
- Cross-Site Scripting (XSS) Payloads
Linux/x64 Shellcoding
- Linux/x64 - Password (P3WP3Wl4ZerZ) + Bind (0.0.0.0:4444/TCP) Shell (/bin/bash) + Null-free Shellcode (272 Bytes) - Exploit-DB
- Linux/x64 Password-Protected Bind Shell
- Linux/x64 No-Null Bind Shell
- Linux/x64 Password-Protected Reverse Shell
- Linux/x64 No-Null Reverse Shell
- Linux/x64 EggHunter
- Linux/x64 Rotate Left Encoder
- Linux/x64 MSF Venom Execve Analysis
- Linux/x64 MSF Venom Reverse Shell Analysis
- Linux/x64 MSF Venom Bind Shell Analysis
- Linux/x64 Polymorphic Execve Shellcode
- Linux/x64 Polymorphic SetUID(root) & Add Root User Shellcode
- Linux/x64 Polymorphic Copy
/etc/passwdto/tmp/ - Linux/x64 Cryptor & Decryptor Shellcode
Windows Shellcoding
- Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes)
- Windows/x64 - WinExec Add-Admin (ROOT/I@mR00T$) Dynamic Null-Free Shellcode (210 Bytes)
- Windows/x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes)
- Windows\x86 - Null-Free WinExec Calc.exe Shellcode (195 bytes)
- Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes)
- Enviornment Setup (old)
- WinExec(calc.exe) Shellcode (old)
- Find kernel32.dll within a host process (old)
- Find GetProcAddress() within kernel32.dll (old)
Linux/x86 Shellcoding
- Linux/x86 - Bind Shell Generator Shellcode (114 bytes)
- 1 - TCP Bind-Shell Shellcode
- 2 - Reverse-Shell Shellcode
- 3 - Egghunter Shellcode
- 4 - Rotation Encoder
- 5.1 - Analysis - msfvenom linux/x86/exec
- 5.2 - Analysis - msfvenom linux/x86/chmod
- 5.3 - Analysis - msfvenom linux/x86/adduser
- 6.1 - Polymorphic MMX TCP Bind-Shell Shellcode
- 6.2 - Polymorphic Deactivate ASLR Shellcode
- 6.3 - Polymorphic Add Root-User Shellcode
- 7 - Add-Rotate Shellcode Cryptor
Recent Posts
WebApp PHP - File Upload Bypass
Overview Techniques gathered to bypass PHP file upload filters.
Win32 Find GetProcAddress
Overview
Win32 Dynamic Shellcode
Enviornment Setup See this post to setup your windows xp enviornment
Win32 Shellcoding
Enviornment Setup See this post to setup your windows xp enviornment
Win32 Shellcoding Enviornment Setup
Enviornment Setup
SLAE32 Assignment 7 - Add-Rotate Cryptor
Overview For the seventh assignment of the SLAE32 course we were required to create a custom cryptor and decryptor.
SLAE32 Assignment 6.3 - Polymorphic Add User /etc/passwd
Overview This shellcode is a polymorphic version of zillions w000t-shell.c shellcode. The original shellcode can be found at: http://shell-storm.org/shel...
SLAE32 Assignment 6.2 - Polymorphic ASLR Deactivation
Overview This shellcode is a polymorphic version of Jean Pascal Pereiras x86 ASLR deactivation - 83 bytes shellcode. The final polymorphic version of the...
SLAE32 Assignment 6.1 - Polymorphic MMX Bind Shell
Overview For the sixth assignment in the SLAE32 Exam, we needed to create 3 polymorphic shellcodes; from existing shellcodes at shell-storm.org. What is Po...
SLAE32 Assignment 5.3 - Analyzing MSF adduser
Overview For the fifth assignment in the SLAE32 course we were tasked with analyzing three shellcodes from the Metasploit Framework. In this blog post w...
SLAE32 Assignment 5.2 - Analyzing msf chmod
Overview For the fifth assignment in the SLAE32 course we were tasked with analyzing three shellcodes from the Metasploit Framework. In this blog post w...
SLAE32 Assignment 5.1 - Analyzing MSF exec
Overview For the 5th assignment of the SLAE Exam, I will be analyzing 3 different linux x86 shellcodes created with MSF Venom. The first will be the payloa...
SLAE32 Assignment 4 - Rotation Encoder
Overview For my fourth assignment in the SLAE32 course, I created a custom Rotation Encoder. How this works is to encode the payload, it rotates every bi...
SLAE32 Assignment 3 - Egghunter Shellcode
Overview For our third assignment in the SLAE32 course we were tasked with creating an egghunter. What is an Egg Hunter? An Egghunter is a piece of injec...
SLAE32 Assignment 2 - TCP Reverse-Shell Shellcode
Overview For our second assignment in the SLAE32 course we were tasks with creating reverse shell, shellcode. What is a reverse shell? A reverse shell is a ...
SLAE32 Assignment 1 - TCP Bind-Shell Shellcode
Overview For the first Assigment of the SLAE32 course we were tasked with creating shellcode for a TCP bind-shell.