Hack In The Box 2023 - Summary

ITSEC Newsletter 2023-05-22

Dates: 2023-04-20 - 2023-04-21

Location: Mövenpick Hotel, Amsterdam

Syscalls In Shellcode - Techniques For Malicious Functionality

"In this talk, we will demonstrate ShellWasp, a tool to help bypass the portability problem associated with syscalls, allowing for direct syscalls to easily be used in shellcode. While there have been many tools and techniques that grant users the ability to use Windows syscalls in higher-level languages, there has been virtually no discussion on how to do so in pure shellcode. In fact, as part of research to build a comprehensive shellcode analysis framework, SHAREM, we were shocked to find after extensive research that syscalls have virtually never been used in Windows shellcode. Aside from one lone example, an early proof of concept from the Windows XP era, which used hardcoded SSNs, ignoring the portability problem associated with syscalls, we could find no other publicly available examples, aside from egghunters. These egghunters, however, used a single syscall to search through process memory for a tag that marked the starting location of a secondary shellcode fragment."

Red Wizard - A User-friendly Infrastructure For Red Teams

"In this talk I will introduce our new open-source tool called Red Wizard. Red Wizard is the result of years of spinning up repeatable infrastructures for Red Teaming operations. It automates a comprehensive infrastructure deployment with redirectors, backend systems, phishing relays, OSINT machines, et cetera, but made easy by providing wizards that walk you through the deployments. Additionally, the infrastructure is self-documenting, making the sharing of all relevant details with your team of operators a breeze."

The Return Of Stack Overflows In The Linux Kernel

"Nftables bugs involving structures such as NFT registers offer just that, as a read primitive can be used to calculate the address of said structures along with other static kernel addresses. Since Nftables hooks run in softirq mode, a fresh, static per-CPU stack is allocated while entering soft interrupt mode, hence defeating the purpose of per-system-call stack randomization. After corrupting some memory and gaining RIP control, I will show how to pivot the stack to our controlled NFT registers, thus defeating SMEP/SMAP since no user space payload is ever involved. As we only have 60 bytes left in the registers, a technique to gain more space to host our ROP chain is necessary, which involves duplicating the initial registers and changing their values in a controlled way."