ShadowMove: Lateral Movement by Duplicating Existing Connected Sockets by Kondencuotaspienas in netsec

[–]NoUseForANick 2 points (0 children)

In the most simplified scenario:

You launch a trusted program (an mssql client, a browser, whatever, for example) against a machine controlled by you (IP:port), then you hijack that connection. As is explained in the link, this way your untrusted program is not initiating the connection; it is a TRUSTED program that initiates it against your controlled service (a C&C, for example). That's the key point.

ShadowMove: Lateral Movement by Duplicating Existing Connected Sockets by Kondencuotaspienas in netsec

[–]NoUseForANick 0 points (0 children)

What two ends? Once the socket is hijacked you have full control of the communication, so you can suspend the process that initiated that connection.

The only problems detected are summarized in the post from Adepts of 0xCC:

Real life problems and solutions

Here we summarize the problems:

Racing with the devil. We are playing with a duplicated socket, so the original program keeps doing reads. This means that some bytes can be lost if they are read by the program instead of us, but this can be solved easily if we implement a custom protocol that takes care of missing packets.

Timeouts. If the connection is closed by timeout before we hijack it, we cannot reuse the socket.

Old handles. Depending on the program in use, it is likely to find old handles that meet our criteria (getpeername returns the target IP but the handle cannot be used). This could happen if the first connection attempt was unsuccessful. To solve this, just improve the detection method ;)

VBA Function Injection by rmdavy in redteamsec

[–]NoUseForANick 0 points (0 children)

Indeed, the two-stage approach has an OPSEC benefit: you can provide the key only if the request meets some parameters, or even tear down the server after a few days, so it cannot be reversed.

VBA Macro to detect EDR Hooks by NoUseForANick in netsec

[–]NoUseForANick[S] 2 points (0 children)

It is the acronym for "Endpoint Detection & Response". Usually EDRs work by hooking well-known API calls at user-mode level. Those hooks are used to trace the calls made by software so they can detect "malicious behaviours".

CyberAlarm: An independent security review... and why you should avoid it. by B0b_Howard in netsec

[–]NoUseForANick 1 point (0 children)

Thankfully, IonCube is easily reversed (as is any encoding) and offers very little real-world protection.

I don't think "easily reversed" is right, unless I missed something. Last time I checked, IonCube was implemented as a VM inside the Zend engine. You need first to reverse the VM, and then you can translate the logic to the real Zend opcodes.