Description: A lot of times we download shellcode from sites like http://shell-storm.org and http://exploit-db.com but have no clue what that do. We believe what the shellcode description says and we are happy to run it. Would you trust a hacker? :) In this video, we look at the first step on how to systematically run and analyze shellcode.
In course of this video, we will discover that the shellcode in question uses a JMP-CALL-POP technique and uses XOR encoding to hide the real shellcode. We then move on to find the two syscalls it makes setreuid and execve. Upon analysis of the arguments of the syscall, we figure out that the shellcode after decoding itself, runs "/bin/ksh"
Link to Shellcode: http://www.shell-storm.org/shellcode/files/shellcode-809.php
Shellcode Author: https://twitter.com/@egeektronic
Latest from the SecurityTube Blog: