There's little point in re-writing what was written in skapes paper however it can be summarized as follows. For the linux platform there are basically 3 ways of leveraging the egg hunter technique.
The first being using the access syscall where the egg is loaded into the EBX register since the access function takes in a pointer to the pathname as the first arguement. The value in EBX is then compared to the contents of the pointer in the EDX register. The EDX register is used to iterate through the addresses in the current page in memory. If they values dont match, it continues ina loop and increments the EDX. If the egg is found, implementation jumps to the EDX where the second stage of the payload is and begins execution.
The second way is some what similar to what we've just explained above since it also leverages the access syscall. The major difference comes in the fact that while the previous method didnt check for validity of the addresses, this one first checks for the validity of the address only after a valid address has been determined does it start doing the comparisons. Another difference in terms of the functionality is that the egg is stored in the EAX register and compared to the EDI (contents of memory stored here) using the native scasd instruction.
The final implementation is different from the previous ones in terms of speed and size in that its faster and smaller and leverages the sigaction syscall. The reason for its speed stems from the fact that while using the sigaction function, its able to search multiple addresses at a time. The logic behind this fact is that incrementing by PAGE_SIZE allows for quicker searching through invalid memory regions. This is the most common implementation of the egg hunter due to its relatively smaller size of 30bytes compared to the previous two which are 38 and 35 bytes respectively. The other advantage it has is that its search time is also lower than the previous two since it searches multiple pages at a time. Below is the egghunter code.
We can assemble and link the above nasm code using this simple compile.sh script. When using the script, drop the .nasm at the end of the filename for example if you've named the egghunter.nasm, when compiling with compile.sh, just do "./compile.sh egghunter" Next we use objdump to check for nulls since we know nulls in most cases kill shellcode. We run "./objdump -d egghunter -M intel" You can use whatever syntax suits you mine is intel. The default syntax is AT&T. After establishing the absence of nulls we then extract the shellcode using this code from commandlinefu. This gives us the following shellcode.
"\x66\x81\xc9\xff\x0f\x41\x6a\x43\x58\xcd\x80\x3c\xf2\x74\xf1\xb8"
"\x90\x50\x90\x50"-----> Tag to hunt for
"\x89\xcf\xaf\x75\xec\xaf\x75\xe9\xff\xe7"
The code below the tags is a basic /bin/sh shellcode and can be substituted for any other shellcode.
"\x90\x50\x90\x50"----> EggHunter tags i.e. value to be searched for (If you decide to
"\x90\x50\x90\x50" change the tag be sure to change the tag in the egghunter code too)
"\x31\xc0\x99\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80".
We then go ahead and paste the shellcode into the c program below to test our shellcode. Compile the shellcode.c with the syntax "gcc -fno-stack-protector -z execstack shellcode.c -o shellcode" then run shellcode "./shellcode".
No comments:
Post a Comment