- Study about the Egg Hunter shellcode
- Create working demo of the Egghunter
- Should be configurable for different payloads
First step is to actually understand what an Egg Hunter is. Just with a little googling I discovered a paper detailing this on: http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
The paper defines three essential requirements for an egg hunter to be successful:
1. It must be robust
2. It must be small
3. It should be fast
In essence, this technique solves the problem where a buffer overflow gives you some space, but not enough to hold the full payload you want to run.
The problem is solved using a staged approach:
Stage 1: Contains the instructions that search memory for the egg. When the egg has been found, control of execution is passed to the second stage.
Stage 2: Starts with the egg twice, followed by the shellcode that contains the (larger) payload.
The Skape paper describes three methods for a Linux machine. For this assignment we will be using the first one, which uses the access(2) system call. Skape explains why this call was chosen for the egg hunter:
"The reason this system call was selected was for two reasons. First, the system call had to have a pointer for just one argument, as multiple pointer arguments would require more register initialization, and thus violate requirement #2 regarding size. Secondly, the system call had to not attempt to write to the pointer supplied, as it could lead to bad things happening if the memory were indeed writable, which in all likelihood would be the case for the buffer that would hold the egg being searched for"
Let's look up the system call "access":
nelis@slae:~$ cat /usr/include/i386-linux-gnu/asm/unistd_32.h | grep access
#define __NR_access 33
(= 0x21 in hex)
man 2 access:
int access(const char *pathname, int mode);
Discover constants:
/usr/include/libr/sflib/common/sftypes.h
EFAULT = 14 (the kernel returns -14, whose low byte is 0xF2, which is what the hunter compares against - no access to memory)
/usr/include/unistd.h:
F_OK = 0
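To make the two ideas above concrete (access(2) with F_OK as a read-only probe for mapped memory, and the search for the egg written twice in a row), here is an added C demonstration. It is not part of the original post and not skape's hunter; it re-creates the same page-walking logic in plain C over a constructed three-page region with an unmapped hole in the middle, so you can watch the search skip the hole and land on the doubled egg. The region layout, the "STAGE2" marker and the decoy single egg are constructed for this example; the egg value 0x50905090 is the one from the paper. Nothing is executed: stage 2 here is just a byte string whose offset is reported.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Probe one address the way skape's hunter does: access(2) with F_OK (= 0)
 * only *reads* its pathname argument and never writes through it. A raw
 * return of -EFAULT (-14, low byte 0xF2) means the page is not mapped; any
 * other outcome (0, ENOENT, ENAMETOOLONG, ...) means the kernel could read
 * it. Caveat: a NUL-free byte run that continues into an unmapped page also
 * yields EFAULT, which the hunter treats the same as an unmapped page. */
int page_is_readable(const void *p)
{
    errno = 0;
    if (access((const char *)p, F_OK) == 0)
        return 1;
    return errno != EFAULT;
}

/* Search [start, start+len) for two back-to-back copies of the 4-byte egg.
 * Each step probes the last byte of the 8-byte window before comparing, so
 * the search never touches unmapped memory; on EFAULT it jumps to the next
 * page boundary instead of crashing (requirement 1: robust). Returns a
 * pointer just past the doubled egg (where stage 2 begins), or NULL.
 * Assumption for this demo: `start` lies in a readable page and the page
 * size is a power of two. */
const unsigned char *find_egg(const unsigned char *start, size_t len, uint32_t egg)
{
    uintptr_t mask = (uintptr_t)sysconf(_SC_PAGESIZE) - 1;
    const unsigned char *end = start + len;
    const unsigned char *p = start;

    while (p + 8 <= end) {
        if (!page_is_readable(p + 7)) {
            /* same idea as skape's "or cx, 0xfff; inc ecx": go to the next page */
            p = (const unsigned char *)((((uintptr_t)p + 7) | mask) + 1);
            continue;
        }
        uint32_t a, b;
        memcpy(&a, p, 4);
        memcpy(&b, p + 4, 4);
        if (a == egg && b == egg)
            return p + 8;          /* the hunter's "jmp edi" target */
        p++;
    }
    return NULL;
}

/* Constructed demonstration region (3 pages): a lone decoy egg in page 0,
 * an unmapped (PROT_NONE) hole in page 1, and the doubled egg followed by a
 * harmless "STAGE2" marker in page 2. Returns the offset of the located
 * stage 2 from the region base (expected 2*pagesize + 208), -1 on setup
 * failure, -2 if the doubled egg was not found where the marker sits. */
long demo_search(void)
{
    long page = sysconf(_SC_PAGESIZE);
    const uint32_t egg = 0x50905090u;   /* the egg value used in skape's paper */
    unsigned char *base = mmap(NULL, 3 * page, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return -1;

    memcpy(base + 100, &egg, 4);                 /* single egg: must NOT match */
    if (mprotect(base + page, page, PROT_NONE) != 0) {   /* simulated hole */
        munmap(base, 3 * page);
        return -1;
    }
    unsigned char *stage2 = base + 2 * page + 200;
    memcpy(stage2, &egg, 4);                     /* egg, twice */
    memcpy(stage2 + 4, &egg, 4);
    memcpy(stage2 + 8, "STAGE2", 7);             /* stands in for the payload */

    const unsigned char *hit = find_egg(base, 3 * page, egg);
    long off = -2;
    if (hit && memcmp(hit, "STAGE2", 7) == 0)
        off = (long)(hit - base);
    munmap(base, 3 * page);
    return off;
}

int main(void)
{
    printf("page_is_readable(\"x\") = %d, page_is_readable(NULL) = %d\n",
           page_is_readable("x"), page_is_readable(NULL));
    long off = demo_search();
    printf("stage 2 located at region offset %ld (expected %ld)\n",
           off, 2 * sysconf(_SC_PAGESIZE) + 208);
    return off > 0 ? 0 : 1;
}
```

Compile with gcc and run it; the lone egg in page 0 is skipped because the second dword after it is zero, the PROT_NONE page is skipped via EFAULT without a crash, and the reported offset is just past the two egg copies in page 2. The one-syscall-per-byte probing is what makes the real hunter "fast enough" rather than fast, which is why the paper treats speed as a should rather than a must. The same doubled-marker scan is also a cheap heuristic when inspecting a memory dump or captured buffer for staged payloads.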
Using the template by Skape, the egg hunter is written:
Creating payload: I chose to use msfvenom for the creation of the payload. I could have used the payload created in assignment 2 as well, but for the sake of using a custom payload I left instructions on how to generate this shellcode in the shellcode.c file.
Which leads to the following C file:
Compile instruction: gcc -z execstack -fno-stack-protector shellcode.c -o shellcode
Run and capture reverse shell:
./shellcode
Other term:
nelis@slae:~/SLAE/assignment3$ nc -nlvp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from [127.0.0.1] port 4444 [tcp/*] accepted (family 2, sport 43353)
id
uid=1000(nelis) gid=1000(nelis) groups=1000(nelis),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),107(lpadmin),124(sambashare)