Feature #684

Egghunter Improvements

Added by David Rude about 2 years ago. Updated 4 months ago.

Status: Closed
Priority: Normal
Assignee: Joshua J. Drake
Category: payloads
Target version: Metasploit 3.5.0
Start date: 12/13/2009
Due date:
% Done: 90%
Resolution: fixed
How To Use:
Release Note:

Description

Egghunter, as is, is not very robust. It can fail in a few possible cases: if the randomized egg happens to occur twice in memory before the payload, and if there are copies of the shellcode in memory which are mangled.

I suggest an egghunter which can take a hash and length value for the encoded shellcode. Then search memory for the eggs and read in length bytes of memory compute a hash and compare it to the stored hash. This should be possible in a small number of bytes depending upon the hashing algorithm.

Additionally, the ability to use separate Encoders and BadChars for the egghunter would be useful. Currently I'm working on a vuln where I need my egghunter to be strictly encoded to alphanumeric and my payload only needs a less strict encoding. I patched the generate_egghunter() to pass in an egghunter set of BadChars. This patch does default to the standard payload badchars as normal. Now I just need to get encoding working separately.
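A Python model of the two failure cases described above and of the hash-plus-length check proposed as the fix, added here as an illustration and not Metasploit's code: the egg tag, the memory layout and the 8-bit additive checksum are constructed assumptions, not the algorithm the checksum-support revision on this ticket implemented. The `start` parameter also models the start-location hint discussed later in the thread.

```python
from typing import Optional

# Constructed 4-byte tag; the hunter looks for it doubled ("w00tw00t").
EGG = b"w00t"


def checksum8(data: bytes) -> int:
    """Assumed 8-bit additive checksum (sum of bytes mod 256); stands in
    for whatever hash a real hunter stub would carry."""
    return sum(data) & 0xFF


def plain_hunt(memory: bytes) -> Optional[int]:
    """Original behaviour: offset just past the first doubled egg."""
    idx = memory.find(EGG + EGG)
    return idx + 2 * len(EGG) if idx != -1 else None


def checksum_hunt(memory: bytes, length: int, expected: int,
                  start: int = 0) -> Optional[int]:
    """Proposed behaviour: after each doubled egg, read `length` bytes and
    accept the copy only if its checksum matches `expected`. `start`
    models the start-register hint discussed later in the thread."""
    while True:
        idx = memory.find(EGG + EGG, start)
        if idx == -1:
            return None
        body = idx + 2 * len(EGG)
        candidate = memory[body:body + length]
        if len(candidate) == length and checksum8(candidate) == expected:
            return body
        start = idx + 1  # decoy or mangled copy: keep scanning


def build_memory(shellcode: bytes) -> bytes:
    """Constructed memory image with both failure cases from the ticket:
    a stray egg with no payload, a mangled copy, then the intact copy."""
    mangled = bytearray(shellcode)
    mangled[3] ^= 0xFF  # one byte corrupted, as a mangled copy would be
    gap = b"\x00" * 16
    return (gap + EGG + EGG + b"junk" + gap
            + EGG + EGG + bytes(mangled) + gap
            + EGG + EGG + shellcode + gap)


if __name__ == "__main__":
    # Harmless stand-in for encoded shellcode: four NOPs and four int3s.
    sc = b"\x90" * 4 + b"\xcc" * 4
    mem = build_memory(sc)
    print("plain hunter lands at", plain_hunt(mem))        # 24: the decoy
    print("checksum hunter lands at",
          checksum_hunt(mem, len(sc), checksum8(sc)))      # 84: intact copy
```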

egghunter.rb - patched version of generate_egghunter() to accept egg_badchars (1.2 kB) David Rude, 12/13/2009 08:58 am

egghunter.diff (1.7 kB) Peter Van Eeckhoutte, 10/12/2010 10:27 am


Related issues

related to Metasploit Framework - Feature #2989: Egghunter should use separate encoder invocation from pay... New 10/18/2010

Associated revisions

Revision 330281ea
Added by Joshua Drake over 1 year ago

see #684, adds checksum support, updates modules to use it, fixes some wfs_delay/WfsDelay issues

git-svn-id: file:///home/svn/framework3/trunk@10150 4d416f70-5f16-0410-b530-b9f4589650da

Revision c7fc3611
Added by Joshua Drake over 1 year ago

apply patch from Peter, see #684

git-svn-id: file:///home/svn/framework3/trunk@10657 4d416f70-5f16-0410-b530-b9f4589650da

History

Updated by HD Moore about 2 years ago

  • Target version set to Metasploit 3.4.0

Updated by Joshua J. Drake about 2 years ago

  • Assignee set to Joshua J. Drake

Updated by Joshua J. Drake almost 2 years ago

  • Target version changed from Metasploit 3.4.0 to Metasploit 3.5.0

Updated by Joshua J. Drake almost 2 years ago

Additionally, it would be nice if the EggHunter took hints for where to start searching ;) Sometimes you know a general location...

Updated by Joshua J. Drake over 1 year ago

  • Category set to payloads
  • Status changed from New to Assigned

Updated by Peter Van Eeckhoutte over 1 year ago

  • File egghunter.diff added
  • File egghunter.rb added

patch that will allow you to tell the hunter to use a given register as start location

Usage :

badchars = ""
eggoptions = { :startreg => "edx" }
hunter, egg = generate_egghunter(payload.encoded, badchars, eggoptions)

Code (based on revision 10651):

20a21
> # Startreg code added by corelanc0d3r
40a42,43
>                 startreg      = opts[:startreg]
>
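Review bot: the new `:startreg` option is read from `opts` here with no comment describing its contract; add one at this point stating the accepted values (an x86 general-purpose register name such as "edx", as in the usage example) and that the hunter will begin scanning from that register's value instead of the default start, so callers of generate_egghunter() know what they are opting into.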
44a48,56
>                 startstub = ''
>                 if startreg
>                     if startreg.downcase != 'edx'
>                         startstub = "\n\tmov edx,#{startreg}\n\tjmp next_addr" 
>                     else
>                         startstub = "\n\tjmp next_addr" 
>                     end
>                 end
>                 startstub << "\n\t" if startstub.length > 0
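Review bot: `startreg` is interpolated straight into the assembly text in `mov edx,#{startreg}` without any check that it names a register, so a typo or a value containing whitespace only surfaces as an assembler error later, far from the caller. Suggest validating before the stub is built, e.g. `raise ArgumentError, "bad :startreg" unless %w{eax ebx ecx edx esi edi ebp esp}.include?(startreg.to_s.downcase)`; using `to_s` first also lets a Symbol such as `:edx` work, since `startreg.downcase` as written assumes a String.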
46a59
> #{startstub}
104a118,127
>                 startstub = ''
>                 if startreg
>                     if startreg.downcase != 'ecx'
>                         startstub = "\n\tmov ecx,#{startreg}\n\tjmp next_addr" 
>                     else
>                         startstub = "\n\tjmp next_addr" 
>                     end
>                 end
>                 startstub << "\n\t" if startstub.length > 0
>
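Review bot: this block is a copy of the edx stub added in hunk 44a48,56 with only the register name changed to ecx; factor both into one helper, e.g. `def startreg_stub(startreg, base)` returning the `mov #{base},#{startreg}` / `jmp next_addr` text, so that any later fix (validation, Symbol handling, whitespace) lands in the Windows and Linux hunters at once. This hunk also adds a trailing empty `>` line that the edx hunk lacks; keep the two consistent.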
106a130
> #{startstub}

Updated by Joshua J. Drake over 1 year ago

The patch is busted (missing first few lines), please use "svn diff" from the trunk directory and re-attach.

Updated by Peter Van Eeckhoutte over 1 year ago

  • File egghunter.diff added

Updated by Peter Van Eeckhoutte over 1 year ago

diff file, created from trunk root

Updated by Joshua J. Drake over 1 year ago

  • File deleted (egghunter.diff)

Updated by Joshua J. Drake over 1 year ago

  • File deleted (egghunter.rb)

Updated by Joshua J. Drake over 1 year ago

  • File deleted (egghunter.diff)

Updated by Joshua J. Drake over 1 year ago

This ticket is still waiting on an implementation of separate encoding for the hunter stub itself.

Updated by Joshua J. Drake over 1 year ago

  • Status changed from Assigned to Resolved
  • % Done changed from 0 to 90
  • Resolution set to fixed

Closing since most of it has been addressed; the remaining bits (separate encoder invocation) have been moved to #2989.

Updated by Jonathan Cran about 1 year ago

  • Status changed from Resolved to Closed
