SLAE 32 – Assignment 3

Assignment 3 – x86 Linux Egghunter

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-1112

This is the third of seven assignments required to complete the SLAE (32bit) certification.

The subject of this Assignment is Egghunters. During my study for this Assignment, I’ve read a lot of posts referencing Skape’s paper “Safely Searching Process Virtual Address Space”. This paper provides a really good explanation of Egghunters and also explains some code implementations. I really recommend it.

What’s an Egghunter?

An Egghunter is a very short shellcode whose objective is to locate a longer shellcode somewhere else in memory and transfer execution to it. The Egghunter implementation is very useful in situations where the buffer space is limited but it is possible to plant a longer shellcode somewhere else in memory.
In these situations the smaller shellcode’s (Egghunter) job is to look for a pattern in memory and then jump to that location (egg).

Egg Hunter Implementation

The three example implementations presented by Skape are based on the system call technique exclusively in order to safely traverse the process’s Virtual Address Space (VAS) without dereferencing the invalid memory regions that are strewn in the process’s memory.

When a system call encounters an invalid memory address it will return the EFAULT error code indicating that it is pointing outside of the accessible address space.

This means the egg hunter can search for the egg in a crash-free manner, since it is capable of searching through memory regions that are invalid.
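The probe behaviour described above can be reproduced in plain C. This is an added example, not code from the original post or from Skape's paper; `probe` and `probe_demo` are hypothetical names, and the three-page layout is constructed for the demonstration. It goes slightly beyond the text by also covering a PROT_NONE page and a string that runs off the end of a readable page.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* for MAP_ANONYMOUS under strict -std modes */
#endif
#include <errno.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* 1 if the kernel could read a path string starting at addr, 0 if it
 * answered EFAULT. Any other errno (ENOENT, ENAMETOOLONG, ...) still
 * proves the bytes were readable. Nothing is dereferenced in user mode,
 * so an invalid address cannot raise SIGSEGV here. */
static int probe(const void *addr)
{
    errno = 0;
    if (access((const char *)addr, F_OK) == 0)
        return 1;
    return errno != EFAULT;
}

/* Constructed layout: page 0 readable, page 1 PROT_NONE, page 2 unmapped.
 * Result bits: 0 = page 0, 1 = page 1, 2 = page 2,
 * 3 = unterminated bytes at the very end of page 0. -1 on setup error. */
static int probe_demo(void)
{
    long ps = sysconf(_SC_PAGESIZE);
    char *base = mmap(NULL, 3 * ps, PROT_NONE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return -1;
    if (mprotect(base, ps, PROT_READ | PROT_WRITE) != 0 ||
        munmap(base + 2 * ps, ps) != 0)
        return -1;

    int bits = 0;
    bits |= probe(base) << 0;           /* zero-filled page: "" -> ENOENT */
    bits |= probe(base + ps) << 1;      /* mapped, not readable -> EFAULT */
    bits |= probe(base + 2 * ps) << 2;  /* not mapped -> EFAULT */
    memset(base + ps - 4, 'A', 4);      /* no NUL before the page boundary */
    bits |= probe(base + ps - 4) << 3;  /* kernel faults on next page -> EFAULT */

    munmap(base, 2 * ps);
    return bits;
}

int main(void)
{
    return probe_demo() == 1 ? 0 : 1;   /* only the readable page passes */
}
```

In a syscall trace, a hunter built on this probe appears as a long run of access() calls failing with EFAULT at page-stepped addresses, which is the pattern a monitor can key on.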

The following shellcode is a mix of the first two implementations from Skape’s paper, using the access() syscall with some tweaks:

[Image: 1.png (egghunter shellcode listing)]

In short, the egghunter iterates over page-aligned address blocks and tries to access them using the access syscall. Every time an accessible memory block is found, its contents are compared with the egg signature 0x90509050.

By initializing edi to the pointer value that is currently in edx, the scasd instruction can be used to compare the dword in memory at the address held in edi with the dword value that is currently in eax (the egg). Also, scasd increments edi by four after each comparison. With this, after finding a match, edi will be pointing to the beginning of the Shellcode and then we can perform a jump to edi.

In order to test the Egghunter implementation the following PoC code was used:

[Image: poc (PoC code)]

The Shellcode that follows the egg is the Reverse Shell from Assignment 2.

The PoC compilation needs the following options:

  • gcc prog.c -o prog -fno-stack-protector -z execstack

After executing the code, the Egghunter is executed and starts searching the memory for the Egg signature. Once found, the code execution is transferred to the Shellcode:

[Image: final (result of the execution)]

The code for this assignment can be found on my SLAE Github repository.