
Egg Hunter for The Win | Linux x86

Introduction

What is an egg hunter, and why on earth would you need one? This post answers these questions and discusses the access() syscall, which will be a vital part of our shellcode. The post then concludes by demoing a working egg hunter shellcode. Please note that all of the work here is based on Skape’s paper.

Egg Hunting

Egg hunting is a technique used to search the Virtual Address Space (VAS) for a pattern, referred to as the egg, that usually marks the start of our desired payload. Now you are probably asking: what if we hit unallocated memory while searching for that pattern? Well, the answer is that the process receives SIGSEGV and crashes! To prevent this kind of behavior we will abuse the access() syscall to hunt for our egg without crashing (more on that later). A good example of an egg hunter use case is a buffer overflow exploit with a limited buffer size that won’t allow a large payload such as a bind or reverse shell, so we use the egg hunter as a stager to locate and execute a payload of our choosing.

access()

The access() syscall checks what permissions the calling process has for the file referred to by pathname, and it takes two arguments, as shown below.

There are two reasons you’d want to use the access() syscall. The first is that it doesn’t take many arguments, so there are fewer registers to initialize, which translates to a smaller size. The second is that we’re looking for a function that doesn’t write to the pointed-to memory, because that would defeat the purpose. We’ll use the pathname pointer to perform address validation by observing the ZF flag: when the pointer hits unallocated memory the syscall returns EFAULT, meaning “hey, this memory page is bad, try the next one”. Let’s identify the syscall number of access() that goes in EAX.
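To see the access() behaviour this relies on, here is an added C example (written for this page, not code from the post or from Skape’s paper). It maps a page, unmaps it, and calls access() through the now-dangling pointer: the kernel answers with EFAULT instead of delivering SIGSEGV, whereas a mapped buffer holding a nonexistent path gets ENOENT and a mapped buffer holding an existing path succeeds. At the raw syscall level the kernel places -EFAULT (-14) in EAX, which is what the shellcode compares against; the libc wrapper used here turns that into -1 with errno set. Linux only; the path strings are constructed for the example.

```c
/* Added example (not from the original post): access() as a crash-free
 * memory probe on Linux. Nothing is written through the pointer, and an
 * unmapped address yields EFAULT rather than SIGSEGV.
 * Build: gcc -Wall -o access_probe access_probe.c */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Call access(pathname, mode) on an arbitrary pointer and return errno,
 * or 0 on success. F_OK only asks whether the path exists. */
static int probe_errno(const void *ptr)
{
    if (access((const char *)ptr, F_OK) == 0)
        return 0;
    return errno;
}

/* Map one page, release it, then probe the unmapped address.
 * Expected result: EFAULT, and the process keeps running. */
int probe_unmapped_page(void)
{
    long page = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    if (munmap(p, (size_t)page) != 0)
        return -1;
    return probe_errno(p);  /* pointer into a page we just unmapped */
}

/* Probe a mapped buffer containing a path that does not exist.
 * Expected result: ENOENT, i.e. the page was readable and a lookup happened. */
int probe_mapped_missing_path(void)
{
    char buf[] = "/nonexistent-path-constructed-for-this-example";  /* constructed */
    return probe_errno(buf);
}

/* Probe a mapped buffer containing a path that exists. Expected result: 0. */
int probe_mapped_existing_path(void)
{
    char buf[] = "/";
    return probe_errno(buf);
}

int main(void)
{
    int e1 = probe_unmapped_page();
    int e2 = probe_mapped_missing_path();
    int e3 = probe_mapped_existing_path();
    printf("unmapped page         -> errno %d (%s)\n", e1, strerror(e1));
    printf("mapped, missing path  -> errno %d (%s)\n", e2, strerror(e2));
    printf("mapped, existing path -> errno %d (%s)\n", e3, strerror(e3));
    return 0;
}
```

The distinction between EFAULT and any other result is the whole trick: only EFAULT says the page itself is unreadable, so that is the single value a hunter has to compare against before it can safely read the page looking for the egg.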

It’s also worth noting that we’ll need to repeat our egg twice (8 bytes) to avoid the egg hunter colliding with itself, so the egg hunter has to find two consecutive matches before it jumps to the payload.
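As an added illustration of the doubled-egg rule (example code written for this page, not the post’s shellcode), here is a small C search over a constructed byte buffer. The hunter’s own code holds one copy of the egg as the immediate operand of its compare instruction, so a search for a single copy hits the hunter first; requiring two adjacent copies skips that false hit and lands on the payload marker. The egg value and the buffer layout are constructed for the example.

```c
/* Added example (not from the original post): why the egg is repeated.
 * find_egg() returns the first offset where `copies` back-to-back copies of
 * a 4-byte egg occur. With copies == 1 it finds the hunter's own embedded
 * egg; with copies == 2 it finds the real payload marker. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EGG_LEN 4

/* Offset of the first run of `copies` consecutive eggs in buf, or -1. */
long find_egg(const uint8_t *buf, size_t len, const uint8_t *egg, int copies)
{
    if (copies < 1)
        return -1;
    size_t need = (size_t)copies * EGG_LEN;
    if (len < need)
        return -1;
    for (size_t off = 0; off + need <= len; off++) {
        int ok = 1;
        for (int c = 0; c < copies && ok; c++)
            if (memcmp(buf + off + (size_t)c * EGG_LEN, egg, EGG_LEN) != 0)
                ok = 0;
        if (ok)
            return (long)off;
    }
    return -1;
}

/* Constructed egg value; any 4 bytes unlikely to occur by accident will do. */
static const uint8_t EGG[EGG_LEN] = { 'T', '3', 'S', 'T' };

/* Constructed memory image: filler, a hunter-like region carrying a single
 * copy of the egg (its compare immediate) at offset 10, more filler, and the
 * payload marker (egg twice) at offset 40 with the payload body from 48. */
static uint8_t image[64];

static void build_image(void)
{
    memset(image, 0x90, sizeof image);      /* filler bytes */
    memcpy(image + 10, EGG, EGG_LEN);       /* the hunter's own copy */
    memcpy(image + 40, EGG, EGG_LEN);       /* payload marker, first copy */
    memcpy(image + 44, EGG, EGG_LEN);       /* payload marker, second copy */
}

/* Searching for one copy: returns 10, the hunter's own egg (a false hit). */
long single_copy_hit(void)
{
    build_image();
    return find_egg(image, sizeof image, EGG, 1);
}

/* Searching for two copies: returns 40, the start of the doubled marker;
 * the payload itself begins right after it, at 40 + 2 * EGG_LEN. */
long double_copy_hit(void)
{
    build_image();
    return find_egg(image, sizeof image, EGG, 2);
}

int main(void)
{
    printf("single-copy search hits offset %ld (the hunter itself)\n",
           single_copy_hit());
    printf("double-copy search hits offset %ld, payload at %ld\n",
           double_copy_hit(), double_copy_hit() + 2 * EGG_LEN);
    return 0;
}
```

The same check is useful on the defensive side: when inspecting a captured buffer or memory dump, an 8-byte run made of the same 4-byte tag twice is a much stronger indicator of a staged payload than a single occurrence of the tag.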

Final Shellcode

Now that we know what an egg hunter is and what access() does, let’s write the egg hunter code and then test it!

Let’s compile it and dump the shellcode!

Here’s the final egg hunter shellcode, coupled with the “/bin/dash” shellcode from exploit-db.

Demo time!

Closing Thoughts

I don’t know about you, but I find the egg hunter method really fascinating and I’m glad I learned how to write my own! Thank you Skape for your awesome work! Feel free to contact me with questions using the comment section below or just tweet me @ihack4falafel. All of the code is available on my GitHub, linked below.

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID:    SLAE-1115

Github Repo: https://github.com/ihack4falafel/SLAE32/tree/master/Assignment%203
