Saturday, 18 April 2020


This blog post has been created for completing the requirements of SecurityTube Linux Assembly Expert Certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/ Student ID: SLAE - 1342

Hello Shellcoders,
It has been a week since I wrote my last article. Yesterday, I got a chance to work on my SLAE assignments again. If you haven’t seen my Assignment 2 blog post on the Shell Reverse TCP x86 shellcode, you can check it [Here]. Today in this post we will be discussing the EggHunter x86 shellcode, which is the third assignment for the SLAE exam.
So the requirements are:

  • Create an egghunter shellcode 
  • It should be configurable for different payloads. 

So first, let’s see what Corelan has to say about egghunters:
It is a small amount of custom shellcode to find your actual (bigger) shellcode (the “egg”) by searching for the final shellcode in memory. In other words, first, a small amount of code is executed, which then tries to find the real shellcode and executes it.
Pretty easy, huh? If you still have any doubt, then please feel free to ping me on twitter [@Pwsecspirit]

Let's start by viewing the pseudo code for the egghunter shellcode to get an idea of how to implement it in x86 assembly.
fun egg(addr)
{
    if (value(addr) == <*egg>)
        jump_to(addr)
    else
        egg(addr+1)
}
It gives us a rough idea of what we need to do. I also read a ton of blog posts and a great paper on egghunting by Skape, which gave me the basic idea of what is required.
In Skape's paper he talks about three methods. Sure, there are other ways to write egghunting shellcode too, but for starters it is a great place to begin. Anyway, in my assignment I will be using the third method, i.e. the one based on the sigaction system call.


Alright, so these are the syscalls we need. But how do we check whether an address is safe to read before we look at it? For that we will need sigaction().

Now, in my first shellcoding post I read the value from “unistd_32.h” itself, but now I use the sysref tool by one of my friends, @berkcgoksel. Go try it if you know which syscall you want to look for.


Okay, so " sys_sigaction " is at number 67; in hex its value would be 0x43.
We also need to look up the value of the EFAULT error, which is basically just a “Bad address.”


Okay, we will be needing -14 for the EFAULT value. You might be wondering why I said -14 when 14 is written over there. Well, the standard errno is a positive number, but the Linux kernel returns the negative value. Now let's begin with the assembly code.


Your assembly must have a _start label (it could be any name) so that the linker knows where the code begins. Now start writing in the _start section:


This simple instruction jumps to next_addr.


Well, here in this piece of code we increase the ECX value by one and call the sys_sigaction syscall to check the next address. Everything is explained in the comments, but let me clear up a few things. In assembly we use the semicolon " ; " to write a comment.
Also, for those who are new, here is a cheat sheet:

  • EAX- System call number 
  • EBX- First argument 
  • ECX- Second argument 
  • EDX- Third argument 
  • ESI- Fourth argument 
  • EDI- Fifth argument
In the end, when everything is set up, we use " int 0x80 " to trigger the interrupt that makes the system call. In plain language it is like calling the kernel, handing it all the register values, and letting the kernel get the work done for us using those values. Ez Pz? Moving ahead.


So as you can see, my Linux page size is 4096 bytes, which is 4.096 kB.


We do a bitwise OR on the current ecx register. 0x0fff is nothing but 4095, so this moves ecx to the last byte of the current page. After this, next_addr runs again and then the same check_if_efault, until we reach an address where the zero flag is not set. Once we find it, we go inside check_if_egg.



So inside check_if_egg our cute little egg is defined. We move the egg value into eax, and after that we move the current value that ecx holds into edi, which is our address pointer. The “scasd” instruction compares EAX with the dword that EDI points to; if they are not equal, we check the next address. We keep doing this until the egg is found, and then we jump to EDI, which at that point holds the address of our bind/reverse/execve shellcode (any shellcode we want to jump to).

I will be using my Bind Shell from assignment 1.




In the 1st pane I've just compiled my C code and run the executable.
In pane 2, I'm just showing my IP address.
In pane 3, I'm just showing with the netstat command that port 1337 is open and in LISTENING state.
In pane 4, I've used the nc command, which is short for netcat, to connect to the Ubuntu box where port 1337 is listening.

Thanks,
