SLAE Assignment #3 | x86 EggHunting

9. Oktober 2017

Ready for the next level? – Method to exploit software even with small space for shellcode: EggHunting

The third task was: Build an eggHunter-shellcode and a PoC to check functionality. After some googling i found a very interesting paper, which explains eggHunting in general and shows 6 implementations (3x Linux/ 3x Windows).
I choosed the sigaction method, which is smaller, faster and robuster than the other two ones. The code is searching through the memory until it identifies my Egg (two times behind each other: 0x50905090) and then jumps to the position of my evilPayload.

To check the functionality of my eggHunter, i wrote a little c-programm, which copies some shellcode into memory. First the shellcode for my payload and two EGGs are copied into memory. After that the eggHunter-shellcode is loaded and executed.

I this case i use a simple helloWordPayload:

It work’s!

 

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-1036

Sie sehen gerade einen Platzhalterinhalt von Facebook. Um auf den eigentlichen Inhalt zuzugreifen, klicken Sie auf die Schaltfläche unten. Bitte beachten Sie, dass dabei Daten an Drittanbieter weitergegeben werden.

Mehr Informationen

Ähnliche Beiträge

After gaining my OSCP in June i decided to go deeper into exploitDev and shellcoding. And here we are, this [...]

9. Oktober 2017

Welcome back to my second post for the SLAE certification. Today we are going to build a reverse_shell shellcode and [...]

9. Oktober 2017

Hey ho, it’s time for some low-level shellcode encoding. After going through the encoder examples of the SLAE material i [...]

9. Oktober 2017

Got time to read? This tasks was a bigger one. We have to pick 3 random metasploit payloads and analyze [...]

9. Oktober 2017