Class: Rex::Exploitation::Egghunter
Inherits: Object
Defined in: lib/rex/exploitation/egghunter.rb
Overview
This class provides an interface for generating egghunters. An egghunter is a small stub that searches the process address space for a known byte sequence (the "egg" tag) and transfers control to the payload that follows it. This is useful when an overflow leaves only limited room for a payload, but a larger payload can be placed somewhere else in memory at an address that is not directly predictable.
Original implementation by skape (See www.hick.org/code/skape/papers/egghunt-shellcode.pdf)
Contributors:
- Checksum checking implemented by dijital1/corelanc0d3r
- Checksum code merged into Egghunter by jduck
- Conversion to use Metasm by jduck
- Startreg code added by corelanc0d3r
- Routine to disable DEP for the discovered egg (Windows) added by corelanc0d3r
Defined Under Namespace
Modules: Linux, Windows
Classes: UnitTest
Instance Method Summary
- #generate(payload, badchars = '', opts = {}) ⇒ Object
  This method generates an egghunter using the derived hunter stub.
- #initialize(platform, arch = nil) ⇒ Egghunter (constructor)
  Creates a new egghunter instance and acquires the sub-class that should be used for generating the stub based on the supplied platform and architecture.
Constructor Details
#initialize(platform, arch = nil) ⇒ Egghunter
Creates a new egghunter instance and acquires the sub-class that should be used for generating the stub based on the supplied platform and architecture.
# File 'lib/rex/exploitation/egghunter.rb', line 316

def initialize(platform, arch = nil)
  # Walk the platform modules defined under Egghunter (Linux, Windows).
  # Each carries an Alias constant that is matched against the platform
  # string; on a match the module is mixed into this instance.
  Egghunter.constants.each { |c|
    mod = self.class.const_get(c)
    next if ((!mod.kind_of?(::Module)) or (!mod.const_defined?('Alias')))

    if (platform =~ /#{mod.const_get('Alias')}/i)
      self.extend(mod)

      # Repeat for the architecture modules nested under the matched
      # platform module, again keyed on their Alias constant.
      if (arch and mod)
        mod.constants.each { |a|
          amod = mod.const_get(a)
          next if ((!amod.kind_of?(::Module)) or (!amod.const_defined?('Alias')))

          if (arch =~ /#{amod.const_get('Alias')}/i)
            self.extend(amod)
          end
        }
      end
    end
  }
end
Instance Method Details
#generate(payload, badchars = '', opts = {}) ⇒ Object
This method generates an egghunter using the derived hunter stub. It returns a two-element array [hunter, egg]: hunter is the platform/architecture-specific search stub and egg is the marker (opts[:eggtag] repeated twice) followed by the payload. If opts[:eggtag] is not supplied, a random 4-byte tag that avoids badchars is chosen. If opts[:checksum] is set, a one-byte checksum (the sum of all payload bytes mod 256) is appended to the egg so the hunter can reject accidental occurrences of the doubled tag. Returns nil if the hunter stub cannot be generated.
# File 'lib/rex/exploitation/egghunter.rb', line 347

def generate(payload, badchars = '', opts = {})
  # set defaults if options are missing
  # NOTE: there is no guarantee this won't exist in memory, even when doubled.
  # To address this, use the checksum feature :)
  opts[:eggtag] ||= Rex::Text.rand_text(4, badchars)

  # Generate the hunter_stub portion
  return nil if ((hunter = hunter_stub(payload, badchars, opts)) == nil)

  # Generate the marker bits to be prefixed to the real payload
  egg = ''
  egg << opts[:eggtag] * 2
  egg << payload

  if opts[:checksum]
    cksum = 0
    payload.each_byte { |b| cksum += b }
    egg << [cksum & 0xff].pack('C')
  end

  return [ hunter, egg ]
end
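The following is an added example, not Metasploit's own code: a pure-Ruby model of the egg layout that #generate builds and of the search the hunter stub performs, so the effect of doubling the tag and of opts[:checksum] can be seen without loading Rex. The Ruby loop in hunt stands in for the assembly stub (the real stub must also survive reading unmapped addresses, which this model ignores), and the tag 'w00t', the payload bytes and the memory image in sample_memory are all constructed for the demo.

```ruby
# Added example: models the egg layout produced by Egghunter#generate and the
# search the hunter stub performs. Pure Ruby, no Rex/Metasploit dependency.
# The search loop is a stand-in for the assembly stub, not the real hunter.

# Build an egg with the same layout as Egghunter#generate: the 4-byte tag twice,
# the payload, and optionally one checksum byte (sum of payload bytes mod 256).
def build_egg(payload, eggtag: 'w00t', checksum: false)
  raise ArgumentError, 'eggtag must be exactly 4 bytes' unless eggtag.bytesize == 4

  egg = eggtag.b * 2
  egg << payload.b
  if checksum
    cksum = payload.each_byte.reduce(0) { |sum, b| sum + b }
    egg << [cksum & 0xff].pack('C')
  end
  egg
end

# Model of the hunter: scan `memory` for the doubled tag and return the offset
# of the bytes that follow it (where the payload starts). With checksum: true,
# the byte after `payload_len` payload bytes must equal their sum mod 256; a
# hit whose checksum does not match is skipped and the scan continues.
# Returns nil when no acceptable egg is present.
def hunt(memory, eggtag: 'w00t', payload_len: nil, checksum: false)
  raise ArgumentError, 'payload_len is required with checksum' if checksum && payload_len.nil?

  marker = eggtag.b * 2
  mem = memory.b
  pos = 0
  while (idx = mem.index(marker, pos))
    start = idx + marker.bytesize
    return start unless checksum

    body = mem.byteslice(start, payload_len)
    if body && body.bytesize == payload_len
      expected = mem.getbyte(start + payload_len) # nil if the image ends early
      actual = body.each_byte.reduce(0) { |sum, b| sum + b } & 0xff
      return start if expected == actual
    end
    pos = idx + 1 # false positive: keep scanning past it
  end
  nil
end

# Constructed memory image for the demo: a lone copy of the tag (never a hit),
# a doubled tag followed by junk and a bogus checksum byte (the accidental
# occurrence the NOTE in #generate warns about), then the real egg.
def sample_memory(egg, eggtag: 'w00t')
  tag = eggtag.b
  ''.b + 'AAAA' +                      # offsets  0..3  unrelated data
    tag +                               # offsets  4..7  single tag, not doubled
    'BBBB' +                            # offsets  8..11
    tag * 2 + 'XXXXXXXXX' + "\x00" +    # offsets 12..29 decoy, checksum byte wrong
    'CCCC' +                            # offsets 30..33
    egg +                               # offset 34: real egg, payload at 42
    'DDDD'
end

if __FILE__ == $PROGRAM_NAME
  payload = ("\x90" * 8 + "\xcc").b    # constructed stand-in for a real stage
  mem = sample_memory(build_egg(payload, checksum: true))
  puts "without checksum: payload offset #{hunt(mem).inspect}"
  puts "with checksum:    payload offset #{hunt(mem, payload_len: payload.bytesize, checksum: true).inspect}"
end
```

Without the checksum the model lands on the decoy at offset 20 and would execute junk; with the checksum it rejects the decoy and finds the real payload at offset 42. Note that the real stub fixes the checksum length at generation time, which is why hunt takes payload_len explicitly.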