Class: Rex::Exploitation::Egghunter

Inherits:

Object

• Object
• Rex::Exploitation::Egghunter

Defined in:

lib/rex/exploitation/egghunter.rb

Overview

This class provides an interface to generating egghunters. Egghunters are used to search process address space for a known byte sequence. This is useful in situations where there is limited room for a payload when an overflow occurs, but it’s possible to stick a larger payload somewhere else in memory that may not be directly predictable.

Original implementation by skape (See www.hick.org/code/skape/papers/egghunt-shellcode.pdf)

Checksum checking implemented by dijital1/corelanc0d3r Checksum code merged to Egghunter by jduck Conversion to use Metasm by jduck Startreg code added by corelanc0d3r Added routine to disable DEP for discovered egg (for win, added by corelanc0d3r) Added support for searchforward option (true or false)

Defined Under Namespace

Modules: Linux, Windows

Instance Method Summary

• #generate(payload, badchars = '', opts = {}) ⇒ Object

  This method generates an egghunter using the derived hunter stub.

• #initialize(platform, arch = nil) ⇒ Egghunter constructor

  Creates a new egghunter instance and acquires the sub-class that should be used for generating the stub based on the supplied platform and architecture.

Constructor Details

#initialize(platform, arch = nil) ⇒ Egghunter

Creates a new egghunter instance and acquires the sub-class that should be used for generating the stub based on the supplied platform and architecture.

# File 'lib/rex/exploitation/egghunter.rb', line 327

def initialize(platform, arch = nil)
  Egghunter.constants.each { |c|
    mod = self.class.const_get(c)

    next if ((!mod.kind_of?(::Module)) or
             (!mod.const_defined?('Alias')))

    if (platform =~ /#{mod.const_get('Alias')}/i)
      self.extend(mod)

      if (arch and mod)
        mod.constants.each { |a|
          amod = mod.const_get(a)

          next if ((!amod.kind_of?(::Module)) or
                   (!amod.const_defined?('Alias')))

          if (arch =~ /#{mod.const_get(a).const_get('Alias')}/i)
            amod = mod.const_get(a)

            self.extend(amod)
          end
        }
      end
    end
  }
end

Instance Method Details

#generate(payload, badchars = '', opts = {}) ⇒ Object

This method generates an egghunter using the derived hunter stub.

# File 'lib/rex/exploitation/egghunter.rb', line 358

def generate(payload, badchars = '', opts = {})
  # set defaults if options are missing

  # NOTE: there is no guarantee this won't exist in memory, even when doubled.
  # To address this, use the checksum feature :)
  opts[:eggtag] ||= Rex::Text.rand_text(4, badchars)

  # Generate the hunter_stub portion
  return nil if ((hunter = hunter_stub(payload, badchars, opts)) == nil)

  # Generate the marker bits to be prefixed to the real payload
  egg = ''
  egg << opts[:eggtag] * 2
  egg << payload
  if opts[:checksum]
    cksum = 0
    payload.each_byte { |b|
      cksum += b
    }
    egg << [cksum & 0xff].pack('C')
  end

  return [ hunter, egg ]
end