Backflip into the stack
During my OSCE journey I came across an interesting technique to jump backwards into the very beginning of the buffer injected on the vulnerable process.
The more reliable technique to jump back is to use an egghunter. You split your shellcode into stages: in the first stage you write an egghunter shellcode that searches into the memory for the second stage payload, that it is the code you want to executed prepended by your egg.
However, under some circumstances, you may want to execute a jump back into your shellcode.
This old but gold phrack article describes some very handy assembly code snippets when writing shellcode for Microsoft Windows.
Here you can find the idea about using FPU state saving instructions to have the EIP value to be written on the stack.
Executing a “fnstenv [esp]” instruction, the result on the stack is the following.
If we want to align the information about the EIP (0x08048082 in my case) to be found at the very beginning of the stack, we kindly ask FNSTENV to start writing 12 bytes before the $ESP value, that’s the reason of “fnstenv [esp-12]”.
We than pop the stack word into ECX storing the value the EIP register has when fnstenv it was called. Then, I choose to add 9 bytes to move ECX value to the instruction right after the NOP.
In order to execute a jump, we decrement CH register (the most significant 8 bits of the CX register, the 16 bits representation of ECX. This will subtract 256 on the whole ECX value, that means this technique allow us to jump backwards in steps of 256 bytes.
See the code in action on gdb.
Today I added those two shellcodes in shellerate project.
Please note again that using egghunter is more reliable but it can take some time in order to loop into victim memory searching for the payload. Anyway, this technique can be used if you’re pretty sure about the fixed amount of space you can backward skip, e.g. it can be safetly used in a SEH overwrite exploitation.