SLAE32 - Assignment 3

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: https://www.pentesteracademy.com/course?id=3

Student ID: PA-15072

All associated code can be found here: https://github.com/pAP3R/public/tree/master/SLAE32/assignments

Egghunters! Woooo!

I love egghunters, I think they're super cool.

There's a lot of information out there on the web about egghunters, and some really good papers too (e.g. Skape). If you're totally unfamiliar and just want the tldr, here's the gist of it:

Let's say you are testing some sort of server application, maybe it's an FTP app. The application has a couple different commands that accept some input, but when you send certain data to one of the commands, the application crashes in a way that allows you to control the flow of execution. "Hooray!" you might be thinking, "Now I can send my payload!"

To your dismay, after sending payload after payload you find you can only fit a measly 40 bytes in memory through this vulnerable command, womp womp. Earlier while fuzzing, you noticed you could send arbitrarily large amounts of bytes in the other commands though, then send your payload and take control of execution. There's a high probability the other thousand \x41's you sent right before invoking the crash are hanging out in memory, though... but where? Will that even matter?

This is where an egghunter comes in. An egghunter acts as a small piece of code which searches through arbitrary memory locations for a specific, unique string we define, known as an egg. Once it locates the egg, a good egghunter will check the bytes following the intial egg for another egg. If it doesn't find the egg twice, it continues to search memory, looking for the two eggs in a row. Assuming we prepend our shellcode with our egg, if the egghunter locates two eggs, which again, are expected to be unique values, then it returns the location it found.

Now, since our shellcode is prepended with the two unique eggs, the egghunter has found our shellcode in memory, and we're free to jump to it and begin execution.

There are a few caveats though, as always. Some memory just isn't readable, meaning our application will error out, crash, whatever, if we try to read from it. Since the goal of our egghunter is to read the memory we need ways to handle those errors, meaning we acquire some sort of indicator that the memory isn't readable, then skip over those locations to memory that IS readable.

We do this in a few parts:
  1. Check for a bad memory location
  2. Increase our 'Page' size to skip that section
  3. Back to step 1 
This begs the question, how we check if the memory is readable without trying to read it, right? Super smart people have identified functions in operating systems which take very little input as functions (think: a memory address) and return a value. The functions we specifically try to use within egghunters tend to return values which we can easily infer are good or bad, e.g. a readable memory location mayreturn the location, or 0x00000000. Whereas a function we can abuse for this purpose will return an error when it encounters a bad address, such as 0xFFFFFFF2, or an 'EFAULT' error. The two most commonly used functions on linux systems appear to be:
I created two egghunters for this assignment, one for both of the above. Here's my access() egghunter:
global _start
section .text
_start:
        ; zero edx for kicks
        xor edx, edx

fix_page:
        ; This is a hacky fix for page sizes
        ; 0xfff is 4095, so we inc edx later on to avoid nulls
        ; page fix is only called if we need some gud gud memory
        or dx, 0xfff
egghunter:
        inc edx
        ; int access(const char *pathname, int mode)
        ; Give ebx an arbitrary address within the page
        lea ebx, [edx + 4]

        ; push, pop, syscall for access()
        push dword 0x21
        pop eax
        int 0x80

        ; compare access() return for errors
        ; fix the page and get to gud gud memory
        ; but only if we got bad memory (f2 = EFAULT) :[
        cmp al, 0xf2
        je fix_page

        ; if not, load our egg into eax
        mov eax, 0x41414141

        ; load the memory to scan into edi
        mov edi, edx

        ; Scan it, jump to egghunter if no match
        scasd
        jnz egghunter

        ; Do that again, just to be sure
        scasd
        jnz egghunter

        ; If we got here, it's valid!
        jmp edi
And that's the egghunter. It's 35 bytes, but it's mine! That's it for assignment three.

Popular posts from this blog

06 - How to maybe not be so bad at fuzzing, Part 2

Image
06 - Back to the Fuzzing, Part 2 This post will focus more on actual usage of different fuzzers, rather than part one which talked about fuzzing from a higher level.  I'll use the widely available  vulnserver.exe  as a target application for a bunch of examples, as there are a ton of posts out there that go over exploiting it.  I will also briefly talk about some typical fuzzing use-cases, such as HTTP requests, and how we may employ a fuzzer to assist in testing.  I'm not going to turn our crashes into exploits, that's outside of the scope of this post-- I'll just take a more in depth look at the available tools to expedite the process of locating bugs. Here's the agenda for tool usage: Python Sockets SPIKE boofuzz In part one I'll talk about some common ways to implement python sockets, such as raw sockets for a normal client / server model, fuzzing HTTP requests, and maybe a bit more if I don't get lazy half-way.  In part two I will apply
Read more

07 - Just Another OSCE Review

Image
CTP and the OSCE "The OSCE exam is really hard"                    - Everyone, probably As anyone who has attempted an OffSec certification knows, they're hard as nails.  I've taken the OSCP and now the OSCE, so I can attest to their difficulty.  I'm also not the type of person who can just "pass" these tests.  I took the OSCP multiple times, consistently overthinking the solutions to tasks that, once solved, were much simpler than I initially thought.  I also took the OSCE exam twice, with a month's separation between exams, so I'm no savant.   One of my coworkers inquired if I'd write a blog post about how I prepared, and how I went from OSCP to OSCE.  What I did, resources I used, etc.  As far as a prep guide goes, I think you'd be better off looking elsewhere.  This has a lot of info in it, but I'm not going to talk about what you should and shouldn't focus on to pass the test , that's not the point.  This p
Read more

02x01 - How to maybe not be as bad at fuzzing unknown binary protocols as you were before reading this

Image
Disclaimer:   I wrote this post a while ago, and definitely before I had enough knowledge to really share accurately.  Feel free to read on, but there's probably a lot of bad info in this. You're bad at fuzzing unknown binary protocols, huh? Yeah, well, me too.  In fact, I've only done it once, and I had an RFC to look at, so I guess it technically wasn't an 'unknown' protocol... and it was mostly a walkthrough. So, we'll go start to finish on this in a few posts, maybe. Pre-Requisites: Familiarity with debuggers, i.e. OllyDBG Immunity Familiarity with: Fuzzers (SPIKE, boofuzz, sulley, etc) scapy Python Wireshark Assembly (sorta) Stack Based Buffer Overflows SEH Exploits Virtual Machines Attacker  Kali? Windows? Whatever floats your boat. Victim x 2 Windows 7+ Note:  If you're using windows as the attacking machine, you don't need two victim machines. That's probably it? Okay, so this post is a work in pr
Read more