Class: Rex::Exploitation::Egghunter

Inherits: Object
Defined in:
lib/rex/exploitation/egghunter.rb

Overview

This class provides an interface to generating egghunters. Egghunters are used to search process address space for a known byte sequence. This is useful in situations where there is limited room for a payload when an overflow occurs, but it’s possible to stick a larger payload somewhere else in memory that may not be directly predictable.

Original implementation by skape (See www.hick.org/code/skape/papers/egghunt-shellcode.pdf)

Checksum checking implemented by dijital1/corelanc0d3r
Checksum code merged to Egghunter by jduck
Conversion to use Metasm by jduck
Startreg code added by corelanc0d3r

Defined Under Namespace

Modules: Linux, Windows
Classes: UnitTest

Instance Method Summary

Constructor Details

#initialize(platform, arch = nil) ⇒ Egghunter

Creates a new egghunter instance and acquires the sub-class that should be used for generating the stub based on the supplied platform and architecture.



# File 'lib/rex/exploitation/egghunter.rb', line 181

def initialize(platform, arch = nil)
	# Walk the namespaces defined under Egghunter (Linux, Windows, ...) and
	# mix in the one whose Alias matches the requested platform.
	Egghunter.constants.each { |c|
		mod = self.class.const_get(c)

		# Skip anything that is not a platform module carrying an Alias
		next if ((!mod.kind_of?(::Module)) or
		         (!mod.const_defined?('Alias')))

		if (platform =~ /#{mod.const_get('Alias')}/i)
			self.extend(mod)

			# Within the platform module, mix in the architecture
			# sub-module whose Alias matches the requested arch.
			if (arch and mod)
				mod.constants.each { |a|
					amod = mod.const_get(a)

					next if ((!amod.kind_of?(::Module)) or
					         (!amod.const_defined?('Alias')))

					if (arch =~ /#{amod.const_get('Alias')}/i)
						self.extend(amod)
					end
				}
			end
		end
	}
end

Instance Method Details

#generate(payload, badchars = '', opts = {}) ⇒ Object

This method generates an egghunter using the derived hunter stub.



# File 'lib/rex/exploitation/egghunter.rb', line 212

def generate(payload, badchars = '', opts = {})
	# set defaults if options are missing

	# NOTE: there is no guarantee this won't exist in memory, even when doubled.
	# To address this, use the checksum feature :)
	opts[:eggtag] ||= Rex::Text.rand_text(4, badchars)

	# Generate the hunter_stub portion
	return nil if ((hunter = hunter_stub(payload, badchars, opts)) == nil)

	# Generate the marker bits to be prefixed to the real payload
	egg = ''
	egg << opts[:eggtag] * 2
	egg << payload
	if opts[:checksum]
		cksum = 0
		payload.each_byte { |b|
			cksum += b
		}
		egg << [cksum & 0xff].pack('C')
	end

	return [ hunter, egg ]
end
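The egg layout that generate produces (tag twice, payload, optional one-byte checksum) and the false-positive problem its NOTE mentions can be shown in plain Ruby. The following is an added example, not Metasploit code: build_egg, find_egg, demo, the tag 'w00t' and the sample memory buffer are all constructed here; find_egg mirrors the search the hunter stub performs, with and without checksum verification.

```ruby
# Added example (not Metasploit code): build an egg laid out the way
# Egghunter#generate does (tag twice, payload, optional 1-byte checksum), then
# scan a constructed "memory" buffer for it the way the hunter stub does.
def build_egg(tag, payload, checksum: false)
  raise ArgumentError, 'tag must be 4 bytes' unless tag.bytesize == 4
  egg = (tag * 2).b + payload.b
  # Same checksum rule as generate: low byte of the sum of payload bytes.
  egg << [payload.each_byte.sum & 0xff].pack('C') if checksum
  egg
end

# Return the offset of the payload following the doubled tag, or nil. With
# checksum: true the candidate's payload_len bytes must sum to the stored
# checksum byte, so a stray copy of the tag elsewhere in memory is skipped.
def find_egg(memory, tag, payload_len: nil, checksum: false)
  raise ArgumentError, 'payload_len required with checksum' if checksum && payload_len.nil?
  marker = (tag * 2).b
  pos = 0
  while (idx = memory.index(marker, pos))
    start = idx + marker.bytesize
    return start unless checksum
    body   = memory.byteslice(start, payload_len)
    stored = memory.getbyte(start + payload_len)
    return start if body && body.bytesize == payload_len && stored &&
                    (body.each_byte.sum & 0xff) == stored
    pos = idx + 1
  end
  nil
end

# Constructed sample memory: a decoy copy of the doubled tag (the false positive
# the NOTE in generate warns about) sits in front of the real egg.
TAG     = 'w00t'
PAYLOAD = ("\x90" * 8 + "\xcc").b            # constructed stand-in payload
EGG     = build_egg(TAG, PAYLOAD, checksum: true)
MEMORY  = ["\x00" * 16, TAG * 2, 'JUNKJUNKJ', "\x00" * 5, EGG, "\x00" * 8].map(&:b).join

# Tag-only search stops at the decoy (offset 24); the checksummed search
# skips it and lands on the real payload (offset 46).
def demo
  { naive:   find_egg(MEMORY, TAG),
    checked: find_egg(MEMORY, TAG, payload_len: PAYLOAD.bytesize, checksum: true),
    real:    MEMORY.index(EGG) + 8 }
end

puts demo if $PROGRAM_NAME == __FILE__
```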