Introduction to Windows User Mode Exploitation pt. 5



EGGHUNTERS

KSTET



So far we know the drill: crash the application, throw 250 bytes or so at it. We can do better by analyzing the disassembled code above: it first compares a 6-byte header "`KSTET `" and then copies only 100 bytes of our input, which is later passed to `_Function2`.


Looking at `_Function2`, it seems it can only handle 72 bytes, meaning we can crash this. Let's find the offset, but first we check that we can crash it at all by sending anything over 100 bytes; I sent 253.


We proceed to look for the offset needed to control `EIP`.



So the offset is at 70. We try it out and this is the result:


and we are spot on:


Sadly we do not have enough space for a shellcode; the space after the overwrite is very limited, barely 20 bytes:





We can use the 20 bytes to create a short jump back to our 70-byte buffer, but that still isn't enough, hence egghunters. An egghunter is a first-stage shellcode that searches memory (the VAS, virtual address space) for an "egg": a unique tag prepended to the real shellcode. Egghunters also need to be robust and handle access violations, and they must be fast and small so the application does not hang.

So we can send our shellcode, 300-400 bytes or so, using a different command, e.g. `GDOG` (which accepts 1024 (0x400) bytes, as shown below).


We can then use the egghunter, sent through `KSTET`, to look for that shellcode. Let's get to work.


I will be using [this](https://github.com/ke0z/VulnServer/blob/main/EggHunterGenerator.py) script to generate the egghunter code:


We need a `JMP ESP` to land on `ESP`, which holds our `JMP -70` (this takes us back to our limited, offset-sized buffer, where we store our egghunter shellcode).


We can put a breakpoint on our `JMP ESP` to follow the progress, and to create our `JMP -70` we use Python, as shown below.



Seen below in WinDbg:

We step through the code:




Checking what we have on `ESP`: it is our `JMP -70`, i.e. `\xeb\xba\x90\x90`. This instruction jumps us back to the pushed arguments; 'offset' is where we will place our egghunter.



In my script I made a mistake by adding an extra NOP sled (not that it affects things much, but we didn't need to jump that far, i.e. 70 bytes).

We arrive at our egghunter (which has 10 NOPs in front of it) and it starts with `or dx, 0FFFh`; this is the loop that searches for our `w00tw00t` pattern.
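To make the search loop described above (and the egghunter requirements listed earlier: skip unreadable memory, look for the tag twice) visible in plain code, here is an added Python model of the hunt. It is not the post's generator or exploit script; the address-space layout, page contents and payload address are constructed for the example.

```python
# Added example: a model of the egghunter search loop. Address space, tag and
# page contents are constructed; nothing here is the post's own script.
PAGE = 0x1000                 # x86 page size, the unit the hunter steps by
TAG = b"w00t"                 # 4-byte tag from the post
EGG = TAG * 2                 # the hunter looks for the tag twice: b"w00tw00t"

def _page(data):
    """Pad or trim constructed data to exactly one page."""
    return data.ljust(PAGE, b"\x00")[:PAGE]

# Constructed address space: page base -> bytes. Gaps are unmapped memory.
# 0x00401000: the hunter itself, which holds TAG once (why the egg is TAG*2).
# 0x00601000: a GDOG-style buffer: NOP padding, the egg, then the payload.
SAMPLE_MEMORY = {
    0x00401000: _page(b"\x66\x81\xca\xff\x0f" + TAG + b"\x00" * 32),
    0x00601000: _page(b"\x90" * 100 + EGG + b"\xcc" * 300),
}
PAYLOAD_ADDR = 0x00601000 + 100 + len(EGG)   # where execution should land

def read8(memory, addr):
    """Return the 8 bytes at addr, or None if any byte is unmapped. This stands
    in for the syscall the hunter uses to probe an address without faulting."""
    out = bytearray()
    for a in range(addr, addr + 8):
        page = memory.get(a & ~(PAGE - 1))
        if page is None:
            return None
        out.append(page[a & (PAGE - 1)])
    return bytes(out)

def hunt(memory, start=0, limit=None):
    """Scan like the hunter: byte by byte across readable pages, a whole page
    at a time over unreadable ones. Returns the address right after the egg."""
    if limit is None:
        limit = max(memory) + PAGE        # stop after the last mapped page
    addr = start
    while addr < limit:
        chunk = read8(memory, addr)
        if chunk is None:
            # 'or dx, 0FFFh' then 'inc edx': jump to the next page boundary
            addr = (addr | (PAGE - 1)) + 1
            continue
        if chunk == EGG:
            return addr + len(EGG)
        addr += 1
    return None

if __name__ == "__main__":
    print(hex(hunt(SAMPLE_MEMORY)))       # 0x60106c
```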

We move on to sending our `GDOG`-based data, which can handle 1024 bytes, and test by sending 300 C's (`\x43`).


We send this just before our `KSTET`-based data. After sending it, we manually search memory for it to confirm that the data (shellcode) is indeed present.



We can then move on to creating our shellcode and try to exploit the program:



And we managed to pop calc.

We will look at egghunters with SEH support next. Thank you for hanging around. Onwards to Part 6 :) The exploit script is shared [here](https://github.com/ke0z/VulnServer/blob/main/VulnServer_EggHunter_BufferOverFlow%20No%20ASLR.py).
