Metasploit mailing list archives

Egghunter


From: tkrpata at bjs.com (Krpata, Tyler)
Date: Tue, 19 Dec 2006 11:30:27 -0500

Cool, that worked. Maybe the class could take an optional argument of
the payload you are hunting for/tagging. The class could return the
payload with the tag properly added, as well as the egghunter. If the
payload isn't included, the class would just return the egg it will be
searching for. 

One more thing that I can't quite seem to get working...once I have the
egghunter back, I need to take the additional step of encoding it to
unicode. I thought I could do something like:

payload = Rex::Encoder::Alpha2::UnicodeMixed.encode(hunter[0],"EBX",0)

but that doesn't seem to be working. Am I on the right track, or way
off?

-----Original Message-----
From: mmiller at hick.org [mailto:mmiller at hick.org]
Sent: Monday, December 18, 2006 5:41 PM
To: framework at metasploit.com
Subject: Re: [framework] Egghunter

On Mon, Dec 18, 2006 at 03:17:10PM -0500, Krpata, Tyler wrote:
Hi all,

Hope I'm not spamming the list too much with questions... I'm trying to
figure out how to properly use the Egghunter class. It looks like
generate_egghunter returns 2 items, the "tag" used to identify the
actual payload, and the code that does the hunting. As far as I can
tell, the steps are:
1. prepend the tag to my encoded payload
2. send the tag+encoded payload to target's memory
3. send the egghunter code to be executed
4. egghunter code searches process address space for tag
5. if found, encoded payload is executed

This order of events is correct.  One thing that isn't very clear is
that, as it's implemented right now, you actually need to prepend the
egg twice.  This is because the egghunter searches for two instances of
the egg appearing back to back.  This is done for a few different reasons
(such as to prevent the egghunter from accidentally finding itself).
I'm guessing this is the problem you're currently having.

Hindsight being 20/20, I think it would have been better to simply have
the egghunter class return the egg + egg rather than a single one. I'll
look into trying to improve the interface so that there's less
confusion.

If you want an example of an exploit that uses the egghunter class, take
a look at:

modules/exploits/windows/browser/ms03_020_ie_objecttype.rb
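The doubled-egg rule described in the quoted reply, as an added example that is not part of this thread or of Metasploit's Rex code: it scans a constructed memory image for two back-to-back copies of a sample 4-byte tag ("w00t", an assumed value; the real tag is whatever generate_egghunter returns) and shows that a single copy, such as the one carried inside the hunter itself, is not matched. This is the same check an analyst applies when locating an egg-tagged payload in a memory dump.

```ruby
# Constructed sample tag; stands in for the first item returned by generate_egghunter.
EGG = "w00t"

# Lay out memory the way the thread describes: egg twice, then the encoded payload.
def tag_payload(encoded_payload, egg = EGG)
  egg * 2 + encoded_payload
end

# Scan a byte string the way the hunter scans process memory: stop at the first
# offset where the egg appears twice in a row.  Returns the offset of the data
# following the doubled egg, or nil when no doubled egg is present.
def find_doubled_egg(memory, egg = EGG)
  needle = egg * 2
  idx = memory.index(needle)
  idx.nil? ? nil : idx + needle.bytesize
end

# Offsets of lone copies of the egg (not adjacent to another copy).  These are
# exactly the occurrences the doubled-egg rule skips, e.g. the hunter's own copy.
def single_egg_offsets(memory, egg = EGG)
  offsets = []
  pos = 0
  while (i = memory.index(egg, pos))
    followed = memory[i + egg.bytesize, egg.bytesize] == egg
    preceded = i >= egg.bytesize && memory[i - egg.bytesize, egg.bytesize] == egg
    offsets << i unless followed || preceded
    pos = i + 1
  end
  offsets
end

# Constructed sample data: a stand-in for hunter code that carries one copy of the
# egg, some filler, and the properly tagged (doubled-egg) payload.  Not real code.
PAYLOAD     = "PAYLOAD-BYTES"
FAKE_HUNTER = "HUNTER:" + EGG + ":END"
MEMORY      = ("\x00" * 16) + FAKE_HUNTER + ("A" * 8) + tag_payload(PAYLOAD) + ("\x00" * 4)

if __FILE__ == $0
  puts "doubled egg found, payload at offset #{find_doubled_egg(MEMORY).inspect}"
  puts "single (skipped) egg copies at offsets #{single_egg_offsets(MEMORY).inspect}"
  # A payload tagged with only one egg is never located by the hunter's rule.
  puts "single-tagged payload found? #{!find_doubled_egg(FAKE_HUNTER + EGG + PAYLOAD).nil?}"
end
```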
