Metasploit mailing list archives
Egghunter
From: tkrpata at bjs.com (Krpata, Tyler)
Date: Tue, 19 Dec 2006 11:30:27 -0500
Cool, that worked. Maybe the class could take an optional argument of the payload you are hunting for/tagging. The class could return the payload with the tag properly added, as well as the egghunter. If the payload isn't included, the class would just return the egg it will be searching for.

One more thing that I can't quite seem to get working... once I have the egghunter back, I need to take the additional step of encoding it to unicode. I thought I could do something like:

    payload = Rex::Encoder::Alpha2::UnicodeMixed.encode(hunter[0],"EBX",0)

but that doesn't seem to be working. Am I on the right track, or way off?
-----Original Message-----
From: mmiller at hick.org [mailto:mmiller at hick.org]
Sent: Monday, December 18, 2006 5:41 PM
To: framework at metasploit.com
Subject: Re: [framework] Egghunter

On Mon, Dec 18, 2006 at 03:17:10PM -0500, Krpata, Tyler wrote:
> Hi all,
>
> Hope I'm not spamming the list too much with questions... I'm trying to
> figure out how to properly use the Egghunter class. It looks like
> generate_egghunter returns 2 items, the "tag" used to identify the actual
> payload, and the code that does the hunting. As far as I can tell, the
> steps are:
>
> 1. prepend the tag to my encoded payload
> 2. send the tag+encoded payload to target's memory
> 3. send the egghunter code to be executed
> 4. egghunter code searches process address space for tag
> 5. if found, encoded payload is executed

This order of events is correct. One thing that isn't very clear is that, as it's implemented right now, you actually need to prepend the egg twice. This is because the egghunter searches for two instances of the egg appearing back to back. This is done for a few different reasons (such as to prevent the egghunter from accidentally finding itself). I'm guessing this is the problem you're currently having.

Hindsight being 20/20, I think it would have been better to simply have the egghunter class return the egg + egg rather than a single one. I'll look into trying to improve the interface so that there's less confusion.

If you want an example of an exploit that uses the egghunter class, take a look at:

modules/exploits/windows/browser/ms03_020_ie_objecttype.rb
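The following Ruby simulation of the workflow described in the thread is an added illustration, not code from Metasploit, Rex, or either poster. It models the hunter's search in plain Ruby instead of x86 shellcode, and it shows the two points made above: the hunter looks for the egg twice back to back, and a single-egg search would match the copy of the egg embedded in the hunter's own bytes. The egg value "w00t", the stand-in hunter bytes, the toy three-page address space (one page deliberately unmapped) and the page-by-page walk are all assumptions made for the example.

```ruby
# Added example (not Rex::Exploitation::Egghunter): a simulation of the
# egg-hunting workflow, to show why the egg must be prepended twice.
PAGE_SIZE = 0x1000
EGG = "w00t".b # assumed 4-byte tag; generate_egghunter picks its own

# Step 1: tag the encoded payload. The hunter searches for EGG + EGG,
# so a payload tagged with a single EGG is never found.
def tag_payload(egg, encoded_payload)
  egg * 2 + encoded_payload
end

# Stand-in for the hunter shellcode. "\xb8" is mov eax, imm32: the real
# hunter loads the egg into a register this way, so the egg appears once
# inside the hunter's own bytes. "\xff\xe7" (jmp edi) is the hunter's last
# instruction; everything else here is a stand-in, not real opcodes.
def fake_hunter(egg)
  "\xb8".b + egg + "\xff\xe7".b
end

# Steps 2 and 3: a constructed address space, page base => contents.
# nil marks an unmapped page (the real hunter gets a fault and skips it).
def build_address_space(egg, encoded_payload)
  hunter = fake_hunter(egg)
  nop = "\x90".b
  {
    0x0040_0000 => nop * 0x200 + hunter + nop * (PAGE_SIZE - 0x200 - hunter.bytesize),
    0x0040_1000 => nil,
    0x0040_2000 => "A".b * 0x300 + tag_payload(egg, encoded_payload),
  }
end

# Step 4: walk the address space page by page looking for `needle`, and
# return the address just past it (the real hunter jumps there, step 5).
def hunt(space, needle)
  space.keys.sort.each do |base|
    page = space[base]
    next if page.nil? # unmapped: skip the whole page
    off = page.index(needle)
    return base + off + needle.bytesize if off
  end
  nil
end

# Read `len` bytes at `addr` from the toy address space (nil if unmapped).
def read_bytes(space, addr, len)
  base = addr - (addr % PAGE_SIZE)
  page = space[base]
  page && page[addr - base, len]
end

if __FILE__ == $PROGRAM_NAME
  payload = "\xcc".b * 16 # constructed stand-in for the encoded payload
  space = build_address_space(EGG, payload)
  one = hunt(space, EGG)      # lands inside the hunter itself
  two = hunt(space, EGG * 2)  # lands on the payload
  printf("single egg: 0x%08x -> %s\n", one, read_bytes(space, one, 4).unpack1("H*"))
  printf("egg + egg : 0x%08x -> %s\n", two, read_bytes(space, two, 4).unpack1("H*"))
end
```

The single-egg search returns an address inside the hunter's own page, which is the "finding itself" case the reply warns about; the double-egg search returns the address of the payload. If the payload were tagged with one egg only, the double-egg search would return nothing, which matches the symptom described in the thread.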