2009
12.11

Looking at EggHunters…

Buffer overflows can be a daunting part of exploitation, almost esoteric in nature if you don’t have an idea of what’s going on in the back ground. A little while ago I posted an exercise for Easy Chat Server with a proof of concept. If you successfully accomplished the task, you may like this little entry: Egghunters.

An egghunter is a bit of code that, once executed, will search the memory for a specific string called “the egg”. Once it’s found the egg, your shellcode is then executed. Well so far it doesn’t seem to complicated does it?

So why would you want this solution to exploit a buffer overflow vulnerability? Well, once you’ve overwritten EIP and jump to your buffer where the shellcode would go. What would happen if you only had about 50 bytes of usable space? This would be a nice example of when an egghunter would be used.

The egghunter itself is about 32 bytes, the egg is 4 bytes (times 2) and then you have your shellcode. When you send your “evil buffer”, the egghunter is placed in the part of memory you overwrite. The shellcode is stuffed somewhere else, its location unknown to us. Once EIP is pointed to your buffer space, the hunter is executed and then searches the memory for your shellcode. To put it roughly, it would look like this: offset + egghunter + egg + shellcode.
As long as the egghunter fits the buffer space EIP is sending you, you’re in business.

Here’s a nice example of code using the egghunter method. It was coded by Dr_IDE (an OSCP graduate) and dookie2000ca (star quarter-back for the Edmonton Roughriders back in ’86). It’s well coded and very easy to read.
Eureka Mail BoF SEH

So let’s try and break down the above exploit shall we?
First we have the egghunter. Notice the commented part “This is the egg: w00t”
egghunter = (“\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8″
“\x77\x30\x30\x74″ # this is the egg: w00t
“\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7″)

The hunter is setup to look for the string “w00t” in memory. It loops though and compares the value to “\x77\x30\x30\x74″. It will loop until it finds the egg, break out of the loop and execute the shellcode found directly after it.

The next few parts of the file is pretty standard stuff. Return address, short jumps and nop slide… Won’t go into that, but let me direct your attention to the last part. Where the buffer is built:
sploit = (“-ERR ” + buff + retn + egghunter + nops + junk + “w00tw00t” + bindshell);
As you can see, we have our egg there. The hunter will look for 2 instances of the string “w00t” in a row, and execute the code following it.

There is one down side to using the egghunter method. It’s CPU intensive. Once the egghunter is execute it will go through the roof, and reach 100%. On the other hand, you’ll be able to send almost any sized payload.
Here’s a very interesting video showing an egghunter. It’s from Offensive-Security’s video vault.
HP NNM from Bug to 0day

I’ll try and post a video on kioptix.com showing the egghunter in action. The above video is very clear in explaining, but the video quality can be lacking at times (but not very).

EDIT:
skape’s original paper on egghunters
Link to a video of an Egghunter in action here