Egghunting

!mona egg => generates an egghunter that searches for the default tag "w00tw00t"

Idea

If we encounter a small buffer that does not have enough space to hold our shellcode (msfvenom shellcode is usually longer than 200 bytes), egghunting helps us get around this limitation: only a tiny hunter has to fit in the overflowed buffer, while the real shellcode can sit anywhere else in memory.

Egghunter

An egghunter is a small piece of shellcode (around 40 bytes) that hunts for the egg (the real shellcode) throughout the entire address space. The egg has a special marker (or tag) at its very beginning; by default this marker is w00tw00t. Why not just w00t? The repeated string (w00tw00t) adds a margin of safety in case some random bytes in memory happen to form the pattern w00t by accident. Obviously, an accidental w00tw00t is far less likely than an accidental w00t, so the hunter only stops on the real egg.
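The search the egghunter performs, and the false-positive argument for the doubled tag, modelled as an added Python example (not code from the page or from mona; MEMORY is a constructed toy address space, and PAGE_SIZE, hunt and count_key_hits are names assumed here):

```python
# Added example (not from the original page): a Python model of what the
# ~40-byte egghunter does, plus a check that shows why the tag is doubled.
# MEMORY is a constructed toy address space: page number -> page contents;
# pages that are absent stand for unmapped memory the real hunter must skip.

PAGE_SIZE = 4096
TAG = b"w00tw00t"      # mona's default egg tag
KEY = TAG[:4]          # b"w00t": the 4-byte value the hunter compares twice

MEMORY = {
    0x10: b"\x00" * 64 + b"GET /w00t HTTP/1.1\r\n" + b"\x00" * 200,  # stray "w00t"
    # 0x11 .. 0x3f: unmapped; touching them would fault without a readability check
    0x40: b"\x90" * 16 + TAG + b"<shellcode-placeholder>" + b"\x00" * 32,  # the egg
}

def count_key_hits(pages, key):
    """Count how often `key` appears in readable memory (per page, non-overlapping)."""
    return sum(data.count(key) for data in pages.values())

def hunt(pages, tag=TAG):
    """Model of the egghunter loop: walk readable pages in address order,
    look for the full 8-byte tag, and return (address just past the tag, egg bytes).
    Returns None if no egg is present. A tag straddling a page boundary is
    ignored in this toy; the real hunter checks readability page by page."""
    for page_no in sorted(pages):           # ascending addresses
        data = pages[page_no]               # only mapped pages are ever read
        idx = data.find(tag)
        if idx != -1:
            addr = page_no * PAGE_SIZE + idx + len(tag)
            return addr, data[idx + len(tag):]
    return None

if __name__ == "__main__":
    print("w00t     hits:", count_key_hits(MEMORY, KEY))   # 3: stray + the tag's two halves
    print("w00tw00t hits:", count_key_hits(MEMORY, TAG))   # 1: only the real egg
    addr, egg = hunt(MEMORY)
    print(f"egg found at {addr:#x}: {egg[:23]!r}")          # 0x40018
```

The same search is a cheap defender-side heuristic: scanning a capture or memory dump for b"w00tw00t" (or whatever custom tag an attacker might use) flags egghunter-style payloads.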

Summary

  1. Interact with the application and write a script to verify the existence of stack overflow.

  2. Fuzz the application using a cyclic pattern and find the offset to EIP.

  3. Find a JMP ESP gadget in a module loaded without protections.

  4. Find all badchars.

  5. Generate an egghunter using mona.

  6. Generate shellcode using msfvenom.

  7. Get shell or pop calc.

Payload

payload = b""
payload += nop_sled                          # lets the hunter land a little before the egg
payload += shellcode                         # the egg: the w00tw00t tag followed by the real shellcode
payload += another_nop_sled
payload += b"A" * (offset - len(payload))    # filler up to the saved return address
payload += jmp_esp                           # EIP => jmp esp (gadget address from step 3, packed little-endian)
payload += egghunter                         # ESP points here after the jump, so the hunter runs first
payload += padding
