Metasploit mailing list archives
Egghunter
From: mmiller at hick.org (mmiller at hick.org)
Date: Mon, 18 Dec 2006 14:40:58 -0800
On Mon, Dec 18, 2006 at 03:17:10PM -0500, Krpata, Tyler wrote:
> Hi all,
>
> Hope I'm not spamming the list too much with questions... I'm trying to figure out how to properly use the Egghunter class. It looks like generate_egghunter returns 2 items, the "tag" used to identify the actual payload, and the code that does the hunting. As far as I can tell, the steps are:
>
> 1. prepend the tag to my encoded payload
> 2. send the tag+encoded payload to target's memory
> 3. send the egghunter code to be executed
> 4. egghunter code searches process address space for tag
> 5. if found, encoded payload is executed
This order of events is correct. One thing that isn't very clear is that, as it's implemented right now, you actually need to prepend the egg twice. This is because the egghunter searches for two instances of the egg appearing back to back. This is done for a few different reasons (such as to prevent the egghunter from accidentally finding itself). I'm guessing this is the problem you're currently having.

Hindsight being 20/20, I think it would have been better to simply have the egghunter class return the egg + egg rather than a single one. I'll look into trying to improve the interface so that there's less confusion.

If you want an example of an exploit that uses the egghunter class, take a look at: modules/exploits/windows/browser/ms03_020_ie_objecttype.rb
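An added illustration of the double-egg point in the reply above (example code, not from the list or from Metasploit): it simulates the search rule over a constructed byte buffer, showing that a single-egg search lands on the hunter's own copy of the tag while the back-to-back search lands on the payload. The egg value, the hunter stand-in and the payload are all constructed placeholders.

```ruby
# Added example (not Metasploit code): simulates the search the egghunter
# performs so the double-egg layout is visible. The egg value, the hunter
# bytes and the payload below are all constructed placeholders.

EGG = "w00t".b   # constructed 4-byte tag; real tags come from generate_egghunter

# Layout the reply describes: the egg twice, then the encoded payload.
def build_egged_payload(egg, encoded_payload)
  egg + egg + encoded_payload
end

# Stand-in for the hunter code. Like the real hunter, it carries one copy of
# the egg (the value it compares against), so a search for a single egg would
# hit the hunter itself. The surrounding bytes are filler, not instructions.
def simulated_hunter(egg)
  ("\x90".b * 8) + egg + "\xc3".b
end

# The hunter's search rule: the first place the egg appears twice back to back.
# Returns the offset of the data right after the pair, or nil if not found.
def find_payload_offset(memory, egg)
  needle = egg + egg
  idx = memory.index(needle)
  idx && idx + needle.bytesize
end

# Naive single-egg search, kept only to show why it is not used.
def find_single_egg(memory, egg)
  memory.index(egg)
end

# Constructed process memory: hunter, some unrelated bytes, then the egged payload.
def demo_memory(payload = "PAYLOAD-PLACEHOLDER".b)
  simulated_hunter(EGG) + ("\x00".b * 32) + build_egged_payload(EGG, payload)
end

if __FILE__ == $0
  mem = demo_memory
  puts "single egg first seen at offset #{find_single_egg(mem, EGG)} (inside the hunter)"
  puts "payload found after the double egg at offset #{find_payload_offset(mem, EGG)}"
end
```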