Metasploit mailing list archives

Egghunter


From: mmiller at hick.org (mmiller at hick.org)
Date: Mon, 18 Dec 2006 14:40:58 -0800

On Mon, Dec 18, 2006 at 03:17:10PM -0500, Krpata, Tyler wrote:
> Hi all,
>
> Hope I'm not spamming the list too much with questions... I'm trying to
> figure out how to properly use the Egghunter class. It looks like
> generate_egghunter returns 2 items, the "tag" used to identify the
> actual payload, and the code that does the hunting. As far as I can
> tell, the steps are:
> 1. prepend the tag to my encoded payload
> 2. send the tag+encoded payload to target's memory
> 3. send the egghunter code to be executed
> 4. egghunter code searches process address space for tag
> 5. if found, encoded payload is executed

This order of events is correct.  One thing that isn't very clear is
that, as it's implemented right now, you actually need to prepend the
egg twice.  This is because the egghunter searches for two instances of the
egg appearing back to back.  This is done for a few different reasons
(such as to prevent the egghunter from accidentally finding itself).
I'm guessing this is the problem you're currently having.

Hindsight being 20/20, I think it would have been better to simply have
the egghunter class return the egg + egg rather than a single one.  I'll
look into trying to improve the interface so that there's less
confusion.

If you want an example of an exploit that uses the egghunter class, take
a look at:

modules/exploits/windows/browser/ms03_020_ie_objecttype.rb
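The doubled-egg rule from the reply, as an added simulation that is not Metasploit's Egghunter code nor the author's: the hunter necessarily carries one copy of the tag inside its own bytes, so a scan for a single copy can stop on the hunter itself, while a scan for two back-to-back copies only matches the staged payload. The tag "w00t", the stand-in hunter bytes, the payload contents and the flat-string memory layout are all constructed for the example.

```ruby
# Added illustration (not Rex::Exploitation::Egghunter). Memory is modelled
# as one flat byte string; the real hunter walks pages and skips unmapped
# ones, which this model leaves out.

EGG = "w00t".b  # constructed 4-byte tag, same size as the class's tag

# Stand-in for the hunter code: arbitrary filler bytes surrounding the one
# copy of the tag the hunter must carry in order to compare against it.
HUNTER = "\x01\x02\x03\x04\x05".b + EGG + "\x06\x07\x08\x09\x0a".b

# Payload staged with the tag prepended twice, as the reply prescribes.
PAYLOAD = "STAGED-PAYLOAD".b
STAGED  = EGG + EGG + PAYLOAD

# Constructed layout: filler, the hunter, more filler, the staged egg.
def build_memory
  ("A" * 64).b + HUNTER + ("B" * 128).b + STAGED + ("C" * 32).b
end

# Scan for a single egg; return the offset the hunter would jump to (just
# past the match), or nil when nothing is found.
def hunt_single(mem, egg)
  i = mem.index(egg)
  i && i + egg.bytesize
end

# Scan for the egg twice back to back; return the offset just past the pair.
def hunt_double(mem, egg)
  i = mem.index(egg + egg)
  i && i + 2 * egg.bytesize
end

# Would the bytes at the hunt result actually be the staged payload?
def lands_on_payload?(mem, offset)
  !offset.nil? && mem.byteslice(offset, PAYLOAD.bytesize) == PAYLOAD
end

if $PROGRAM_NAME == __FILE__
  mem = build_memory
  s = hunt_single(mem, EGG)
  d = hunt_double(mem, EGG)
  puts "single egg: offset #{s}, lands on payload? #{lands_on_payload?(mem, s)}"
  puts "double egg: offset #{d}, lands on payload? #{lands_on_payload?(mem, d)}"
end
```

The single-egg scan returns an offset inside the hunter's own bytes (the false positive the reply warns about); the doubled-egg scan returns the first byte of the payload.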
