From 95eab85df44aa488930cfee107086a37a31b948f Mon Sep 17 00:00:00 2001
From: sgabe
Date: Tue, 13 Jan 2015 21:31:13 +0100
Subject: [PATCH 1/4] Add support for heap-only search in regular egghunter

---
 lib/rex/exploitation/egghunter.rb | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/rex/exploitation/egghunter.rb b/lib/rex/exploitation/egghunter.rb
index 3155db3662..509837f334 100644
--- a/lib/rex/exploitation/egghunter.rb
+++ b/lib/rex/exploitation/egghunter.rb
@@ -23,6 +23,7 @@ module Exploitation
 # Startreg code added by corelanc0d3r
 # Added routine to disable DEP for discovered egg (for win, added by corelanc0d3r)
 # Added support for searchforward option (true or false)
+# Added support for heap-only search option (true or false)
 #
 ###
 class Egghunter
@@ -58,6 +59,11 @@ class Egghunter
 else
 startstub = "\n\tjmp next_addr"
 end
+ # search only in heap?
+ elsif opts[:heaponly]
+ startstub = "\n\tpush 0x30\n\tpop edx\n\tmov edx,fs:[edx]"
+ startstub << "\n\tadd dl,0x90\n\tmov edx,[edx]"
+ startstub << "\n\tmov edx,[edx]\n\tjmp next_addr"
 end
 startstub << "\n\t" if startstub.length > 0

From 3297d198f33f9c0692375e04b5c15ef14ef73b9e Mon Sep 17 00:00:00 2001
From: sgabe
Date: Fri, 16 Jan 2015 22:16:30 +0100
Subject: [PATCH 2/4] Fix search-forward option in regular egghunter

---
 lib/rex/exploitation/egghunter.rb | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/lib/rex/exploitation/egghunter.rb b/lib/rex/exploitation/egghunter.rb
index 509837f334..f842ca6941 100644
--- a/lib/rex/exploitation/egghunter.rb
+++ b/lib/rex/exploitation/egghunter.rb
@@ -23,7 +23,6 @@ module Exploitation
 # Startreg code added by corelanc0d3r
 # Added routine to disable DEP for discovered egg (for win, added by corelanc0d3r)
 # Added support for searchforward option (true or false)
-# Added support for heap-only search option (true or false)
 #
 ###
 class Egghunter
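Review bot: The `# search only in heap?` comment in the second hunk sits between the inner `end` and the new `elsif`, where a reader attaches it to the branch that just closed; it belongs under `elsif opts[:heaponly]` and should describe what the stub computes rather than restate the option name, e.g. `# heaponly: seed edx from the fs:[0x30] structure at the hard-coded 0x90 offset instead of a caller-supplied register`. Because the `elsif` extends an outer `if` whose header is outside the hunk (it looks like the `opts[:startreg]` test), passing both :startreg and :heaponly silently discards :heaponly; if that precedence is intended, state it in the method documentation, otherwise `raise ArgumentError, 'startreg and heaponly are mutually exclusive'` before the branch. The enclosing method starts and ends outside the hunk.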
@@ -71,12 +70,10 @@ class Egghunter
 flippage = "\n\tor dx,0xfff"
 edxdirection = "\n\tinc edx"
- if searchforward
- if searchforward.to_s.downcase == 'false'
- # go backwards
- flippage = "\n\txor dl,dl"
- edxdirection = "\n\tdec edx"
- end
+ if searchforward == false
+ # go backwards
+ flippage = "\n\txor dl,dl"
+ edxdirection = "\n\tdec edx"
 end
 # other vars

From 859a8978e7f2bdecdc53dc7bd3ce6989dfcc1a17 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Fri, 16 Jan 2015 19:33:19 -0600
Subject: [PATCH 3/4] Allow searchforward to be an string

---
 lib/rex/exploitation/egghunter.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/rex/exploitation/egghunter.rb b/lib/rex/exploitation/egghunter.rb
index f842ca6941..582365ef88 100644
--- a/lib/rex/exploitation/egghunter.rb
+++ b/lib/rex/exploitation/egghunter.rb
@@ -70,7 +70,7 @@ class Egghunter
 flippage = "\n\tor dx,0xfff"
 edxdirection = "\n\tinc edx"
- if searchforward == false
+ if searchforward.to_s.downcase == 'false'
 # go backwards
 flippage = "\n\txor dl,dl"
 edxdirection = "\n\tdec edx"

From a42b0954723ee08d4c78769430e3e0a70e4f2d2f Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Fri, 16 Jan 2015 19:35:57 -0600
Subject: [PATCH 4/4] Delete heaponly option

---
 lib/rex/exploitation/egghunter.rb | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/lib/rex/exploitation/egghunter.rb b/lib/rex/exploitation/egghunter.rb
index 582365ef88..079250b6bd 100644
--- a/lib/rex/exploitation/egghunter.rb
+++ b/lib/rex/exploitation/egghunter.rb
@@ -58,11 +58,6 @@ class Egghunter
 else
 startstub = "\n\tjmp next_addr"
 end
- # search only in heap?
- elsif opts[:heaponly]
- startstub = "\n\tpush 0x30\n\tpop edx\n\tmov edx,fs:[edx]"
- startstub << "\n\tadd dl,0x90\n\tmov edx,[edx]"
- startstub << "\n\tmov edx,[edx]\n\tjmp next_addr"
 end
 startstub << "\n\t" if startstub.length > 0
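Review bot: `if searchforward == false` in the [PATCH 2/4] hunk matches only the Boolean, so a caller that passes the String `'false'` — which the removed `to_s.downcase` comparison accepted — now silently gets a forward search instead of the `xor dl,dl`/`dec edx` backward variant. Dropping the redundant outer `if searchforward` wrapper is fine on its own, but the inner condition should have stayed `if searchforward.to_s.downcase == 'false'`; the [PATCH 3/4] hunk later in this series restores exactly that. The enclosing method starts and ends outside the hunk.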
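Review bot: The restored comparison `searchforward.to_s.downcase == 'false'` in the [PATCH 3/4] hunk accepts both the Boolean `false` and the String `'false'`, but nothing near it says why, and the previous commit in this series shows how easily it gets "simplified" back to `== false`. A comment above the `if`, such as `# searchforward may be a Boolean or its String form ('false'); compare the normalized String`, would pin that down, and it is worth adding that every other value — including `nil`, `'no'` and `'0'` — still means a forward search. The existing `# go backwards` comment describes only the branch body, so it does not cover this. The enclosing method starts and ends outside the hunk.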