Background

An egghunter is basically a small stub that acts as the first stage in a two-stage exploitation attempt (where the second stage is usually the malicious payload shellcode). In the first stage, the stub searches through the process VAS (Virtual Address Space) for the second-stage payload that is input/injected elsewhere in the same process memory. Once found, it transfers control to the second stage of the exploitation.

In an x86 system, the VAS is 4294967296 bytes in size, or around 4Gb. It is relatively easy to scan through the entire process VAS of 4Gb.

Now, in an x86_64 system, the VAS size is up to 16.8 million Tb (terabytes). Finding an egg within such memory is indeed like trying to find a needle in a haystack.

Question:

Does this make the egghunter exploitation technique irrelevant on an x86_64 system? It can prove very difficult to find the egg label and execute the payload without actually knowing the exact real-time location of the injected egg + payload.

Difficulties such as:

  1. searching through that much memory could take days/weeks
  2. UB when system calls are repeated for [millions x (Tb)] iterations
  3. Segfault when #2 occurs

So does an egghunter attack still make sense in a real attack on a 64-bit system, at least without knowing the exact location in memory of the injected second-stage payload?


1 Answer

It can make sense, but you have to rely on luck. So simply put, it can work, but it's not really reliable. You don't have to search through the whole address space, as only the user space is relevant (47 bits). If you want an in-depth explanation, this article experiments with this attack on a 64-bit system: https://pentesterslife.blog/2017/11/24/x64-egg-hunting-in-linux-systems/

  • Yeah, I've read that blog along with Skape's paper, and that's why a lot of examples on the web use the register RDX (which contains the address of the first-stage egghunter) to start scanning. But how would one emulate that in a real attack? It doesn't make sense unless the attacker uses reverse-engineering analysis on the vulnerable program. My solution to the problem is to either scan from 0x0 or scan from the top of the stack downwards. 47 bits is still 1.41e14 bytes to scan, and hence the question: would this even be a viable attack option for a potential hacker trying to penetrate a 64-bit system? – 0x5929 Oct 22 '18 at 23:27
  • `Bottom line: you’ll have to count on some persistence and a lot of luck for this to work in a real x64 system scenario.` It indeed doesn't work like that in a real-life scenario, because you most likely have less control over the system. That's why you have to rely on luck / external factors that might expose information regarding the location. Kinda depends on what you define as "viable". Can it work? Yes. Should it be regularly used in pentesting? Most likely no. More of a "fun thing" to do than an actual solid attack, to be honest. –  Oct 22 '18 at 23:29
  • So from a security prevention point of view, would an egghunter two-stage shellcode exploitation be one of the things that can happen in real life? – 0x5929 Oct 22 '18 at 23:42
  • It can definitely happen if someone is persistent enough. I wouldn't bet my cards on any attacker choosing this option over another, though. Why use an attack vector that largely relies on luck when there are a dozen better options? Either the attacker enjoys pulling it off or he has exhausted his options. –  Oct 22 '18 at 23:44
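As an added example (not from the thread or the linked blog), the following Python puts numbers on difficulty #1: it counts the page probes a linear walk of the 47-bit Linux x86_64 user-space range needs, parses a constructed `/proc/<pid>/maps` listing to show how few of those pages are actually mapped, and estimates wall-clock time at an assumed probe rate. The maps content and the 10M probes/s rate are assumptions, not measurements.

```python
# Work estimate for a page-granular egghunter on Linux x86_64 (added example).

PAGE = 4096
USER_SPACE_BITS = 47   # Linux x86_64 user-space addresses are 47 bits wide

# Constructed listing in /proc/<pid>/maps format; every address is invented.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/demo
00651000-00652000 r--p 00051000 08:01 1234 /usr/bin/demo
00652000-00653000 rw-p 00052000 08:01 1234 /usr/bin/demo
01a2b000-01a4c000 rw-p 00000000 00:00 0 [heap]
7f3c2e800000-7f3c2e9b5000 r-xp 00000000 08:01 5678 /usr/lib/libc.so.6
7f3c2e9b5000-7f3c2ebb4000 ---p 001b5000 08:01 5678 /usr/lib/libc.so.6
7ffd4d9c1000-7ffd4d9e2000 rw-p 00000000 00:00 0 [stack]
"""

def parse_maps(text):
    """Return (start, end, perms) for each mapping line in maps-format text."""
    regions = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        start, end = (int(x, 16) for x in fields[0].split("-"))
        regions.append((start, end, fields[1]))
    return regions

def probes_for_full_scan(bits=USER_SPACE_BITS, page=PAGE):
    """Page probes needed to walk the whole user-space range once."""
    return (1 << bits) // page

def mapped_bytes(regions, readable_only=True):
    """Bytes an egg could sit in: mapped pages, skipping ---p guard pages."""
    return sum(end - start for start, end, perms in regions
               if not readable_only or perms[0] == "r")

def scan_time_seconds(probes, probes_per_second):
    """Wall-clock estimate for one pass at an assumed probe rate."""
    return probes / probes_per_second

if __name__ == "__main__":
    regions = parse_maps(SAMPLE_MAPS)
    probes = probes_for_full_scan()
    readable = mapped_bytes(regions)
    print(f"page probes for one pass over 2^{USER_SPACE_BITS}: {probes:,}")
    print(f"readable pages in the sample process: {readable // PAGE:,} "
          f"({readable / (1 << USER_SPACE_BITS):.1e} of the range)")
    # 10M probes/s is an assumed rate, not a measurement.
    print(f"one pass at 10M probes/s: {scan_time_seconds(probes, 1e7) / 60:.0f} min")
```

Almost every probe in a blind pass lands in unmapped space, which is why the demos in the thread start from a register that already points near the egg.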