
Egg Hunting… but it’s not Easter season! - Mohamed Salah

BSides Bournemouth · 22:44 · 169 views · Published 2025-09 · Watch on YouTube
About this talk
🎤 Talk Title: Egg Hunting… but it's not Easter season!
👤 Speaker: Mohamed Salah
📝 Abstract: Tired of getting flagged while exploiting binaries in the wild? This talk explores modern egghunting techniques that go beyond outdated and legacy patterns. See how you could craft stealthy memory hunters, evade detection by advanced EDRs, and design custom payload tags. It's egg hunting, off-season and off-signature.
⚓ This talk was recorded live at BSides Bournemouth 2025 on 16th August 2025, a community-driven cybersecurity conference bringing together researchers, practitioners, and enthusiasts to share knowledge, skills, and ideas.
🌐 Learn more: https://bsides-bournemouth.org/
💼 Connect with us: https://www.linkedin.com/company/bsid...
📺 Stay tuned for more talks from the event, and don't forget to subscribe for updates!
Transcript [en]

Hi everyone, I am Mohamed Salah. I know this talk has a bit of a weird name, but I will explain that in a second. First of all I would like to introduce myself. I'm Mohamed Salah, a principal security researcher at Oracle. Obviously I'm not the football player, as many people notice. I'm basically an offensive security geek by day and I love to do some gaming at night. I also like to play CTFs when I have some time.

So why would someone hunt eggs in the cyber security field? This is a bit weird. Basically this is a term in the binary exploitation or exploit development field, for when we try to find something in memory. That's why we call it an egg. What we do is we have a marker or a stub, which is four or eight bytes in memory, when we try to do the exploit, and we do that when we have very limited space, a space restriction; we call it a limited buffer size or space restriction. So we need to put the shellcode anywhere in memory and then try to find it. The browser exploitation guys use it too, in another technique called heap spraying, where you have your exploit or your shellcode (the shellcode basically being the thing that gets executed, whether it's a reverse shell, or copying a file, or getting a reverse shell, whatever). Basically the heap spray is having memory full of NOP sleds, which is hex 0x90, and you try to find it with this egg term again; for sure you will have something called an egg hunter to find it. And last but not least, and what we'll be discussing more in this talk, it's about bypassing AV and EDR with multi-stage payloads. If you put your whole egg, or all your shellcode, at one point, the EDR will try to find it and flag it; instead you have some chunks and try to find them one by one and then concatenate them at the end. This is called a multi-stage payload, and that's how you can bypass EDRs, or the AV, or whatever security solution you're dealing with.

A little bit of a recap for who's not familiar with binary exploitation or exploit development. Basically the basic exploit has the buffer, then the instruction pointer. You overflow the application, or the executable, and try to find the instruction pointer, where you can instruct the application to do whatever you want. This is called the instruction pointer, and then you put the shellcode after that, which is basically what you need the application to execute. With the instruction pointer you can jump to ESP, which is four bytes. You need to find it in memory, and ESP is basically the execution pointer that you need to jump to to make the execution of your shellcode work. The average size for the shellcode would be from 200 to 300 or even 600 bytes, depending on the adjustments to your shellcode.

But let's see a problem here. Basically, when you fuzz the app at first, you send a whole bunch of data, like A's or whatever character. So for example you send 2,000 A bytes, but you see it's truncated after, let's say, around 100 bytes or something like that. Maybe it's the end of the memory page, maybe it gets used by some other memory, maybe it's getting detected, whatever. So this is the first problem. Someone can say, okay, there is another very logical way: put your shellcode in the buffer itself. This is another very logical way. Yes, you can put your shellcode in the buffer and jump to your shellcode instead of having it after your instruction pointer. But again we have some problems here. Problem number one: what if the buffer size itself is not enough to hold your whole shellcode? Sometimes, if you are trying to exploit something with a buffer like 128 or 256 bytes, you still don't have much space to put your whole shellcode in it. Something like this image, if you can see, it gets truncated basically after 251 bytes, where you can pop a calc maybe, but this is not actually exploitation. What will you get after popping a calc? You want actual shellcode, an actual reverse shell, to prove you have a PoC, right? Problem number two: as I said, you need a jump instruction to ESP, your execution point, so you can jump to the top of the stack to start executing your payload, but sometimes it's very restricted and you can't find a gadget even jumping to your exploit. So there is no jmp esp, for example, or call esp, or whatever; there are many ways to jump to your shellcode. And the last thing: when you are, for example, exploiting web applications, the shellcode, or your whole thing, is totally in another place. You can't control where it is. It can be unpredictable. It can be just dynamic in memory; the memory space is huge. It can be another parameter, it can be totally somewhere else.

So here come the eggs to make it happen. Basically, how it works, as you can see here, this is the memory layout: around the memory page, you put the egg stub before your shellcode, so you recognize where your shellcode is, and there's other data, then you have the buffer you control, and after the buffer you will have a little specific piece of code which is called the egg hunter. That's the one where you construct a set of assembly instructions to go back through the whole memory space to find where your egg and your shellcode are. The idea again is, wherever your shellcode is in memory, it should be found and executed.

Here's a bit of a legacy shellcode, sorry, egg hunter, and how it works. You can hear the term in Metasploit or SkyLined, the de facto one. I can go a little bit faster. Basically you have this assembly code that the egg hunter works with. You have the memory pages; you use edx to iterate over the memory pages. You move to the next memory page if you find... sorry, this is the very basic one, as I said, and it's using NtAccessCheckAndAuditAlarm, which is a system call that checks and probes every memory page, checking first if you have access to the memory page. If you have access, you will try to check all the memory and compare it with your local egg marker, which is w00t, as many of you know, which is, as I said, the de facto standard for exploits in Metasploit and many places. If it's found, as I mentioned before it's eight bytes, so it will check back whether the next four bytes are another w00t, the same egg marker. If it's the same, okay, it will jump to EDI and start the execution of your payload. If not, it will go to another memory page, just to make sure it's not just four random bytes that happen by coincidence to be the same as your egg stub.

Okay. I mentioned egg hunting, but it has types; over the ages it evolved. The first and basic one is the int 2e syscall-based one, the NT one. It's probing with two of them: one is NtDisplayString, which tries to display the string in memory and find it, and the other is NtAccessCheckAndAuditAlarm, which I showed on the last page, and it's basically doing the same. The second one is the SEH-based one, which is the exception handler in Windows. Basically, as I mentioned, it's walking the memory and checking every page, and if it's wrong it can raise an access violation and crash your code. I'm talking about the very basic ones, but if that can happen, we can do the SEH ourselves: we can do the exception handling for the memory and do it ourselves. So the SEH-based one will be evading getting crashed, or getting an access violation from the memory. And the last one is the alphanumeric or encoded one, which uses all alphanumeric bytes so as not to have some weird hex bytes that can crash the memory again. I prefer the SEH-based one myself; we'll discover why.

So, the story behind this talk. One day I was doing my gaming session at night and one of my friends came to me telling me that he was trying to do some work, and he made sure that his ROP chain was bypassing the execution policy in Windows; he even leaked the base address from ASLR, and he was doing totally fine, but still he could only get his current binary working on his debug machine, because of course we have debug machines, we test all the exploitation first on the debug machines and then we apply it on the targets. So he was getting a little bit mad, because he had everything working on the debug machine but he couldn't make it work on the target, which is the thing that makes you mad: why is it not working here? So the next day I checked the code, the code of his exploitation, and I found his ROP chain, his gadgets, working fine. Nothing looked wrong, but I checked what kind of egg hunter he was using and I found that he was using the basic egg hunter, which many people use, with the basic w00t egg, which everyone uses: if you try to craft yourself an egg hunter it will be w00t. So what I changed: I changed the whole egg hunter to SEH, the exception-handler one.

So I can do the handler for the memory pages and check for exceptions myself, and basically it was still working on the debug machine but not working on the target. So I tried something a little bit tricky. I just changed the marker to LEET, which is something different from the standard everyone uses, and surprisingly it worked. With SEH and with LEET, another marker, it's now searching for a different thing, and it worked fine, and it was actually a CVE recently, so that was huge. That's why I thought we need to talk about this. We need to let everyone know that we shouldn't be using just the de facto standard. We need to evade things in some new ways, because little things can stop you from reaching your final goal, which is exploiting something huge.

So I did some research and I found how EDR works and how it has basically evolved over time against egg hunters. The first thing, for example: it would be better to use custom or random eggs instead of having four memorable bytes, or a known word, or whatever the word; it would be better to just use any four random bytes, and I would also recommend using a brand new egg per target or per exploit, because if the EDR flags that you're searching for something, it will probably keep flagging it forever. Also, the other way is you can adjust your egg hunter to search for a different four bytes. You can just add around two or three assembly instructions, so instead of searching for the same four bytes, it will be searching for another four bytes, for example 0x12 and 0x34, and if it finds that, it would be totally different in memory and harder to get flagged. Of course, recon first. Recon would make things easier and make your life easier basically. If you know your OS version and if you know what EDR it is, you can just use indirect syscalls, because basically OS versions keep changing the syscalls over time, but anyone can find it; whatever the version, you can find your syscall number in many places actually. So if you know what OS version you're trying to exploit, you can easily use a direct syscall for it instead of just probing to find your shellcode. Also the memory page walking technique: if EDRs find that you are searching memory pages one by one, it will flag. Someone keeps checking all the memory pages of the current process one by one; it can be suspicious activity. So instead of that you can randomize your memory walking; instead of page by page you can have random numbers from one to a thousand and randomize it. Also there is custom shellcode and encoders. Many people just use msfvenom, for example, to get a Meterpreter shell or something. But if you learn how to use custom shellcode, how to create shellcode, and how to, for example, change the bad characters and adjust it, that would be a huge plus, and it would just not be signature-based anymore.

The encoders for msfvenom, like shikata_ga_nai or something like that, are definitely flagged; I would say 90% of the encoders right now can be flagged easily, so it's not a way to do your exploits right now. Fewer NOP sleds: I see that many people put a lot of NOPs before the shellcode, which is a good way to make sure your code is going to work smoothly, but still, too much sled in memory will cause a suspicious memory flag again. So try to limit the sleds as much as possible. I try to make it eight maximum, or 16, which I think works fine. And instead of using sleds you can use a mix of benign instructions, like increment ecx for example, or increment ebx, which is 0x43, like the C character; it would be increment ecx when it gets into your shellcode. And the last thing is the SEH chain, which is basically a memory linked list: if it has an exception, it will go to the next one in the TEB memory, and that would be a better idea instead of just using the direct syscalls or the int 2e way.

All right. Key takeaways: evasion is not magic; anyone can do evasion with just very small tricks. As I said, I was able to just change the stub and it exploited directly. So yeah, many people come around and say evasion is a huge invention or something, but sometimes very small techniques or very small changes make a big difference. Avoid legacies, as I mentioned; you don't need to use legacies anymore, because basically they can be good for training. Many of us trained on that, on Hack The Box or whatever platform, and it can work there, but in the real world it won't; you just find yourself, okay, I wasted my time in training but there is nothing like that in the real world. Try to think creatively. If you have something stopping you, try to change a little bit of the thing and it can work for you. Try to get out of the box, check, for example, how things are evolving, how the EDRs have been blocking your process, what's going wrong, and try to change or adjust a little bit, for example the sleds, the loading into memory, the way you write the process or allocate new memory, and it can work for you. Of course, collaboration works. I know that many cyber security people are introverts, so they try to find things themselves and won't seek any help, but a fresh pair of eyes will maybe help you, and collaboration always works, to be honest. Even for the biggest companies, when they publish research, it's teamwork; it's very rarely individual work, or it would be two or three years of work, versus one month's work or something with a team.

So this is a bonus section. I have been talking about eggs, but there are also two other techniques, if someone is aware of them. I'm not sure if I need to spoil it or not, but yes, there are the egg omelette and the egg sandwich, two different techniques. I would say maybe it's homework to search for them and find out how they work, because they work in a different way. I can give a little bit about this: the omelette scrambles the eggs and you can concatenate them somehow, and the egg sandwich, instead of having only one stub at the beginning and finding the shellcode, which sometimes gets corrupted, will have a marker at the beginning of your shellcode and a marker at the end, and when the marker matches the signature and the size, it will start executing instead of executing a corrupted shellcode.

And I think by that I made you guys hungry, so I think it's lunch time now. I'm not sure if I took too much time, and I would love to hear any questions, and here is my contact if someone would like to contact me.

>> Anyone have questions?

>> Questions for anyone?

>> Okay, I've got one. How do you decide upon a binary to begin investigating an exploit on? I understand it's probably part of your work, but how do you go and choose one? You can't just go, I think I'm going to do this one, and then just start picking it... or maybe it is like that.

>> Well, regarding work, you know what you are going to work on in your company. But if it's going to be research, it would be something, I would say, many people are looking at, something with, for example, a big user base. So if you find something in it, it will be affecting billions, I would say, for example a social media app or something like that. Otherwise, in your normal work you don't really need to research something, but if you need to seek another exploitation somewhere else, it can be a web application, or WebAssembly, or something like that you need to exploit. So it can make your target easier; even if it's not your actual work or your whole project, something helpful from another direction would help you in your work.

>> And one more as well: if people want to get into binary exploitation and related industries, are there any learning resources you'd recommend yourself?

>> The resources for Linux are huge, like pwnable.kr for example, and there are many resources on Hack The Box. But for the Windows one, I would say maybe the OSED, the exploit course for Windows. I feel that for Windows it's very rare to find the big info about it, and most of the things in Windows, for example the corporate-side applications, would be Windows and Mac for sure, but still the Windows one would be more of an area to explore, to be honest. And I think the Linux one can be found anywhere. I would say Linux is easy to approach, because I see that I would take three or four steps in Windows just to make something like red tips, for example; it would take three or four steps, a bit harder, and not many people look at the Windows stuff. Even in CTFs, if someone is getting trained, he will probably find 90% Linux exploitables. So I recommend the OSED for Windows, and for sure OSEE if you want to go further in exploits, and for Linux there are many things you can find.

>> Okay, thank you very much.

>> Thank you.

>> Anything else for anyone else?

>> Okay. So you showed us how these techniques are really useful, but do you think modern AV with AI and stuff is going to be capable of detecting the hunting techniques, or will they still be useful?

>> Yeah, it would, but after time. You know, as I said, if you try to change your exploit every time, try to change the marker, if you do a combination of all that, it won't be able to detect it the first time. But the thing is, I see many people fail the first exploit and then try again, and it will be failing forever because they didn't change anything in the exploit, which is a bit hard with AI and stuff, because it will keep tracking what you're doing. But if you change almost all the shellcode, for example, if you try to do something else, if you try to probe another memory page, try to find another memory walking technique... and also, actually, I remember something: if you know what memory region you are looking at, it will be faster to approach your exploit and the chance will be higher. Also there is TLS, thread local storage; EDR is not checking into this thing, so you can just put your egg hunter or the shellcode into that and it would work fine. But of course it's always the cat and mouse game: they find something, we evolve, and so on. Yeah, thanks all.

>> All right.

>> Thanks everyone.
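As an added example, not the speaker's code and not a real Windows egg hunter: a user-space C simulation of the two checks the talk describes, the legacy hunter's double-tag compare (accept a hit only when the 4-byte tag appears twice in a row, skip a page the probe rejects) and the egg sandwich's end-marker-plus-size validation. A callback stands in for the NtAccessCheckAndAuditAlarm page probe, the custom tag "L33T" replaces w00t, and the sandwich layout tag | tag | 32-bit length | payload | tag is an assumption of this example, not something the talk specifies. The memory region, the decoy single tag, the "unmapped" page and the placeholder payload bytes are all constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SIZE 4096u
#define REGION_PAGES 4u

/* Custom 4-byte tag standing in for the well-known "w00t" marker (assumed value). */
static const uint8_t EGG_TAG[4] = { 'L', '3', '3', 'T' };

/* Page-probe callback: 1 if the hunter may read the page, 0 if a probe would fault.
 * In a real hunter this is the NtAccessCheckAndAuditAlarm / SEH probe. */
typedef int (*page_probe_fn)(const uint8_t *region, size_t page_index);

/* Double-tag hunt: walk the region, skip pages the probe rejects, and accept a hit only
 * when the tag appears twice back to back. Returns a pointer just past the 8-byte egg,
 * or NULL if no egg is present. */
const uint8_t *hunt_egg(const uint8_t *region, size_t len, const uint8_t tag[4], page_probe_fn probe)
{
    size_t off = 0;
    while (off + 8 <= len) {
        size_t page = off / PAGE_SIZE;
        if (!probe(region, page)) {        /* unreadable page: move to the next one */
            off = (page + 1) * PAGE_SIZE;
            continue;
        }
        if (memcmp(region + off, tag, 4) == 0 && memcmp(region + off + 4, tag, 4) == 0)
            return region + off + 8;
        off++;                             /* byte step also catches unaligned eggs */
    }
    return NULL;
}

/* Egg sandwich (assumed layout): tag | tag | u32 little-endian length | payload | tag.
 * Writes it at dst and returns bytes written, or 0 if it does not fit in cap. */
size_t build_sandwich(uint8_t *dst, size_t cap, const uint8_t tag[4], const uint8_t *payload, uint32_t n)
{
    size_t need = 8 + 4 + (size_t)n + 4;
    if (need > cap) return 0;
    memcpy(dst, tag, 4);
    memcpy(dst + 4, tag, 4);
    dst[8] = n & 0xff; dst[9] = (n >> 8) & 0xff; dst[10] = (n >> 16) & 0xff; dst[11] = (n >> 24) & 0xff;
    memcpy(dst + 12, payload, n);
    memcpy(dst + 12 + n, tag, 4);
    return need;
}

/* Validate a sandwich starting right after the double tag (what hunt_egg returns).
 * Returns the payload pointer and sets *out_len, or NULL when the length would run past
 * the region or the trailing tag is missing, i.e. the payload is truncated or corrupted. */
const uint8_t *open_sandwich(const uint8_t *after_tags, const uint8_t *region_end, const uint8_t tag[4], uint32_t *out_len)
{
    if (after_tags == NULL || region_end - after_tags < 4) return NULL;
    uint32_t n = (uint32_t)after_tags[0] | (uint32_t)after_tags[1] << 8 |
                 (uint32_t)after_tags[2] << 16 | (uint32_t)after_tags[3] << 24;
    const uint8_t *payload = after_tags + 4;
    if ((size_t)(region_end - payload) < (size_t)n + 4) return NULL;
    if (memcmp(payload + n, tag, 4) != 0) return NULL;
    *out_len = n;
    return payload;
}

/* ---- constructed scenario, not real process memory ---- */
static uint8_t region[REGION_PAGES * PAGE_SIZE];
static const size_t EGG_AT = 2 * PAGE_SIZE + 512;              /* where the real egg is planted */
static int page_readable(const uint8_t *r, size_t page) { (void)r; return page != 1; } /* page 1 is "unmapped" */

/* Returns 1 if the hunter ignores the single decoy tag in page 0, never touches page 1,
 * finds the real egg in page 2 and the sandwich check returns the planted payload. */
int demo_hunt(void)
{
    static const uint8_t payload[] = { 0x41, 0x41, 0x43, 0x43, 0xcc, 0xc3 }; /* placeholder bytes, not shellcode */
    memset(region, 0x90, sizeof region);           /* NOP-like filler everywhere else */
    memcpy(region + 100, EGG_TAG, 4);              /* decoy: one copy of the tag, must be rejected */
    memcpy(region + PAGE_SIZE + 16, EGG_TAG, 4);   /* a full double tag on the unreadable page: */
    memcpy(region + PAGE_SIZE + 20, EGG_TAG, 4);   /* a hunter that ignores the probe would take it */
    if (!build_sandwich(region + EGG_AT, sizeof region - EGG_AT, EGG_TAG, payload, sizeof payload)) return 0;

    const uint8_t *hit = hunt_egg(region, sizeof region, EGG_TAG, page_readable);
    uint32_t n = 0;
    const uint8_t *p = open_sandwich(hit, region + sizeof region, EGG_TAG, &n);
    return p == region + EGG_AT + 12 && n == sizeof payload && memcmp(p, payload, n) == 0;
}

/* Same layout, but the trailing tag is clobbered: the egg is still found, the payload is refused. */
int demo_corrupt(void)
{
    if (!demo_hunt()) return 0;
    region[EGG_AT + 12 + 6] ^= 0xff;               /* first byte of the trailer */
    const uint8_t *hit = hunt_egg(region, sizeof region, EGG_TAG, page_readable);
    uint32_t n = 0;
    return hit != NULL && open_sandwich(hit, region + sizeof region, EGG_TAG, &n) == NULL;
}

int main(void)
{
    printf("egg found and validated: %d, corrupted payload rejected: %d\n", demo_hunt(), demo_corrupt());
    return 0;
}
```

The double compare is what keeps a lone coincidental tag (a string in some other allocation, a leftover from an earlier attempt) from being executed as code, and the length-plus-trailer check is the sandwich's answer to a payload that was truncated by the buffer limit. Swapping `EGG_TAG` for a fresh four-byte value per target is a one-line change here, which is the point the talk makes about not shipping w00t.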