Egg hunter is a technique used to capture larger payloads in memory by tagging the start of the shellcode with an egg. In most cases, egg hunters are used when you don’t have enough space to host your desired shellcode. In this post we’ll create an egg hunter for Linux x86_64 and couple it with
execve() shellcode for testing. Please refer to my SLAE32 series of posts for more details about egg hunting.
In efforts to experiment with skape awesome piece of shellcode, we will build a slightly different version of the egg hunter that does the following:
- No hardcoded egg marker which will effectively eliminate the need for the second egg marker check.
- Use a readable memory region as starting address which allow the exclusion of memory access check routine.
As you can see this method is indeed unreliable compared to skape’s but hey it works!
global _start _start: inc rdx ; pop valid address into rdi push rdx pop rdi push 0x30313232 ; push the marker-1 into the stack pop rax inc eax ; marker is now 0x30313233 so its not hardcoded EggHunter: inc rdi ; increment rdi by one byte cmp eax,[rdi] ; check for egg match jnz EggHunter ; if not found jump to EggHunter label inc rdi ; increment rdi pointer by 4 inc rdi inc rdi inc rdi jmp rdi ; jump to the shellcode
And as always we follow with a demo.
On behalf of all the shellcoders out there, I would like to say thank you skape for producing such an elegant shellcode that will remain glorious for years to come. All of the above code are available on my github. Feel free to contact me for questions via Twitter @ihack4falafel.
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certiﬁcation:
Student ID: SLAE64–1579