An egg hunter is a technique used to reach a larger payload in memory by tagging the start of the shellcode with an egg (a short, unique marker). In most cases, egg hunters are used when you don’t have enough space to host your desired shellcode. In this post we’ll create an egg hunter for Linux x86_64 and couple it with execve() shellcode for testing. Please refer to my SLAE32 post for more details about egg hunting.
In an effort to experiment with skape’s awesome piece of shellcode, we will create a slightly different version of the egg hunter that does the following:
- No hardcoded egg marker: the hunter stores marker-1 and increments it at run time, so the egg bytes never appear in the hunter itself and the second egg marker check becomes unnecessary.
- Use a readable memory region as the starting address, which allows the memory access check routine to be left out.
As you can see, this method is indeed unsafe compared to skape’s, but hey, it works!
global _start
section .text
_start:
    pop rdi             ; pop a valid (readable) address off the stack into rdi
    push 0x30313232     ; push the marker-1 onto the stack
    pop rax             ; pop marker-1 into rax
    inc eax             ; marker is now 0x30313233, so it is never hardcoded in the hunter
EggHunter:
    inc rdi             ; advance rdi by one byte
    cmp eax, [rdi]      ; check for egg match
    jnz EggHunter       ; if not found, jump back to the EggHunter label
    add rdi, 4          ; skip past the 4-byte egg
    jmp rdi             ; jump to the shellcode
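To make the search loop easier to reason about, here is a C model of the same hunt, written as an added example for this post (it is not the post’s own code or skape’s). It runs over a constructed in-memory image: filler bytes, a copy of the hunter’s own marker-1 immediate (which must not match), then the egg followed by a fake payload. The marker value 0x30313233, the offsets and the filler byte are assumptions chosen for the demo. Unlike the assembly, the model is bounded by a length instead of trusting that everything above the start address is readable, which is exactly the check the hunter above skips.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The hunter never stores the egg itself: it embeds egg-1 and increments it
 * at run time, mirroring "push 0x30313232 / pop rax / inc eax". */
#define EGG_MINUS_ONE 0x30313232u

/* Build the egg at run time from egg-1 (the "inc eax" trick). */
uint32_t build_egg(void) {
    uint32_t eax = EGG_MINUS_ONE;
    eax += 1;
    return eax;  /* 0x30313233 */
}

/* Read a little-endian dword at p, as "cmp eax, [rdi]" does. */
static uint32_t load_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void store_le32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)(v & 0xff);
    p[1] = (unsigned char)((v >> 8) & 0xff);
    p[2] = (unsigned char)((v >> 16) & 0xff);
    p[3] = (unsigned char)((v >> 24) & 0xff);
}

/* Walk the region one byte at a time (the "inc rdi" loop) and return the
 * offset just past the first egg (the "add rdi, 4" step), or -1 if the
 * region ends without a match. The len bound is what the real hunter lacks. */
long egg_hunt(const unsigned char *region, size_t len, uint32_t egg) {
    for (size_t off = 0; off + 4 <= len; off++) {
        if (load_le32(region + off) == egg)
            return (long)(off + 4);
    }
    return -1;
}

/* Constructed memory image (assumed layout for the demo):
 *   offset  8: the hunter's own immediate, egg-1  -> must not match
 *   offset 40: the egg                            -> match, payload at 44
 * Returns the offset where the egg was placed. */
size_t build_region(unsigned char *region, size_t len) {
    const size_t egg_off = 40;
    memset(region, 0x90, len);               /* filler bytes */
    store_le32(region + 8, EGG_MINUS_ONE);   /* hunter's marker-1 immediate */
    store_le32(region + egg_off, build_egg());
    memcpy(region + egg_off + 4, "PAYLOAD", 7);
    return egg_off;
}

/* Build a 64-byte image and hunt through its first scan_len bytes.
 * Returns the payload offset (44) when the egg is inside the scanned range,
 * -1 when the bounded scan stops before reaching it. */
long run_demo(size_t scan_len) {
    unsigned char region[64];
    build_region(region, sizeof region);
    if (scan_len > sizeof region)
        scan_len = sizeof region;
    return egg_hunt(region, scan_len, build_egg());
}

int main(void) {
    printf("egg built at run time: 0x%08x\n", build_egg());
    printf("payload offset (full scan): %ld\n", run_demo(64));
    printf("payload offset (scan stops early): %ld\n", run_demo(40));
    return 0;
}
```

The marker-1 copy at offset 8 is skipped, the egg at offset 40 is found and the returned offset 44 points at the payload bytes; shortening the scan to 40 bytes returns -1 instead of running off the end, which is the behaviour the assembly version gives up by omitting the memory access check.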
And as always we follow with a demo.
On behalf of all the shellcoders out there, I would like to say thank you skape for producing such an elegant shellcode that will remain glorious for years to come. All of the above code is available on my github. Feel free to contact me with questions using the comment section below or just tweet me @ihack4falafel.
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
Student ID: SLAE64 – 1579