Egg Hunter | Linux x86_64


An egg hunter is a small piece of shellcode that locates a larger payload in memory by scanning for a tag (the egg) placed immediately before it. It is used when the space you control at the point of exploitation is too small to hold the shellcode you actually want to run, so you plant a tiny hunter there and the real payload somewhere else. In this post we'll build an egg hunter for Linux x86_64 and pair it with an execve() shellcode for testing. See my SLAE32 egg hunter post for more background on the technique.


To experiment with skape's excellent egg hunter shellcode, we'll write a slightly different version that:

  • Does not hardcode the egg in the hunter itself. skape's hunter carries the 4-byte egg as an immediate, so a naive scan would first hit the hunter's own copy; that is why his egg is written twice in front of the payload and the hunter checks for both copies. With the egg supplied at runtime rather than embedded in the code, a single marker check is enough.
  • Starts the scan from a memory region that is known to be readable, which lets us drop the per-page memory access check (the syscall probe that skape's hunter runs before touching each page).

As you can see this method is indeed unsafe compared to skape's: if the scan walks off the readable region into an unmapped page, the process takes a SIGSEGV instead of finding the egg. But hey, it works!

And as always we follow with a demo.

Closing Thoughts

On behalf of all the shellcoders out there, I would like to say thank you skape for producing such an elegant shellcode that will remain glorious for years to come. All of the above code is available on my GitHub. Feel free to contact me with questions using the comment section below or just tweet me @ihack4falafel.

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

Student ID: SLAE64 – 1579
