Ready for the next level? – Method to exploit software even with small space for shellcode: EggHunting

The third task was: Build an eggHunter-shellcode and a PoC to check functionality. After some googling I found a very interesting paper, which explains eggHunting in general and shows 6 implementations (3x Linux / 3x Windows).
I chose the sigaction method, which is smaller, faster and more robust than the other two. The code searches through memory until it finds my egg (0x50905090, stored twice back-to-back) and then jumps to the position of my evilPayload.

To check that my eggHunter works, I wrote a little C program that copies some shellcode into memory. First the payload shellcode, preceded by the two eggs, is copied into memory. After that the eggHunter shellcode is loaded and executed.
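The search described in the two paragraphs above, as an added C example that is neither the author's eggHunter assembly nor their C harness: it pins down the exact byte run the hunter has to find (the dword 0x50905090 twice, laid out little-endian in memory), shows that a single egg is skipped, and the same comparison serves a defender scanning a captured buffer or memory dump for the tag. The sample buffer and its stand-in payload bytes are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The tag the hunter searches for is the dword 0x50905090 repeated twice.
 * An x86 hunter compares dwords in little-endian memory, so the eight bytes
 * it expects back-to-back are: 90 50 90 50 90 50 90 50.
 * (0x90 is nop and 0x50 is push eax, so the tag itself is executable.) */
static const unsigned char egg_tag[8] = {
    0x90, 0x50, 0x90, 0x50, 0x90, 0x50, 0x90, 0x50
};

/* Constructed sample mirroring the harness layout: filler, a single (decoy)
 * egg that must NOT match, the doubled egg, then a stand-in payload
 * (int3 bytes). A real harness would place executable code here. */
static const unsigned char sample[] = {
    0x41, 0x41, 0x41, 0x41,                          /* filler           */
    0x90, 0x50, 0x90, 0x50,                          /* one egg only     */
    0x42, 0x42,                                      /* more filler      */
    0x90, 0x50, 0x90, 0x50, 0x90, 0x50, 0x90, 0x50,  /* doubled egg      */
    0xCC, 0xCC, 0xCC                                 /* stand-in payload */
};

/* Offset of the first byte after the doubled egg, i.e. where the hunter
 * would transfer control; -1 if the buffer holds no doubled egg. */
long find_payload_after_egg(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i + sizeof egg_tag <= len; i++)
        if (memcmp(buf + i, egg_tag, sizeof egg_tag) == 0)
            return (long)(i + sizeof egg_tag);
    return -1;
}

/* Detection-side view: how many doubled egg tags a captured buffer or
 * memory dump contains (non-overlapping matches). */
size_t count_egg_tags(const unsigned char *buf, size_t len)
{
    size_t n = 0, i = 0;
    while (i + sizeof egg_tag <= len) {
        if (memcmp(buf + i, egg_tag, sizeof egg_tag) == 0) {
            n++;
            i += sizeof egg_tag;   /* skip past the match */
        } else {
            i++;
        }
    }
    return n;
}

int main(void)
{
    long off = find_payload_after_egg(sample, sizeof sample);
    printf("payload starts at offset %ld, %zu tag(s) found\n",
           off, count_egg_tags(sample, sizeof sample));
    return off == 18 ? 0 : 1;
}
```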

In this case I use a simple helloWorld payload:

It works!


This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

Student ID: SLAE-1036