SLAE Assignment #3 | x86 EggHunting

9. October 2017

Ready for the next level? – Method to exploit software even with small space for shellcode: EggHunting

The third task was: Build an eggHunter shellcode and a PoC to check functionality. After some googling i found a very interesting paper, which explains eggHunting in general and shows 6 implementations (3x Linux/ 3x Windows).
I chose the sigaction method, which is smaller, faster and more robust than the other two ones. The code is searching through the memory until it identifies my Egg (two times behind each other: 0x50905090) and then jumps to the position of my evilPayload.

To check the functionality of my eggHunter, i wrote a little c-program, which copies some shellcode into memory. First the shellcode for my payload and two EGGs are copied into memory. After that the eggHunter-shellcode is loaded and executed.

I this case i use a simple helloWordPayload:

It work’s!


This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

Student ID: SLAE-1036

Similar posts

After gaining my OSCP in June I decided to go deeper into exploitDev and shellcoding. And here we are, this [...]

9. October 2017

Welcome back to my second post for the SLAE certification. Today we are going to build a reverse_shell shellcode and [...]

9. October 2017

Hey ho, it’s time for some low-level shellcode encoding. After going through the encoder examples of the SLAE material I [...]

9. October 2017

Got time to read? This tasks was a bigger one. We have to pick 3 random metasploit payloads and analyze [...]

9. October 2017