SLAE64: Assignment 3 – Egg Hunter

This is the third assignment for the SecurityTube Linux Assembly Expert certification. It consists of a demonstration of my own implementation of an Egg Hunter that works with different payloads.

An Egg Hunter is a small piece of code that searches memory for a specific pattern, called the ‘egg’, in order to find its address. The egg is placed immediately before a second injected payload containing the actual shellcode, so once the hunter finds the egg it jumps to the bytes that follow it.

I’ve assumed the payload is injected somewhere at a higher address within the same code segment as the egg hunter, so the search only ever moves forward and never leaves the mapping the hunter is running in.

Since this is x64, I’ve chosen to use RIP-relative addressing instead of the traditional JMP/CALL/POP technique for obtaining the address at which to start the pattern search.

For this example the ‘egg’ is the ascii string ‘SLAE’.

This code assembles to a 21-byte shellcode, which is pretty acceptable in my opinion.
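To make the search loop concrete, here is an added C model of the hunter described above. It is not the author’s assembly or the C harness from the post; the names hunt_egg, find_payload_offset, the region layout and the placeholder payload bytes are all assumptions made for this example, and the “payload” is only located, never executed. The memory image is constructed inline and stands in for the code segment: the hunter itself sits at the bottom, and the egg plus payload sit at a higher address, matching the assumption in the text. It also shows the one pitfall worth checking in any hunter that embeds the egg as an immediate: if the scan starts at the hunter’s own first byte, the first match is the hunter’s own copy of the egg, so the RIP-relative start address must point past the hunter.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* The egg from the post: 4 ASCII bytes, compared as one little-endian dword
 * exactly like `cmp dword [rdi], eax` would. */
#define EGG "SLAE"

/* Scan forward from `start`, one byte at a time, for the 4-byte egg.
 * Returns a pointer to the first byte after the egg (where the payload
 * begins), or NULL if the egg is not found within `limit` bytes.
 * The real hunter has no bound; it relies on the payload sitting at a
 * higher address in the same mapping so the scan never faults. */
static const uint8_t *hunt_egg(const uint8_t *start, size_t limit, const char *egg)
{
    uint32_t want, have;
    memcpy(&want, egg, sizeof want);
    for (size_t off = 0; off + sizeof have <= limit; off++) {
        memcpy(&have, start + off, sizeof have); /* unaligned-safe 4-byte load */
        if (have == want)
            return start + off + sizeof have;
    }
    return NULL;
}

/* Constructed memory image standing in for the code segment (assumption):
 *   [0..15]   the hunter itself, which embeds its own copy of the egg
 *   [16..63]  filler
 *   [64..67]  the egg placed in front of the payload
 *   [68..71]  the payload (placeholder bytes, never executed here) */
enum { REGION_SIZE = 128, HUNTER_SIZE = 16, EGG_OFFSET = 64 };
static const uint8_t PAYLOAD[] = { 0x90, 0x90, 0x90, 0xcc };

static void build_region(uint8_t *region)
{
    memset(region, 0x00, REGION_SIZE);
    memset(region, 0x48, HUNTER_SIZE);       /* opcode-looking bytes for the hunter */
    memcpy(region + 5, EGG, 4);              /* e.g. the imm32 of `mov eax, 'SLAE'` */
    memcpy(region + EGG_OFFSET, EGG, 4);     /* the real egg ... */
    memcpy(region + EGG_OFFSET + 4, PAYLOAD, sizeof PAYLOAD); /* ... and its payload */
}

/* Return the offset (from the start of the region) the hunter would jump to
 * when the scan starts at `scan_from`, or -1 if no egg is found. */
static long find_payload_offset(size_t scan_from)
{
    uint8_t region[REGION_SIZE];
    build_region(region);
    const uint8_t *hit = hunt_egg(region + scan_from, REGION_SIZE - scan_from, EGG);
    return hit ? (long)(hit - region) : -1;
}

int main(void)
{
    /* Starting at the hunter's own first byte matches the hunter's embedded
     * copy of the egg: a false positive pointing into the hunter (offset 9). */
    printf("scan from hunter start -> jump to offset %ld\n", find_payload_offset(0));
    /* Starting just past the hunter (what a RIP-relative lea to the hunter's
     * end gives you) finds the real egg and lands on the payload (offset 68). */
    printf("scan from hunter end   -> jump to offset %ld\n", find_payload_offset(HUNTER_SIZE));
    return 0;
}
```

In the real shellcode the returned address is simply jumped to; a harness like the one the post describes would instead copy egg and payload into an executable buffer and call the hunter. The point the model makes is that the start address matters: compute it RIP-relative to the end of the hunter (or otherwise keep the literal egg out of the scanned range), or the hunter will find itself before it finds the payload.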

In order to properly test this egg hunter with various payloads I’ve created the C program below.

You can switch the payload between the bind shell (assignment #1) and the reverse shell (assignment #2) by changing the value of PAYLOAD and recompiling.

It’s also possible to use a different ‘egg’ value, as long as it is exactly 4 bytes long, by changing the definition of EGG and recompiling.

There are other possibilities for creating the egg hunter; for instance, one could assume the payload has been injected onto the stack and search for the ‘egg’ there instead. I might still post such a version in the future if I have the time.

All code is available from my Github repo.

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert Certification.

Student ID: SLAE64-1440
