The purpose of this assignment was to learn about “egghunters”, or shellcode that is written to search the memory space for an “egg” pattern. This “egg” is used to locate the rest of the shellcode that has been staged for execution in that portion of memory.
I started my research for this assignment by reading the paper written by skape on the subject, which is probably one of the most referenced documents on the subject. He explains three different methods for Linux, two of which use the access() syscall, and the third which uses the sigaction() syscall. In my working demo, I use one of the access() syscall methods, but added an instruction to ensure the direction flag is cleared at the beginning to ensure expected behavior with the scasd instruction.
I modified my Python program to take an argument for the egg value, and when it completes it outputs the entire skeleton C program to compile and run as a working demonstration of the egghunter. The egg value is stored in a payload variable with the shellcode immediately following. The egghunter shellcode is stored in the code variable as seen below:
In the example used here, the payload creates a reverse shell to port 7777 where the attacker machine is listening for connections:
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
Student ID: SLAE-860