This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

Student ID: SLAE-1290


The scope of the assignment is to study the egghunter shellcode and to create a working demo in which the payload is easily configurable.

Searching around on the internet I discovered that the best paper describing the matter is the one from ->

So what is an egghunter shellcode?

The paper describes the process of searching the Virtual Address Space of a program and mentions that it is extremely useful in exploitation. In fact, some exploit vectors (for example, buffer overflows) do not allow much payload data to be used, so the shellcode size is very limited. In these circumstances, an attacker exploits the vulnerability in two different stages: the first stage searches for the effective payload (the second stage), which is located somewhere in memory.

In the paper, there are three different implementations of an egghunter shellcode. I decided to focus on the last one, based on the sigaction syscall. This implementation allows multiple addresses to be validated at the same time, and the sigaction call serves to detect the EFAULT error that occurs when an invalid address is accessed. Here is my implementation of the egghunter shellcode.

Adding the egg placeholder (0x50905090) to the execve shellcode will allow us to test it together with the egg shellcode in our shellcode template C program.

Where the EGG placeholder and the main shellcode are easily configurable.
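From the detection side, the staging described above leaves a recognisable artefact: the 4-byte tag placed in front of the second stage. The C scanner below is an added example, not code from the original post; it assumes the tag is stored twice back-to-back, as the sigaction-based hunter in the referenced paper expects, and `find_doubled_tag` and `SAMPLE` are names invented here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Egg value from the post; little-endian x86 stores it as 90 50 90 50. */
#define EGG 0x50905090u

/* Constructed sample: filler, zero padding, doubled tag, inert INT3 bytes. */
static const uint8_t SAMPLE[] = {
    0x41, 0x41, 0x41, 0x41, 0x41,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x90, 0x50, 0x90, 0x50, 0x90, 0x50, 0x90, 0x50,
    0xCC, 0xCC, 0xCC, 0xCC
};

/* Return the offset of the first 4-byte tag that is immediately repeated,
 * or -1 if none. want != 0: match only that tag. want == 0: match any
 * repeated dword except single-byte fills (00 00 00 00, 90 90 90 90, ...),
 * which are ordinary padding. *tag_out receives the tag that matched. */
long find_doubled_tag(const uint8_t *buf, size_t len, uint32_t want,
                      uint32_t *tag_out)
{
    for (size_t i = 0; i + 8 <= len; i++) {
        const uint8_t *p = buf + i;
        if (memcmp(p, p + 4, 4) != 0)
            continue;
        uint32_t tag = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
        int fill = p[0] == p[1] && p[1] == p[2] && p[2] == p[3];
        if (want ? tag != want : fill)
            continue;
        if (tag_out)
            *tag_out = tag;
        return (long)i;
    }
    return -1;
}

int main(void)
{
    uint32_t tag = 0;
    long off = find_doubled_tag(SAMPLE, sizeof SAMPLE, 0, &tag);
    printf("generic scan: offset %ld, tag 0x%08x\n", off, (unsigned)tag);
    printf("known egg:    offset %ld\n",
           find_doubled_tag(SAMPLE, sizeof SAMPLE, EGG, NULL));
    return 0;
}
```

The generic mode (`want == 0`) is a heuristic: any data with a repeating 4-byte pattern will match, so hits are candidates for review rather than verdicts.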

Dirty+Small+Slow version:

Featured on Exploit-DB:

I have successfully shrunk the egg shellcode down to 27 bytes by removing the page alignment instruction. However, this version of the egg shellcode is very slow (up to 2-3 minutes) and a bit dirty, but under extreme size constraints it could be useful.



