SLAE64 #3 - Egghunter shellcode

As usual, I will only be touching on interesting or unique points in the shellcode.

  1. Lines 25/26: To avoid the egg itself appearing in memory as part of the hunter, 0x5090508f is moved into eax and incremented at run time to produce 0x50905090.
  2. Line 27: repne scasd compares the dword at [rdi] with eax and advances rdi by 4 automatically, which is shorter than a manual compare-and-increment loop. The caveat is that it only checks at 4-byte boundaries, so the egg has to be padded onto a 4-byte boundary. For actual use, you might have to seed memory with several copies of the shellcode, each with a different amount of padding prepended.
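To make the two points above concrete, here is a C model of the hunter (an added example, not code from the post): page_is_mapped is the access(2) probe from check_access, scan_aligned is the 4-byte-stride search that repne scasd performs, scan_bytewise is what a byte-granular search would find instead, and padding_needed computes the NOP padding the post prepends. The function names, the sample buffer and the demo_* helpers are my own constructions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constant stored in the hunter (line 25 of the listing); the real egg is seed + 1. */
#define EGG_SEED 0x5090508fu

/* Mirror of lines 25/26: derive the egg at run time so the 4-byte
   signature 0x50905090 never appears verbatim in the hunter's own bytes. */
uint32_t egg_value(void) {
    return EGG_SEED + 1;              /* 0x50905090 == bytes 90 50 90 50 */
}

/* Mirror of check_access: access(2) fails with EFAULT when the pathname
   pointer lies in unmapped memory. Any other outcome (0, ENOENT, ...)
   means the kernel could read the page, so the hunter may scan it. */
int page_is_mapped(const void *p) {
    if (access((const char *)p, F_OK) == -1 && errno == EFAULT)
        return 0;
    return 1;
}

/* Mirror of repne scasd (line 27): compare one dword at a time and advance
   by 4, so an egg that does not start on a 4-byte boundary is skipped over.
   Returns the offset just past the egg (where jmp rdi lands), or -1. */
long scan_aligned(const uint8_t *buf, size_t len) {
    uint32_t egg = egg_value();
    for (size_t off = 0; off + 4 <= len; off += 4) {
        uint32_t w;
        memcpy(&w, buf + off, 4);     /* little-endian load, as scasd does */
        if (w == egg)
            return (long)(off + 4);
    }
    return -1;
}

/* Byte-granular search for comparison: finds the egg at any offset. */
long scan_bytewise(const uint8_t *buf, size_t len) {
    uint32_t egg = egg_value();
    for (size_t off = 0; off + 4 <= len; off++) {
        uint32_t w;
        memcpy(&w, buf + off, 4);
        if (w == egg)
            return (long)(off + 4);
    }
    return -1;
}

/* NOP bytes to prepend so that an egg currently at offset 'off' lands on a
   4-byte boundary (3 for offset 5, like the post's three-byte _padding). */
size_t padding_needed(size_t off) {
    return (4 - off % 4) % 4;
}

/* Constructed sample buffer (not from the post): 'A' filler, the egg at
   egg_off, then zeros. Returns 0 on success, -1 if the egg does not fit. */
int build_sample(uint8_t *buf, size_t len, size_t egg_off) {
    if (egg_off + 4 > len)
        return -1;
    memset(buf, 0, len);
    memset(buf, 'A', egg_off);
    memcpy(buf + egg_off, "\x90\x50\x90\x50", 4);
    return 0;
}

/* Build the sample with the egg at egg_off and scan it either with the
   4-byte stride (aligned != 0) or byte by byte. -2 means the egg did not fit. */
long demo_scan(size_t egg_off, int aligned) {
    uint8_t buf[32];
    if (build_sample(buf, sizeof buf, egg_off) != 0)
        return -2;
    return aligned ? scan_aligned(buf, sizeof buf) : scan_bytewise(buf, sizeof buf);
}

/* Probe one anonymous page before and after unmapping it. Returns 2 when
   both observations match the hunter's assumption (mapped, then EFAULT). */
int demo_probe(void) {
    size_t pg = 0x1000;               /* the hunter hard-codes 0x1000 (mov dh, 0x10) */
    void *p = mmap(NULL, pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    int before = page_is_mapped(p);   /* zero-filled page: "" -> ENOENT, so mapped */
    munmap(p, pg);
    int after = page_is_mapped(p);    /* now unmapped: EFAULT */
    return before + (after == 0);
}

int main(void) {
    printf("egg at 5: aligned=%ld bytewise=%ld pad=%zu\n",
           demo_scan(5, 1), demo_scan(5, 0), padding_needed(5));
    printf("egg at 8: aligned=%ld\n", demo_scan(8, 1));
    printf("page probe: %d (2 = as expected)\n", demo_probe());
    return 0;
}
```

With the egg at offset 5 the aligned scan never sees it and the byte-wise scan reports offset 9; prepending the three bytes that padding_needed(5) returns moves the egg to offset 8, where the aligned scan lands on it and returns 12, which is exactly why the listing carries a three-byte _padding in front of _egg.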

Egghunter.

 1  global _start
 2  section .text
 3
 4  _start:
 5      xor rdx, rdx
 6      mov dh, 0x10            ; rdx = 0x1000 (page size)
 7      xor rdi, rdi            ; rdi = address being probed, starting at 0
 8      xor rsi, rsi            ; rsi = 0 = F_OK mode for access(2)
 9
10
11  check_access:
12      xor rax, rax
13      mov al, 0x15            ; access(2), syscall 21 on x86-64
14      syscall
15      cmp al, -14             ; -EFAULT: the page is not mapped
16      jne short finding_egg
17      inc rdi
18      jmp short check_access
19
20
21  finding_egg:
22      xor rcx, rcx
23      mov cl, 0x4
24      shl rcx, 8              ; rcx = 0x400 dwords = one 0x1000-byte page
25      mov eax, 0x5090508f
26      inc eax                 ; eax = 0x50905090; the egg itself is never present in the hunter
27      repne scasd             ; compare [rdi] with eax, rdi += 4, until a match or rcx = 0
28      jne short check_access  ; not found within this page, go back to checking access
29
30
31  found:
32      jmp rdi                 ; rdi already points just past the egg
33
34
35  section .data
36      _padding: db 0x90, 0x90, 0x90 ; padding to align the egg to a 4-byte boundary
37      _egg: db 0x90, 0x50, 0x90, 0x50, 0x48, 0x31, 0xc9, 0x48, 0xf7, 0xe1, 0x50, 0x5f, 0xff, 0xc0, 0x48, 0x83, 0xc2, 0x08, 0x68, 0x4f, 0x4b, 0x20, 0x0a, 0x48, 0x89, 0xe6, 0x0f, 0x05, 0x6a, 0x3c, 0x58, 0x0f, 0x05

This blog post has (not) been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

Student ID: SLAE64-XXXXX