SLAEx86 : Egg Hunter Shellcode

Egg Hunter is a technique that is used to run shellcode when the buffer space is too small to accommodate the shellcode.

So the concept of egg hunter is to put a unique string in the memory also known as "TAG" or "EGG" and we will search for the occurrence of this tag and just next to the tag we will put the shellcode. The egg hunter payload ( which is smaller in size compared to the payload ) will search for the tag and once it finds the tag, its control will jump to that location and thus execute the payload in the process

Algorithm for implementation

start()
     STEP 1 : store unique string in EBX
     STEP 2 : align() address and update in EDX
     STEP 3 : increase_address()
     STEP 4 : check_if_efault_occurred_while_accessing_the_memory()
                     if yes:
                              GOTO STEP 2
                   else:
                             STEP 5 : check if the memory location has the TAG value()
                                           if no:
                                                         GOTO STEP 3
                                           if yes:
                                                        check if next memory location has TAG value():
                                                        if yes:
                                                                 JUMP at that location
                                                        if no:
                                                                 STEP 3
                               
We need to ensure that whenever we are putting the shellcode inside the egghunter wrapper, we need to put the EGG / TAG twice in the shellcode.

Generated by r2
[0x08048060]> agfd _start > egghunter.dot
=> dot egghunter.dot -Tpng -o egghunter.png



C Wrapper

I have written a detailed post on how we can use this method to exploit a scenario when the buffer space is small.

Details can be found here : https://oxhat.blogspot.com/2018/04/why-do-we-need-egg-hunters.html

This blog post has been created for completing the requirements of SecurityTube Linux Assembly Expert Certification:
http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: PA-1191