On Eggs and Egg-hunters (Linux/x64)


Eggs? Hunting? What are we talking about?

In exploit development, an Egg is a full shellcode payload that usually starts with a nop sled. The start of the payload (usually the nop sled) carries a particular signature that we use to identify where our shellcode was placed in memory. Sometimes you can’t know beforehand where your shellcode is going to end up in memory, so you use the egg’s signature (usually the first 8 bytes of the payload) to find its exact location.


Anatomy of an egg-hunter


1- It should be robust

It should be able to step into invalid memory regions without crashing the application. Therefore, it must somehow handle the dereference of invalid addresses and the faults that occur when, for example, it tries to read from a privileged or otherwise inaccessible memory region.

2- It should be small

The main purpose of an egg-hunter is to fit where no other payload could. If we could fit our regular shell payload, why would we need this at all? So, naturally, size is one of the most important aspects of an egg-hunter.

3- It should be fast

Waiting several minutes while the egg-hunter searches for the payload would be a pain. This is certainly not the most important property of an egg-hunter, though, as we (as a general rule) don’t want to sacrifice robustness or size in order to make it faster.

Anatomy of an egg

The egg can be any payload of which we will take the first 8 bytes as the signature. In general, the first 8 bytes are part of a nop sled (to improve robustness) so we’ll focus on that kind.

; Signature sample 1 (8 bytes long)
; String representation "\x90\x50\x90\x50\x90\x50\x90\x50"
; Hexadecimal 32-bit 0x90509050 0x90509050
; Hexadecimal 64-bit 0x9050905090509050
; Assembly code:
90    nop
50    push rax
90    nop
50    push rax
90    nop
50    push rax
90    nop
50    push rax

; Signature sample 2 (8 bytes long)
; String representation "\x99\x99\x90\x99\x99\x99\x90\x99"
; Hexadecimal 32-bit 0x99999099 0x99999099
; Hexadecimal 64-bit 0x9999909999999099
; Assembly code:
99    cdq
99    cdq
90    xchg rax, rax    ; same as nop
99    cdq
99    cdq
99    cdq
90    xchg rax, rax    ; same as nop
99    cdq

1- Size

An egg’s signature is usually 8 bytes long. We can, of course, make it larger or shorter depending on the circumstances.

2- Type

The egg’s signature is usually executable code. This derives from the fact that once the egg-hunter confirms the match it jumps straight into its location and executes the whole egg. Again, that’s the usual case but an egg-hunter that allows non-executable code as a signature can be implemented too.

Implementing an egg-hunter in Linux/x64

BITS 64
global _start
section .text
_start:
    mov rax, 0x15    ; syscall number for access(2)
    mov rdi, 0x00    ; address to check: 0x00
    mov rsi, 0x00    ; mode
    syscall

The hunter advances through memory one page at a time, so we need the page size:

> getconf PAGE_SIZE
> 4096

This can be easily converted to hex using the radare2 utility rax2:

> rax2 (getconf PAGE_SIZE)
> 0x1000
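The following is an added example in C, not code from the original post or its video, that ties together the two pieces discussed above: the 8-byte signature from sample 1 and the access(2) probe that lets the hunter step over unreadable pages. The function names (egg_value, page_readable, find_egg, demo) and the three-page test region with a PROT_NONE hole are my own constructions; the page size 0x1000 and the signature bytes "\x90\x50\x90\x50\x90\x50\x90\x50" come from the text. The scan is confined to a mapping the program creates for itself.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define PAGE_SIZE_BYTES 0x1000   /* getconf PAGE_SIZE on the page: 4096 */

/* Egg signature sample 1 from the page, as the bytes that sit in memory. */
static const uint8_t EGG_SIG[8] = { 0x90, 0x50, 0x90, 0x50, 0x90, 0x50, 0x90, 0x50 };

/* The 64-bit value a hunter loads into a register to compare against is the
 * little-endian reading of the bytes (first byte in memory = least significant
 * byte), so it differs from the byte string written out left to right as hex. */
uint64_t egg_value(const uint8_t *sig) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v |= (uint64_t)sig[i] << (8 * i);
    return v;
}

/* The probe behind the hunter's access(2) call: the kernel tries to read a
 * pathname from `addr`. An unmapped or non-readable address fails with EFAULT;
 * a readable one gives any other result (typically -1/ENOENT), which is enough
 * to know the page can be dereferenced without a segmentation fault. */
int page_readable(const void *addr) {
    errno = 0;
    if (access((const char *)addr, F_OK) == -1 && errno == EFAULT)
        return 0;
    return 1;
}

/* Walk [start, end) one page at a time, skip every page the probe rejects, and
 * return the byte offset from `start` of the first 8-byte signature match
 * (checked at every byte offset, like the hunter's byte-wise compare), or -1. */
long find_egg(const uint8_t *start, const uint8_t *end, const uint8_t *sig) {
    uint64_t want = egg_value(sig);
    for (const uint8_t *page = start; page < end; page += PAGE_SIZE_BYTES) {
        if (!page_readable(page))
            continue;                       /* hole: advance a whole page */
        const uint8_t *limit = page + PAGE_SIZE_BYTES < end ? page + PAGE_SIZE_BYTES : end;
        for (const uint8_t *p = page; p + 8 <= limit; p++)
            if (egg_value(p) == want)
                return (long)(p - start);
    }
    return -1;
}

/* Constructed test region (not from the page): three anonymous pages, the
 * middle one made PROT_NONE so the scan has to step over a hole, and the egg
 * planted 100 bytes into the third page. Returns the offset find_egg reports. */
long demo(void) {
    size_t len = 3 * PAGE_SIZE_BYTES;
    uint8_t *region = mmap(NULL, len, PROT_READ | PROT_WRITE,
                           MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED)
        return -2;
    if (mprotect(region + PAGE_SIZE_BYTES, PAGE_SIZE_BYTES, PROT_NONE) != 0) {
        munmap(region, len);
        return -3;
    }
    memcpy(region + 2 * PAGE_SIZE_BYTES + 100, EGG_SIG, sizeof EGG_SIG);
    long off = find_egg(region, region + len, EGG_SIG);
    munmap(region, len);
    return off;
}

int main(void) {
    printf("egg compare value (little-endian): 0x%016llx\n",
           (unsigned long long)egg_value(EGG_SIG));
    printf("address 0x0 readable: %d\n", page_readable(NULL));
    long off = demo();
    printf("egg found at offset %ld (planted at %d)\n", off, 2 * PAGE_SIZE_BYTES + 100);
    return off == 2 * PAGE_SIZE_BYTES + 100 ? 0 : 1;
}
```

Build on Linux/x64 with `gcc -O1 -o egghunt egghunt.c` and run it. Two things are worth noticing. First, page_readable(NULL) returns 0, which is exactly what the `access` call with rdi = 0x00 in the listing above checks, while a plain read of that address would have killed the process. Second, the listing writes the sample 1 bytes left to right as 0x9050905090509050, but a register holding those eight bytes on x64 contains 0x5090509050905090; a hunter that compares a 64-bit immediate against memory has to use the latter, so derive the constant from the byte string rather than typing the hex from the listing.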

Let’s test this out!

In the following video, I go through the whole process of extracting the shellcode for both the egg-hunter and the payload. Then I use a test skeleton written in C to demonstrate the functionality.

syscall59

Hacking/Infosec writeups and articles
