killchain-compendium/Exploits/Binaries/Egg Hunting.md

# Egg Hunting

Egg Hunting can be applied if only a few chars are possible to use as shellcode.  
A tag or egg is an already identified group of bytes in the binary the egg hunter  
is trying to find.

## Accessing Virtual Address Space

Like [shakuganz](https://shakuganz.com/2021/07/14/hackthebox-hunting-write-up/) wrote about, ccessing unallocated memory can be done in the following way 
```python
mem_addr = 0x5FFFFFFF

if access(mem_addr, 0) == 0x2f:
    jump_to_next_page()
elif value_at(mem_addr) != egg:
    mem_addr += 1
else:
    print(mem_addr)
```


## Tools

Egg hunter can be found in pwntools' `pwnlib.shellcraft`


## Resources

* [hick.org](http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf)
* [Chaudhary's blog](https://medium.com/@chaudharyaditya/slae-0x3-egg-hunter-shellcode-6fe367be2776)
reverse engineering and binary exploitation 2023-01-16 19:02:44 +01:00			`# Egg Hunting`

			`Egg Hunting can be applied if only a few chars are possible to use as shellcode.`
			`A tag or egg is an already identified group of bytes in the binary the egg hunter`
			`is trying to find.`

			`## Accessing Virtual Address Space`

			`Like [shakuganz](https://shakuganz.com/2021/07/14/hackthebox-hunting-write-up/) wrote about, ccessing unallocated memory can be done in the following way`
			```python
			`mem_addr = 0x5FFFFFFF`

			`if access(mem_addr, 0) == 0x2f:`
			`jump_to_next_page()`
			`elif value_at(mem_addr) != egg:`
			`mem_addr += 1`
			`else:`
			`print(mem_addr)`
			```


			`## Tools`

			Egg hunter can be found in pwntools' `pwnlib.shellcraft`


			`## Resources`

			`* [hick.org](http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf)`
			`* [Chaudhary's blog](https://medium.com/@chaudharyaditya/slae-0x3-egg-hunter-shellcode-6fe367be2776)`