killchain-compendium/Exploits/Binaries/Egg Hunting.md

# Egg Hunting
Egg hunting is used when the space available at the initial control point only fits a few bytes of shellcode: a tiny "hunter" stub goes there, and the full payload is placed elsewhere in memory.
A tag or egg is a small, known group of bytes placed directly in front of that payload; the egg hunter scans the process's memory until it finds the egg, then transfers execution to the bytes that follow it.
## Accessing Virtual Address Space
As [shakuganz](https://shakuganz.com/2021/07/14/hackthebox-hunting-write-up/) describes, probing unallocated memory safely (without crashing the process) can be done with the `access()` syscall, page by page:
```python
# Pseudocode for the access()-based egg hunter: `access` stands for the
# access(2) syscall and `value_at` for a memory read. The kernel returns
# -EFAULT (-14, low byte 0xf2) when the address is unmapped, so a fault
# means the whole 4 KiB page can be skipped instead of crashing on it.
EFAULT_LOW_BYTE = 0xf2
mem_addr = 0x5FFFFFFF
while True:
    if access(mem_addr, 0) & 0xff == EFAULT_LOW_BYTE:
        mem_addr = (mem_addr | 0xFFF) + 1   # jump to the start of the next page
    elif value_at(mem_addr) != egg:
        mem_addr += 1                       # mapped, but not the egg: step one byte
    else:
        print(hex(mem_addr))                # egg found; the payload follows it
        break
```
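The same scan as a runnable simulation, added here as an illustration rather than code from the page or the linked write-up. Memory is a constructed sparse map of 4 KiB pages, `access_probe` stands in for the `access()` syscall (returning `-EFAULT` for unmapped pages), and the page bases, the egg `w00t` and the payload bytes are all assumed sample values. It also shows why the egg is stored twice in front of the payload: the hunter's own code contains it once, and a doubled tag keeps the hunter from matching itself.

```python
PAGE = 0x1000
EFAULT = 14            # Linux errno; -EFAULT as a byte is 0xf2, the value the hunter tests
EGG = b"w00t"          # classic 4-byte tag; the payload is prefixed with it twice
TAG = EGG + EGG

def page_of(addr):
    return addr & ~(PAGE - 1)

def build_memory(payload_addr, payload):
    """Constructed address space: three mapped 4 KiB pages, everything else unmapped.
    The hunter's own code (containing EGG exactly once) lives in the first page."""
    pages = {base: bytearray(PAGE) for base in (0x08048000, 0x08049000, 0x0804c000)}
    pages[0x08048000][0x10:0x14] = EGG            # single copy inside the hunter itself
    tagged = TAG + payload
    off = payload_addr - page_of(payload_addr)
    pages[page_of(payload_addr)][off:off + len(tagged)] = tagged
    return pages

def access_probe(pages, addr):
    """Models access(addr, 0) as the hunter uses it: the kernel returns -EFAULT
    for an unmapped address and some non-fault value (0 here) otherwise."""
    return -EFAULT if page_of(addr) not in pages else 0

def read(pages, addr, n):
    """Read n bytes, possibly across a page edge; None if any byte is unmapped."""
    out = bytearray()
    for a in range(addr, addr + n):
        if page_of(a) not in pages:
            return None
        out.append(pages[page_of(a)][a - page_of(a)])
    return bytes(out)

def hunt(pages, start, limit=0xC0000000):
    """Simplified access()-style hunter (assumed layout, not a byte-exact port).
    Returns (address just past the doubled egg, probe count), or (None, probes)."""
    addr, probes = start, 0
    while addr < limit:
        probes += 1
        # probe the last byte of the 8-byte window so an unmapped page edge is caught
        if (access_probe(pages, addr + len(TAG) - 1) & 0xff) == ((-EFAULT) & 0xff):
            addr = (addr | (PAGE - 1)) + 1     # "jump to next page": align up, skip 4 KiB
            continue
        if read(pages, addr, len(TAG)) == TAG:
            return addr + len(TAG), probes     # shellcode starts right after the tag
        addr += 1
    return None, probes

def demo():
    payload = b"\x90" * 16 + b"\xcc"           # constructed stand-in for the real shellcode
    mem = build_memory(0x0804c040, payload)
    found, probes = hunt(mem, start=0x08048000)
    return found, probes, read(mem, found, len(payload)) == payload

if __name__ == "__main__":
    found, probes, ok = demo()
    print(f"egg at {found:#x} after {probes} probes, payload intact: {ok}")
```

Running `demo()` finds the payload at `0x0804c048` after 8253 probes, far fewer than the 16456 bytes between the start address and the payload, because the two unmapped pages in between cost one probe each instead of 4096.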
## Tools
Ready-made egg hunters are available in pwntools' `pwnlib.shellcraft` (for example `shellcraft.i386.linux.egghunter`).
## Resources
* [hick.org](http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf)
* [Chaudhary's blog](https://medium.com/@chaudharyaditya/slae-0x3-egg-hunter-shellcode-6fe367be2776)