Member-only story
[ExpDev] Egghunter (Linux Implementation)
What is Egghunter?
Personally, I have dealt with Egghunter when I was studying for the OSCE course form Offensive Security. Egghunter is essentially a staged payload and is comprised with relatively short shellcode (around 30+ bytes). In a situation where the first buffer space is limited, we can implement the Egghunter shellcode there, and this will search the process memory for the much bigger buffer space where we place the signature (aka “Egg”) with our final reverse/bind shellcode.
The below image is a simplified version of how Egghunter works:
Egghunter In Depth
Even though I knew what Egghunter was and how to use it, I wanted to understand it in greater detail. So I read Matt Miller’s Safely Searching Process Virtual Address Space to learn more about Egghunter.
The following is the key take- away from the article:
- Per the author, 8 byte egg is recommended since it can give enough uniqueness that it can easily selected without running any high risk of a collision.
Linux Egghunter Implementation
- In Linux implementation, there are two main methods:
1) SIGSEGV handler to catch invalid memory address de-references and prevent the program from crashing
2) Using OS system call interface to validate process VMAs in kernel mode.
- In Linux implementation, the SIGSEGV handler technique has a big drawback of a size issue.
- In Linux implementation, the fact that the system call will return the
EFAULTerror code when it encounters an invalid memory space is the exact type of information needed for Egghunter since it can traverse the process’ virtual address space (VAS) without crashing the program.
