Egghunter

Hi, I was looking at this write-up of vulnserver: https://captmeelo.com/exploitdev/osceprep/2018/06/29/vulnserver-kstet.html . He uses the same entry point I was trying, the KSTET command, yet he uses an egghunter; I didn't get that far. My question: what does an egghunter do? Specifically, does it target a shellcode? What? I would really appreciate an explanation.

Someone with deeper understanding and experience will hopefully chime in, but basically:

An egg is a tag (a little piece of data which we choose) followed by some shellcode.
An egghunter is a little piece of code that looks around in memory for a specific tag, and once it’s found does something with it. Usually this is for the purpose of jumping to it.

Now, why would you do this? Imagine you have a buffer overflow vuln in a program, but the space you have for an exploit is very, very tiny. The program has other functions, some of which can load data into other parts of memory (even though they might not have a vulnerability themselves).

What you do is put an egghunter (very compact) into the tiny buffer, and then put the big, long, complex shellcode you actually want to execute somewhere else in memory as an egg, using one of the safe functions. When the exploit is triggered, the egghunter finds the egg, jumps to it and... Bob's your uncle! You've executed the bigger shellcode despite only having a very tiny buffer.

Using an egghunter is a bit more common on Windows platforms than Linux. I can’t tell you exactly why (That’s something I’m hoping someone maybe can chime in on) but my guess is that it might have to do with shellcodes usually being a bit longer to accomplish something meaningful.
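The tag-then-shellcode layout and the hunter's memory sweep described in the answer above, as an added C simulation (not code from the thread or from the linked write-up). It models a process address space as a page array with a constructed "is this page mapped?" table and a placeholder payload; the tag `w00t`, the page layout, and all function names are assumptions for illustration. Real hunters on Windows and Linux have no such table and instead probe each page with a cheap system call that reports an error for unmapped memory rather than crashing, which is the part a textbook `memmem` over the whole address space gets wrong.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096
#define NUM_PAGES 8
#define MEM_SIZE  (PAGE_SIZE * NUM_PAGES)
#define TAG       "w00t"           /* four-byte tag chosen by the attacker (assumed) */
#define TAG_LEN   4

/* Constructed stand-in for a process address space. g_mapped records which
 * pages can be read. A real egghunter has no such table: it asks the OS
 * (via a syscall that returns an error instead of faulting) before touching
 * each page, because reading an unmapped page would kill the process. */
static unsigned char g_mem[MEM_SIZE];
static bool          g_mapped[NUM_PAGES];

/* Placeholder for the big shellcode; constructed sample bytes, not a payload. */
static const unsigned char PAYLOAD[] = { 0x90, 0x90, 0x90, 0xcc };

static bool readable(size_t off)
{
    return off < MEM_SIZE && g_mapped[off / PAGE_SIZE];
}

/* Build an egg at dst: tag, tag again, then the payload. Returns its size.
 * The tag is doubled because the hunter's own code carries one copy of it;
 * matching on 8 bytes means the hunter can never find itself. */
size_t write_egg(unsigned char *dst, const unsigned char *payload, size_t n)
{
    memcpy(dst, TAG, TAG_LEN);
    memcpy(dst + TAG_LEN, TAG, TAG_LEN);
    memcpy(dst + 2 * TAG_LEN, payload, n);
    return 2 * TAG_LEN + n;
}

/* The hunter: sweep memory page by page, skip unreadable pages, stop at the
 * first doubled tag. Returns the offset of the byte right after the tag
 * (where a real hunter would jump), or -1 if no egg exists. */
long egghunt(void)
{
    for (size_t page = 0; page < MEM_SIZE; page += PAGE_SIZE) {
        if (!readable(page))
            continue;                      /* unmapped: move to the next page */
        for (size_t i = page; i < page + PAGE_SIZE; i++) {
            size_t last = i + 2 * TAG_LEN - 1;
            if (!readable(last))           /* egg would run into a bad page */
                break;
            if (memcmp(g_mem + i, TAG, TAG_LEN) == 0 &&
                memcmp(g_mem + i + TAG_LEN, TAG, TAG_LEN) == 0)
                return (long)(last + 1);
        }
    }
    return -1;
}

/* Lay out the scenario from the thread (offsets are assumptions). Page 1
 * holds the tiny overflowed buffer with the hunter, which contains the tag
 * once. Pages 2 and 3 are unmapped. The egg lands on page 5, as if written
 * there by one of the program's "safe" commands. Returns the offset where
 * the payload starts, or 0 when no egg is placed. */
size_t setup_memory(bool place_egg)
{
    memset(g_mem, 0, sizeof g_mem);
    for (size_t p = 0; p < NUM_PAGES; p++)
        g_mapped[p] = (p != 2 && p != 3);

    memcpy(g_mem + 1 * PAGE_SIZE + 100, TAG, TAG_LEN);   /* hunter's own tag */

    if (!place_egg)
        return 0;
    size_t egg_off = 5 * PAGE_SIZE + 700;
    write_egg(g_mem + egg_off, PAYLOAD, sizeof PAYLOAD);
    return egg_off + 2 * TAG_LEN;
}

/* True if the hunter's result points exactly at the payload bytes. */
bool landed_on_payload(long off)
{
    return off >= 0 && (size_t)off + sizeof PAYLOAD <= MEM_SIZE &&
           memcmp(g_mem + off, PAYLOAD, sizeof PAYLOAD) == 0;
}

int main(void)
{
    size_t expected = setup_memory(true);
    long found = egghunt();
    printf("payload expected at %zu, hunter found %ld, match: %s\n",
           expected, found, landed_on_payload(found) ? "yes" : "no");
    setup_memory(false);
    printf("with no egg in memory the hunter returns %ld\n", egghunt());
    return 0;
}
```

Two things worth noticing when you run it: the sweep passes the hunter's single copy of the tag on page 1 without stopping, and it steps straight over the unmapped pages 2 and 3 instead of dereferencing them. In a real hunter those two properties (the doubled tag and the per-page readability probe) are what keep the search from either looping on itself or crashing the target before it reaches the egg.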

Thanks, that kind of explains a bit :slight_smile: