I’ve gone through the egghunting PDF (http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf), created x86 assembly files and extracted the shellcode. Now I’m trying to understand some of the details and I have questions that aren’t readily answered in the PDF. I’d appreciate anyone pointing me in the right direction.
- We compare al with 0xf2 because 0xf2 is the lowest byte of EFAULT. Where is this EFAULT value defined? It’s not in /usr/include/asm/unistd_32.h or anywhere in /usr/include/asm/.
- PAGE_SIZE is constantly referred to without explanation. Since the loop increments by 0x1000 when edx points to invalid memory addresses (access returns EFAULT), I assumed that 0x1000 and PAGE_SIZE were equivalent. Is that true?
- Why are we using [edx+0x4] and not [edx]? The paper says: “Why is four added to the current pointer to be validated? The reason is because it allows eight bytes of contiguous memory to be validated in a single swoop.” Why wouldn’t we be able to validate eight bytes starting at [edx]? The [edx+0x4] adds unnecessary complexity: the last check at the end compares [edx+0x4] to ebx (loaded with the value of the egg), and a successful comparison leads to “jmp edx”. Won’t this lead to a jump to 4 bytes before the executable code (the executable egg)?
I really appreciate any insight or direction!