Linux Shellcoding Lab 13: egg hunting with access(2) syscalls


I’ve gone through the egghunting PDF (http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf), created x86 assembly files and extracted the shellcode. Now I’m trying to understand some of the details and I have questions that aren’t readily answered in the PDF. I’d appreciate anyone pointing me in the right direction.


  1. We compare al with 0xf2 because 0xf2 is the lowest byte of EFAULT. Where is this EFAULT value defined?

It’s not in /usr/include/asm/unistd_32.h or anywhere in /usr/include/asm/

  2. PAGE_SIZE is constantly referred to without explanation. Since the loop increments by 0x1000 when edx points to invalid memory addresses (access returns EFAULT) I assumed that 0x1000 and PAGE_SIZE were equivalent. Is that true?

  3. Why are we using [edx+0x4] and not [edx]?

The paper says: “Why is four added to the current pointer to be validated? The reason is because it allows eight bytes of contiguous memory to be validated in a single swoop.”

Why wouldn’t we be able to validate eight bytes starting at [edx]?

The [edx+0x4] adds unnecessary complexity: the last check at the end compares [edx+0x4] to ebx (loaded with the value of the egg) and a successful comparison leads to “jmp edx”

Won’t this lead to a jump to 4 bytes before executable code? (the executable egg)


I really appreciate any insight or direction!
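A user-space C model of the loop these questions concern, added here as an example and not code from the post or the lab. The three-page region, the 0x123 offset and the 0x50905090 tag are constructed; it shows the kernel answering the [edx+4] probe with -EFAULT (whose low byte is 0xf2, with EFAULT coming from errno.h rather than unistd_32.h), the 0x1000 page stride, and a return address eight bytes past the egg, which is where the paper's scasd/scasd/jmp edi sequence resumes.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define PAGE_SIZE_X86 0x1000u  /* i386 page size, the 0x1000 stride of the loop */
#define EGG_TAG 0x50905090u    /* egg = tag twice (8 bytes); contains no NUL byte */

/* The 0xf2 compared against al: access(2) returns -EFAULT, and EFAULT (14) is
 * defined in errno.h (asm-generic/errno-base.h); the low byte of -14 is 0xf2. */
uint8_t efault_low_byte(void) { return (uint8_t)(-EFAULT); }

/* The loop: probe [edx+4] through the kernel, on EFAULT round up to the next
 * page, else step one byte and compare dwords like the two scasd. Returns the
 * address just past the 8-byte egg (where the paper's "jmp edi" lands) or NULL. */
const uint8_t *hunt(const uint8_t *base, size_t len) {
    const uint8_t *p = base, *end = base + len;
    uint32_t w1, w2;
    while (p < end) {
        /* access() makes the kernel read a "path" from p+4 up to a NUL: EFAULT
         * means an unmapped page, ENOENT/ENAMETOOLONG mean it was readable. */
        if (access((const char *)(p + 4), F_OK) == -1 && errno == EFAULT) {
            p = (const uint8_t *)(((uintptr_t)p | (PAGE_SIZE_X86 - 1)) + 1);
            continue;                               /* or dx,0xfff; inc edx */
        }
        memcpy(&w1, p, 4);                          /* first scasd: [edx] */
        if (w1 == EGG_TAG && (memcpy(&w2, p + 4, 4), w2 == EGG_TAG))
            return p + 8;                           /* second scasd hit: jmp edi */
        p++;                                        /* inc edx */
    }
    return NULL;
}

/* Constructed scenario: three anonymous pages, the outer two made PROT_NONE so
 * the kernel faults on them, egg planted 0x123 bytes into the middle page.
 * Returns the hit as an offset from the region base, or -1. */
long demo(void) {
    size_t len = 3 * PAGE_SIZE_X86;
    uint8_t *r = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (r == MAP_FAILED) return -1;
    uint32_t egg[2] = { EGG_TAG, EGG_TAG };
    memcpy(r + PAGE_SIZE_X86 + 0x123, egg, sizeof egg);
    mprotect(r, PAGE_SIZE_X86, PROT_NONE);
    mprotect(r + 2 * PAGE_SIZE_X86, PAGE_SIZE_X86, PROT_NONE);
    const uint8_t *hit = hunt(r, len);
    long off = hit ? (long)(hit - r) : -1;
    munmap(r, len);
    return off;
}
```

demo() returns 0x112b here: the first page is skipped in one stride, the egg is found at 0x1123 in the middle page, and the returned address is 8 bytes past it.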