“Egg Hunting” is an exploit development technique used when exploiting a stack-based buffer overflow. An “Egg Hunter” is placed where ESP points; it searches the process memory (including the stack) for our “evil” shellcode and executes it.

An egg hunter is a small piece of shellcode that reaches a larger shellcode by searching memory for it. In other words, a small amount of code is executed first, and that code then locates the real shellcode and executes it.

The egg hunter code looks for an “EGG”, a unique 8-byte string made of two consecutive copies of a “TAG”. A “TAG” is a unique 4-byte string that is prefixed to the shellcode. The “EGG” is placed immediately before the shellcode, and the egg hunter code is placed in the small buffer space that is available while exploiting the overflow.


There are three conditions that must hold for this technique to work.

  • It must be possible to jump/call/push to and execute some shellcode. The egg hunter code must sit at a predictable location so that execution can be redirected to it reliably.
  • The final shellcode must be available somewhere in memory.
  • The marker (the EGG) must be defined in the egg hunter code and also written immediately in front of the actual shellcode.
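The following is an added example, not code from the original post, that simulates the search step of an egg hunter in plain C over a constructed byte buffer: it looks for the 4-byte TAG repeated twice and returns the offset where the payload begins. Nothing is executed, and the TAG value “w00t” is just a sample; the lone TAG in the buffer stands in for the copy that the hunter's own compare instruction carries, which is why the EGG has to be the TAG doubled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 4-byte TAG; the 8-byte EGG is the TAG written twice back to back.
   "w00t" is only a constructed sample value. */
#define TAG "w00t"
#define TAG_LEN 4

/* Scan buf[0..len) for TAG immediately followed by TAG.
   Returns the offset of the first byte after the EGG (where the
   payload starts), or -1 when no EGG is present.
   Byte-granular search; nothing is executed. */
static long find_egg(const unsigned char *buf, size_t len)
{
    if (len < 2 * TAG_LEN)
        return -1;
    for (size_t i = 0; i + 2 * TAG_LEN <= len; i++) {
        if (memcmp(buf + i, TAG, TAG_LEN) == 0 &&
            memcmp(buf + i + TAG_LEN, TAG, TAG_LEN) == 0)
            return (long)(i + 2 * TAG_LEN);
    }
    return -1;
}

/* Constructed sample "memory": filler, a lone TAG (as the hunter's
   own code would contain), then the real EGG and a text marker in
   place of shellcode. The lone TAG must not match. */
static const unsigned char sample[] =
    "AAAAAAAAAAAAAAAA" TAG "BBBBBBBB" TAG TAG "PAYLOAD";

/* Length without the implicit string terminator */
#define SAMPLE_LEN (sizeof(sample) - 1)

int main(void)
{
    long off = find_egg(sample, SAMPLE_LEN);
    if (off < 0) {
        puts("no EGG found");
        return 1;
    }
    /* Prints: EGG found; payload starts at offset 36: PAYLOAD */
    printf("EGG found; payload starts at offset %ld: %.7s\n",
           off, sample + off);
    return 0;
}
```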


Any Cyber Security and VAPT information: https://www.theweborion.com