When every byte counts — Writing minimal length shellcodes

Against vulnerable binary applications both ethical and malicious hackers frequently apply an exploitation technique called egg-hunting. Egg-hunters are small shellcodes whose goal is to search for a usually longer and less restricted egg that executes the next phase of the attack. Here, this method is investigated from several new aspects. First we try to establish the length of the minimal egg-hunter code under various assumptions. Next, we study how this technique can be combined with a modern exploitation technique of return oriented programming (ROP). Lastly, a brief evaluation is given of both the advantages and drawbacks of egg-hunting.