When a Windows stack overflow gives you ~250 bytes of crash-buffer space but a useful Meterpreter payload is 400 bytes, the answer is an egghunter. This walkthrough takes Savant Web Server 3.1 from initial crash to NT-level shell: a partial overwrite to defeat the null byte in the savant.exe module base, a POP EAX; RET gadget, a 7-byte conditional jump that exploits pre-zeroed memory, two independent buffers (URL path and HTTP body), then both classic egghunters — the syscall-based one on Windows 10 (with the NEG trick to encode 0x1C8 null-free) and the OS-agnostic SEH-based variant with a custom dispatcher handler. core-jmp.org/2026/06/egghunt… #BadCharacters #bufferoverflow #Egghunter #gadgets #HeapStaging #INT0x2E #KeystoneEngine #Metasploit #Meterpreter #NtAccessCheckAndAuditAlarm #NullFreeShellcode #PartialOverwrite #POPEAXRET #ROP #SavantWebServer #SCASD #SEHEgghunter #shellcode #StackBufferOverflow #StackOverflow #w00tw00tEgg #WinDBG #WindowsExploitDevelopment #x86