Created
June 11, 2018 15:07
-
-
Save fgsahoward/e9a7f78cb5a365486093124cc3692e8b to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## | |
| # shell1_64.s - Executes a shell by calling execve | |
| # Compile and Link: | |
| # gcc -c shell1_64.s | |
| # ld -o shell1_64 shell1_64.o | |
| # Starts the data section, this is where the program stores initialized | |
| # variables, and it is in a separate memory space than the .text section | |
| .data | |
| # This is the location of the program we intend to execute | |
| shell_name: | |
| .asciz "/bin/sh" | |
| # This is an argument we intend to pass to /bin/sh | |
| shell_arg: | |
| .asciz "-p" | |
| # This starts the .text section of the code, or the code section | |
| .text | |
| .global _start | |
| _start: | |
| # function prolog | |
| push %rbp | |
| mov %rsp, %rbp | |
| # place a NULL pointer on the stack | |
| xor %r8, %r8 | |
| push %r8 | |
| # place a pointer to "-p" on the stack | |
| mov $shell_arg, %r8 | |
| push %r8 | |
| # place a pointer to "/bin/sh" on the stack | |
| mov $shell_name, %r8 | |
| push %r8 | |
| # move the pointer to "/bin/sh" to %rdi (first argument to execve) | |
| mov %r8, %rdi | |
| # move a pointer to the argv array to %rsi | |
| mov %rsp, %rsi | |
| # make the pointer to envp a NULL pointer | |
| xor %rdx, %rdx | |
| # set the system call number to 59 | |
| xor %rax, %rax | |
| mov $0x3b, %rax | |
| # make the system call | |
| syscall | |
| # function epilog | |
| pop %rbp | |
| ret |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment