
@simcap
Created April 13, 2018 14:58
Shell
package main
import (
"log"
"syscall"
"unsafe"
)
// shell holds the same payload idea packed into 16-bit words. Nothing in this
// file reads it; main copies shellBytes instead.
// NOTE(review): this table is not a byte-for-byte equivalent of shellBytes.
// The grouping is irregular (some elements carry one byte, some two), and on a
// little-endian machine a uint16 such as 0x48c7 is stored as c7 48, so the
// in-memory layout would not decode as the instructions named below. It looks
// like a leftover from an earlier attempt; confirm before relying on it.
var shell = []uint16{
0x48c7, 0xc001, 0x0, // intended: mov $0x1, %rax
0x48, 0xc7c7, 0x100, 0x0, // intended: mov $0x1, %rdi
0x48c7, 0xc20c, 0x0, // intended: mov $0xc, %rdx (the immediate is 0x0c, not 0x13)
0x48, 0x8d35, 0x400, 0x0, // intended: lea 0x4(%rip), %rsi
0xf05, // intended: syscall
0xc3cc, // intended: ret, then one int3 byte
0x4865, 0x6c6c, 0x6f20, // "Hello " (trailing space)
0x576f, 0x726c, 0x6421, 0xa, // "World!" followed by a newline
}
// shellBytes is a 46-byte x86-64 machine-code routine followed by its message.
// Decoded, it loads 1 into rax and rdi, 12 into rdx and the address of the
// message into rsi, executes syscall and returns. On Linux x86-64 that is
// write(1, msg, 12), so it prints "Hello World!" to standard output.
//
// main copies this table into executable memory and jumps to it, so it must
// stay a fixed compile-time constant: any code path that let outside data reach
// these bytes would amount to arbitrary code execution in this process.
var shellBytes = []byte{
0x48, 0xc7, 0xc0, 0x01, 0x0, 0x0, 0x0, // mov $0x1, %rax  (syscall number 1)
0x48, 0xc7, 0xc7, 0x01, 0x0, 0x0, 0x0, // mov $0x1, %rdi  (file descriptor 1)
0x48, 0xc7, 0xc2, 0x0c, 0x0, 0x0, 0x0, // mov $0xc, %rdx  (length 12, not 0x13)
0x48, 0x8d, 0x35, 0x04, 0x0, 0x0, 0x0, // lea 0x4(%rip), %rsi  (skips the 4 bytes of syscall/ret/int3 to reach the message)
0xf, 0x5, // syscall
0xc3, 0xcc, // ret, then one int3 byte that is never reached
0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x20, // "Hello " (trailing space)
0x57, 0x6f, 0x72, 0x6c, 0x64, 0x21, 0x0, 0xa, // "World!", then 0x00 and 0x0a; the length of 12 stops before these two bytes, so no newline is written
}
// main maps 128 bytes of anonymous memory that is readable, writable and
// executable at the same time, copies shellBytes into it and calls the copy as
// if it were a Go function.
//
// Security notes for reviewers:
//   - PROT_WRITE and PROT_EXEC are requested together, which is exactly what
//     W^X policies forbid. Hardened hosts may refuse the mapping (for example
//     through SELinux's execmem check); Mmap then returns an error and the
//     program exits through log.Fatalf.
//   - While the process runs, the region shows up as an anonymous rwx mapping
//     (on Linux, in /proc/<pid>/maps), which is a useful signal when hunting
//     for in-memory code execution.
//   - The copied bytes run outside anything the Go compiler or runtime checks:
//     no bounds checks, no stack-growth prologue, no type safety.
func main() {
// Drop the timestamp prefix so log output is just the message.
log.SetFlags(0)
// fd -1 with MAP_ANONYMOUS means the mapping has no backing file; 128 bytes
// is more than the 46 bytes of shellBytes.
executable, err := syscall.Mmap(-1, 0, 128,
syscall.PROT_READ|syscall.PROT_WRITE|syscall.PROT_EXEC,
syscall.MAP_PRIVATE|syscall.MAP_ANONYMOUS)
if err != nil {
log.Fatalf("mmap err: %s\n", err)
}
// The source is the fixed table above; nothing external feeds this copy.
copy(executable, shellBytes)
type execFunc func()
// &executable is the address of the slice header, whose first word is the
// pointer to the mapped bytes.
// NOTE(review): a uintptr is not treated as a reference by the garbage
// collector, so this address is only valid as long as executable does not
// move; there is no call between here and doer(), but confirm with go vet.
unsafeShell := (uintptr)(unsafe.Pointer(&executable))
// A Go func value is a pointer to a record whose first word is the code
// address. Reinterpreting unsafeShell as a func value makes the slice header
// stand in for that record, so the call below lands on the first mapped byte.
// This relies on runtime-internal layout, not on a language guarantee.
doer := *(*execFunc)(unsafe.Pointer(&unsafeShell))
// The payload ends in ret, so control comes back here and main returns. The
// mapping is never unmapped; it lives until the process exits.
doer()
}