
@procinger
Last active June 18, 2023 00:27
GNU/Linux x86_64 Hello World Shellcode
/*
* Shellcode executor
* gcc -fno-stack-protector -z execstack shell.c -o shell
*/
/* Raw bytes of the "shellcode optimized" NASM listing further down in this
 * gist: a short forward jmp to the tail, xor-zeroed registers, write(1, msg,
 * 12) and exit via syscall, then a backward call whose pushed return address
 * is the address of the 12 ASCII bytes "Hello World!" that end the array.
 * The three bytes \x40\xb7\x00 encode `mov dil, 0` and are the one 0x00 byte
 * this page's comment thread refers to. The compiler appends a terminating
 * NUL to this string literal; the payload never reads it (it writes exactly
 * 12 bytes, per \xb2\x0c = mov dl, 12). */
char shellcode[] = "\xeb\x20\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\xb0\x01\x40\xb7\x01\x5e\xb2\x0c\x0f\x05\x48\x31\xc0\xb0\x3c\x40\xb7\x00\x0f\x05\xe8\xdb\xff\xff\xff\x48\x65\x6c\x6c\x6f\x20\x57\x6f\x72\x6c\x64\x21";
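/*
 * Entry point: transfers control to the bytes in shellcode[].
 *
 * The array lives in .data, so its page must be mapped executable for the
 * indirect call to work; the build line above relies on -z execstack for
 * that. NOTE(review): whether that flag also makes .data executable depends
 * on the kernel's handling of the executable-stack marking -- confirm on the
 * target kernel; a SIGSEGV at the call site means the page was not executable.
 *
 * The payload ends in sys_exit(0) (mov al, 60 ; syscall), so control never
 * comes back here and the trailing return is only for well-formedness.
 */
int main(int argc, char **argv)
{
    (void)argc;                         /* unused: nothing is parsed */
    (void)argv;

    /* The payload takes no arguments and never returns, so a void(void)
     * function pointer describes it more honestly than int(). */
    void (*exeshell)(void) = (void (*)(void)) shellcode;
    exeshell();

    return 0;                           /* not reached */
}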
;Hello World GNU/Linux x86_64 Assembly
;nasm -f elf64 -o hello_world.o hello_world.s
;ld -o hello_world hello_world.o
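;-----------------------------------------------------------------------
; _start: write "Hello World!" to stdout with raw Linux syscalls, then exit.
; ABI:   Linux x86-64 syscall convention (rax = nr; args rdi, rsi, rdx;
;        syscall clobbers rcx, r11; negative rax = -errno)
; Exit:  status 0 if the write succeeded, 1 if the kernel returned an error.
; No libc, no stack frame; the process never returns from _start.
;-----------------------------------------------------------------------
SYS_WRITE   equ 1                       ; size_t sys_write(unsigned int fd, const char *buf, size_t count)
SYS_EXIT    equ 60                      ; int sys_exit(int status)
STDOUT      equ 1                       ; 0 = stdin, 1 = stdout, 2 = stderr
EXIT_FAIL   equ 1

section .rodata                         ; the message is never written to
msg         db "Hello World!"
msg_len     equ $ - msg                 ; computed length, so editing the text needs no count update

section .text
global _start
_start:
        mov     eax, SYS_WRITE          ; 32-bit move zero-extends into rax
        mov     edi, STDOUT
        lea     rsi, [rel msg]          ; RIP-relative: works linked as PIE or non-PIE
        mov     edx, msg_len
        syscall                         ; rax = bytes written, or -errno on failure

        ; exit status: 0 on success, EXIT_FAIL when the write reported an error
        xor     edi, edi
        test    rax, rax
        jns     .exit                   ; non-negative rax = success
        mov     edi, EXIT_FAIL
.exit:
        mov     eax, SYS_EXIT
        syscall                         ; does not return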
;same program, shellcode-optimized
;-----------------------------------------------------------------------
; _start (shellcode layout): the same write(1, "Hello World!", 12) followed
; by exit(0), rearranged so that it uses only relative jumps/calls (no
; absolute addresses) and obtains the message address from the return
; address that `call` pushes. Assembling this yields exactly the bytes in
; the shellcode[] array of shell.c above.
; ABI:   Linux x86-64 syscall convention (rax = nr; args rdi, rsi, rdx)
;-----------------------------------------------------------------------
section .text
global _start
_start:
jmp short ending ; forward jump over the body to the call at `ending`
main_func:
xor rax,rax ; zero rax
xor rdi, rdi ; zero rdi
xor rsi, rsi ; zero rsi
xor rdx, rdx ; zero rdx
mov al, 1 ; rax = sys_write (only the low byte is written; rax was zeroed above)
mov dil, 1 ; rdi = fd 1 (stdout); the REX-prefixed form, bytes 40 b7 01 in shellcode[]
pop rsi ; the call below pushed the address of the db string, so rsi = &"Hello World!"
mov dl, 12 ; rdx = length of "Hello World!"
syscall ; write(1, msg, 12); clobbers rcx and r11
xor rax, rax ; zero rax
mov al, 60 ; rax = sys_exit
mov dil, 0 ; rdi = status 0; encodes as 40 b7 00, the one 0x00 byte the comment on this page points out
syscall ; exit(0); never returns
ending:
call main_func ; backward call: pushes the address of the bytes that follow, i.e. the string
db "Hello World!" ; message placed right after the call so the pushed return address is its address
@ByridianBlack

This shellcode is flawed in some ways, seeing how there is a 0 byte in the end result. You should just xor instead
