Lately I’ve been wanting to explore some of what I call the “black magic” of infosec, reverse engineering and shellcoding. Whenever I see some posting or article that comes out on this I always become curious and bewildered at what I’m looking at because I just don’t understand it. On Twitter I’ve been seeing @SecurityTube advertise their x86_64 Assembly and Shellcoding on Linux video course, so I decided to drop some money and learn what I can from it. I’ve yet to fully finish it, but more on that later. If I want to learn something, I usually have to do that something, get the hands on experience. I’m only about a third of the way through the course, only just going through assembly basics. But I decided to take a small break and try to write some shellcode of my own. I went exploring through the Shellcode Database and found a bit of x86 shellcode that I wanted to translate over to work on an x86_64 system. After some searching, I found one that copies /etc/passwd to /tmp/outfile written by Paolo Stivanin. Because of how trivial and simple looking the shellcode was, I decided to translate it over to work on x86_64.
After a few days of constant Googling and debugging and spending more time in gdb I’d care to admit, I finally got a working bit of shellcode that works on x86_64 Linux that copies the contents of /etc/passwd to /tmp/outfile. It is sitting at 118 bytes and contains no null bytes, so you’ll be able to inject it when necessary. I know it is nothing super fancy but it works and hopefully it can be found useful to someone.
For those that are interested in dissecting the following code, it is using the sys_open, sys_read, and sys_write syscalls. This might be able to use some optimization, so if anyone finds anything please let me know!