author: Malfurious <m@lfurio.us> 2022-02-27 04:09:20 -0500
committer: Malfurious <m@lfurio.us> 2022-02-27 04:09:20 -0500
commit: 880ba95060a03ef5e0dea93c14c4a5c56470b528 (patch)
tree: 184978638c5f37cf608c320669ac9ca9a091f98e /templates
parent: ee86bce695ef07c2356746385e1fc73f87a837d0 (diff)
download: lib-des-gnux-880ba95060a03ef5e0dea93c14c4a5c56470b528.tar.gz
lib-des-gnux-880ba95060a03ef5e0dea93c14c4a5c56470b528.zip
shellcode: Initialize envp to NULL
This issue was discovered a while back, during one of the CTFs, and was particularly a problem with the 32-bit shellcode. Because the third kernel argument register was not being set by the payload, we would essentially pass garbage. I'm only committing this now, as I've recently been able to reproduce the related failure and demonstrate this patch working. I never actually observed the 64-bit shellcode fail for this reason on a target, but it is also patched for correctness.

Argument 3 to execve() is the environment pointer, a pointer to an array of strings that defines the process's environment variables. Although this argument should point to an empty array (ptr to NULL) if empty, Linux allows the pointer itself to be NULL in this case - thus the xor of the register.

Signed-off-by: Malfurious <m@lfurio.us>
Diffstat (limited to 'templates')
-rw-r--r--  templates/shellcode/shell32.asm  1
-rw-r--r--  templates/shellcode/shell64.asm  1
2 files changed, 2 insertions, 0 deletions
diff --git a/templates/shellcode/shell32.asm b/templates/shellcode/shell32.asm
index d12910f..5ff2e12 100644
--- a/templates/shellcode/shell32.asm
+++ b/templates/shellcode/shell32.asm
@@ -5,6 +5,7 @@ global _start
_start:
xor ecx, ecx
+ xor edx, edx
push 0xb
pop eax
push ecx
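Review bot: `xor edx, edx` is the right register for envp under the i386 `int 0x80` convention (ebx, ecx, edx carry arguments 1 to 3), but the template carries no comments, so add one beside this line (and beside `xor ecx, ecx`) naming which execve() argument each zeroed register supplies, e.g. `xor edx, edx ; envp = NULL (Linux accepts NULL here)`. The rationale in the commit message, that a NULL envp is a Linux allowance rather than the documented empty-array form, is exactly the caveat the next person editing this payload needs to see at the instruction itself. Placement is fine: nothing in the visible `push 0xb` / `pop eax` / `push ecx` sequence touches edx.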
diff --git a/templates/shellcode/shell64.asm b/templates/shellcode/shell64.asm
index a6d4626..2353b6f 100644
--- a/templates/shellcode/shell64.asm
+++ b/templates/shellcode/shell64.asm
@@ -5,6 +5,7 @@ global _start
_start:
xor rsi, rsi
+ xor rdx, rdx
push rsi
mov rdi, 0x68732f2f6e69622f
push rdi
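Review bot: on x86-64 the third syscall argument is rdx, so this is the correct register, and the zero in rsi that the following `push rsi` reuses as the string terminator is unaffected. As with the 32-bit template, a short comment such as `xor rdx, rdx ; envp = NULL` would document the intent, since without one the line reads like a stray register clear next to the `mov rdi, 0x68732f2f6e69622f` / `push rdi` path-building code. The two templates now zero their argument registers in the same order before building the path string on the stack, which is worth keeping consistent in future edits.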