RISC-V: RV64G Linux assembly and payloads from the ground up
01f044ac — terrorbyte 5 years ago
Added objdump
42f9b3bd — terrorbyte 5 years ago
Added first asm1 objdump
12a6b395 — terrorbyte 5 years ago
Added blog post figure output

# RISC-V RV64G Linux Shellcoding

This repository contains all the code used to build a minimal example of writing shellcode for RISC-V RV64G. I attempted to do this as black-box as possible, using only the RISC-V documentation and the source of gcc, glibc, and the Linux kernel. The purpose was threefold: to further my understanding of hardware specifics, to learn to write shellcode on a lesser-known, new ISA, and to have some payloads available even before the ISA sees common adoption.

# Repository Layout

Inside the src/ directory there are simple C examples (simpleN.c), assembly examples (asmN.s), and shellcode examples (scN.h); the shellcode headers are included by sctester.c and executed through a GCC trampoline.

The reading path does not follow the file numbers one-to-one; instead, read the files in the following order (or as described in the upcoming blog post):

| files | lesson |
|---|---|
| asm1.s, asm2.s | Learn the basic calling conventions, Linux specifics for system calls, and data access |
| asm3.s | Port a program to not use the .rodata section and learn about PIC |
| asm4.s | Graceful shell spawning in assembly |
| sc1.h, asm5.s | Learn the pitfalls of shellcode and use a simple shellcode tester to check for null chars |
| sc2.h, asm6.s | Discover more pitfalls and solutions, and port the more advanced shell-exec shellcode |
| asm7.s | Create a reverse shell in assembly |
| asm8.s, sc3.h | Port the reverse shell to shellcode |
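The null-char check that the sc1.h/asm5.s lesson refers to can be reproduced offline by encoding instructions yourself and inspecting their little-endian bytes. The following is an added example, not code from this repository: it encodes a few RV64I base instructions (I-type and R-type formats per the RISC-V unprivileged spec) and reports which byte offsets are zero. It covers only 32-bit base encodings, not the 16-bit C-extension forms used in asm6c.s; the register table and mnemonics are a subset chosen for the demo.

```python
import struct

# Subset of the ABI register names (x0..x31 plus the ones this demo uses).
REGS = {f"x{i}": i for i in range(32)}
REGS.update({"zero": 0, "a0": 10, "a1": 11, "a2": 12, "a7": 17})

def encode_i(opcode, funct3, rd, rs1, imm):
    """I-type: imm[11:0] | rs1 | funct3 | rd | opcode."""
    assert -2048 <= imm <= 2047, "I-type immediate is a 12-bit signed value"
    return ((imm & 0xFFF) << 20) | (REGS[rs1] << 15) | (funct3 << 12) | (REGS[rd] << 7) | opcode

def encode_r(opcode, funct3, funct7, rd, rs1, rs2):
    """R-type: funct7 | rs2 | rs1 | funct3 | rd | opcode."""
    return (funct7 << 25) | (REGS[rs2] << 20) | (REGS[rs1] << 15) | (funct3 << 12) | (REGS[rd] << 7) | opcode

def addi(rd, rs1, imm):
    return encode_i(0x13, 0b000, rd, rs1, imm)   # OP-IMM, funct3=ADDI

def xor(rd, rs1, rs2):
    return encode_r(0x33, 0b100, 0, rd, rs1, rs2)  # OP, funct3=XOR

ECALL = 0x00000073  # fixed encoding in the spec; three of its four bytes are zero

def null_bytes(word):
    """Byte offsets (in memory order, little-endian) of the encoding that are zero."""
    return [i for i, b in enumerate(struct.pack("<I", word)) if b == 0]

def check(program):
    """program: list of (label, 32-bit encoding). Returns {label: offsets} for offenders only."""
    return {label: null_bytes(word) for label, word in program if null_bytes(word)}

if __name__ == "__main__":
    # Constructed sample: 221 is __NR_execve in the asm-generic syscall table RISC-V uses.
    prog = [("li a7, 221  (addi a7, zero, 221)", addi("a7", "zero", 221)),
            ("addi a0, zero, 0", addi("a0", "zero", 0)),
            ("xor a0, a0, a0", xor("a0", "a0", "a0")),
            ("ecall", ECALL)]
    for label, offs in check(prog).items():
        print(f"{label:36s} zero bytes at offsets {offs}")
```

Note that `xor a0, a0, a0` still carries a zero in its top byte because funct7 is zero and bit 4 of rs2 (x10) is clear, which is exactly the kind of encoding detail the tester is there to catch.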

Additionally, most RISC-V implementations include the C (compressed instruction) extension. For that reason I decided to add a few examples:

| files | lesson |
|---|---|
| asm6c.s | An example of shellcode using compressed instructions and fewer xor instructions |

# Usage / Building

You are expected to have a VM to test with; the instructions for running it will be here. Once you have the VM, the code can be compiled directly from the root of the repository with a simple `make`. This expects you to have gcc(1) and as(1) available for assembly.

Additionally the realease page should have a copy of the bin directory after a successful compilation.

# Supporting/Helpful Documents