This repository contains all the code used to create a minimal example of writing shellcode for RISC-V RV64G. I attempted to do this as black-box as possible, using only the RISC-V documentation and source from gcc, glibc, and the Linux kernel. This was dual purpose: to further my understanding of hardware specifics, to learn to write shellcode on a lesser-known/new ISA, and to have some payloads available even before common adoption.
Inside of the `src/` directory there are simple C examples (`simpleN.c`), assembly examples (`asmN.s`), and shellcode examples (`scN.h`) that are included by `sctester.c` and executed using a GCC
The reading path is not one-to-one by the numbers; instead it should be read in the following order, or as described in the coming blog post:

1. Learn about the basic calling conventions, Linux specifics for system calls, and data access
2. Port a program to not use the rodata section and learn about PIC
3. Graceful shell spawning in assembly
4. Learn about the pitfalls of shellcode and use a simple shellcode tester to check for null chars
5. Discover more pitfalls and solutions, and port the more advanced shell exec shellcode
6. Create a reverse shell in assembly
7. Port the reverse shell to shellcode
Additionally, it is extremely common for most implementations of RISC-V to include the C (compressed instruction) extension. For that reason I decided to add a few examples:

- An example of some shellcode with compressed instructions and less xor
It is expected that you have a VM to test with; the instructions for running will be here. Once you have the VM, the code can either be compiled directly from the root of the repository with a simple `make` in the root of the directory. This expects you to have `as(1)` for assembly.

Additionally, the release page should have a copy of the `bin` directory after a successful compilation.