This repository contains all the code used to create a minimal example of creating shellcode for RISC-V RV64G. I attempted to do this as black- box as possible using only the RISC-V documentation and source from gcc, glibc, and the linux kernel. This was dual purpose to work on furthering my understanding of hardware specifics, to learn to shellcode on a lesser known/new ISA, and to attempt to get some payloads available even before common adoption.
Inside of the src/ directory there are simple C examples
(simpleN.c), assembly examples (asmN.s), and shellcode examples
(scN.h) that are included by sctester.c and executed using a GCC
trampoline.
The reading path is not one-to-one by the numbers, instead it should be read in the following manner or as described in the coming blogpost:
| files | lesson |
|---|---|
asm1.s, asm2.s |
Learn about the basic calling conventions, linux specifics for system calls, data access |
asm3.s |
Port a program to not use the rodata section and learn about PIC |
asm4.s |
Graceful shell spawning in assembly |
sc1.h, asm5.s |
Learn about the pitfalls of shellcode and use a simple shellcode tester to check for null chars |
sc2.h, asm6.s |
Discover more pitfalls, solutions, and port the more advanced shell exec shellcode |
asm7.s |
Create a reverse shell in assembly |
asm8.s, sc3.h |
Porting the reverse shell to shellcode |
Additionally, it is extremely common for most of the implimentations of RISC-V to contain the C compressed instruction extension. For that reason I decided to add a few examples:
| files | lesson |
|---|---|
asm6c.s |
An example of some shellcode with compressed instructions and less xor |
It is expected that you have a VM to test with, the instructions for
running will be here. Once you have the VM the code can either be
compiled from the directly from the root of the repository with a simple
make in the root of the directory. This expect you to have gcc(1) and
as(1) for assembly.
Additionally the realease page should have a copy of the bin directory after a successful compilation.