passed as environment to the new program. Both argv and envp must be
terminated by a null pointer. The argument vector and environment can
be accessed by the called program's main function, when it is defined
as int main(int argc, char *argv[], char *envp[]).
The first argument, filename, should be a pointer to the string "/bin/sh",
since this is what we want to execute. The environment array (the third
argument) can be empty, but it still needs to be terminated with a 32-bit
null pointer. The argument array (the second argument) must be null-terminated
too, and it must also contain a pointer to that same string, since by
convention the zeroth argument is the name of the running program. Done in
C, a program making this call would look like this:
exec_shell.c
#include <unistd.h>

int main() {
   char filename[] = "/bin/sh\x00";
   char *argv[2];      // Array of char pointers: argv[0] plus its null terminator
   char *envp[1];      // Array of char pointers: only the null terminator

   argv[0] = filename; // The only argument is filename.
   argv[1] = 0;        // Null terminate the argument array.

   envp[0] = 0;        // Null terminate the environment array.

   execve(filename, argv, envp); // Only returns if the exec fails.
}
To do this in assembly, the argument and environment arrays need to be
built in memory. In addition, the "/bin/sh" string needs to be terminated with
a null byte. This must be built in memory as well. Dealing with memory in
assembly is similar to using pointers in C. The lea instruction, whose name
stands for load effective address , works like the address-of operator in C.
Instruction               Description
lea <dest>, <source>      Load the effective address of the source operand into the destination operand.
With Intel assembly syntax, operands can be dereferenced as pointers if
they are surrounded by square brackets. For example, the following instruction
in assembly will treat EBX+12 as a pointer and write eax to where it's pointing.
89 43 0C mov [ebx+12],eax
The following shellcode uses these new instructions to build the execve()
arguments in memory. The environment array is collapsed into the end of
the argument array, so they share the same 32-bit null terminator.
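The memory image those instructions produce can be checked from C before it is trusted inside shellcode. The following is an added example, not the book's or the page's own shellcode listing: it builds one flat buffer laid out exactly as the text describes (the string at offset 0, its null byte at offset 7, argv[0] at offset 8, and a single pointer-sized zero at offset 12 that terminates both argv and envp on a 32-bit build), then hands the resulting pointers to execve(). The names execve_frame, build_execve_frame and frame_is_valid are this example's own; each memory write is commented with the assembly instruction it stands in for, and on a 64-bit build the two pointer slots land at offsets 8 and 16 instead of 8 and 12.

```c
#include <stddef.h>
#include <string.h>
#include <unistd.h>

/* Memory image the shellcode builds. 32-bit layout, matching the text:
 *   +0   "/bin/sh"      7 bytes, copied from the data bytes
 *   +7   0x00           string terminator   (mov [ebx+7],  al   with al == 0)
 *   +8   address of +0  argv[0]             (mov [ebx+8],  ebx)
 *   +12  0x00000000     argv[1] == envp[0]  (mov [ebx+12], eax  with eax == 0)
 * With 8-byte pointers the two slots sit at +8 and +16 instead. */
union execve_frame {
    unsigned char bytes[8 + 2 * sizeof(char *)];   /* raw view, written like the shellcode */
    struct {
        char  filename[8];                         /* "/bin/sh" + NUL */
        char *ptrs[2];                             /* ptrs[0] = argv[0], ptrs[1] = shared NULL */
    } view;                                        /* typed view, read like the C program */
};

#define OFF_TERMINATOR 7
#define OFF_ARGV0      offsetof(union execve_frame, view.ptrs[0])
#define OFF_NULL       offsetof(union execve_frame, view.ptrs[1])

struct execve_args {
    const char *filename;   /* ebx */
    char **argv;            /* ecx */
    char **envp;            /* edx */
};

/* Fill the frame the way the shellcode does: raw byte and pointer stores at fixed
 * offsets from the string's address. memcpy stands in for the mov instructions. */
static struct execve_args build_execve_frame(union execve_frame *f)
{
    const char *base = (const char *)f;   /* the string's address, as popped into ebx */
    char *zero = NULL;

    memcpy(f->bytes, "/bin/sh", 7);                      /* the data bytes, not yet terminated */
    f->bytes[OFF_TERMINATOR] = 0;                        /* mov [ebx+7],  al  */
    memcpy(f->bytes + OFF_ARGV0, &base, sizeof base);    /* mov [ebx+8],  ebx */
    memcpy(f->bytes + OFF_NULL,  &zero, sizeof zero);    /* mov [ebx+12], eax */

    struct execve_args a;
    a.filename = f->view.filename;                       /* ebx           */
    a.argv = &f->view.ptrs[0];                           /* lea ecx, [ebx+8]  */
    a.envp = &f->view.ptrs[1];                           /* lea edx, [ebx+12] */
    return a;
}

/* Checks every property execve() relies on: terminated path, argv[0] pointing
 * at it, argv null-terminated, envp empty, and envp overlapping argv's terminator. */
static int frame_is_valid(const struct execve_args *a)
{
    return strcmp(a->filename, "/bin/sh") == 0
        && a->argv[0] == a->filename
        && a->argv[1] == NULL
        && a->envp[0] == NULL
        && (const char *)a->envp == (const char *)a->argv + sizeof(char *);
}

/* Builds a frame in static storage and reports whether its layout is right. */
static int frame_self_test(void)
{
    static union execve_frame frame;
    struct execve_args a = build_execve_frame(&frame);
    return frame_is_valid(&a);
}

int main(void)
{
    static union execve_frame frame;
    struct execve_args a = build_execve_frame(&frame);

    if (!frame_is_valid(&a))
        return 1;
    execve(a.filename, a.argv, a.envp);   /* replaces this process with /bin/sh */
    return 1;                             /* reached only if execve() failed */
}
```

Running the program drops you into a shell whose argv[0] is "/bin/sh" and whose environment is empty, which is what the shellcode's collapsed arrays produce; the frame_is_valid() check is the part worth keeping around, since an off-by-one in any of the four offsets silently yields an argv that is not null-terminated.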