Created
June 11, 2018 14:58
##
# shell1_32.s - Executes a shell by calling execve (32-bit Linux, GAS/AT&T syntax)
# Compile and link:
#   gcc -m32 -c shell1_32.s
#   ld -o shell1_32 -melf_i386 shell1_32.o
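# Read-only string constants used as execve arguments.
# They are only ever read, so they belong in .rodata rather than the
# writable .data section: the loader maps .rodata without write
# permission, so the path and argument cannot be modified at run time.
# Both strings must be NUL-terminated (.asciz) because execve reads
# C strings.
.section .rodata
# Path of the program to execute; used as execve's filename and as argv[0]
shell_name:
        .asciz "/bin/sh"
# Single argument passed to the shell (argv[1])
shell_arg:
        .asciz "-p"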
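# Code section. _start is the ELF entry point named at link time, not a C
# function: nothing called it, so there is no return address on the stack and
# no caller frame to save. The original prolog/epilog and final `ret` would
# pop an unrelated stack slot and crash in the one case that reaches them
# (execve returning, i.e. failing), so a failed execve now exits instead.
.text
.global _start

# i386 Linux syscall numbers (from asm/unistd_32.h); named instead of bare 0xb / 1
.set SYS_EXIT,     1
.set SYS_EXECVE,   11
.set EXIT_FAILURE, 1

#-----------------------------------------------------------------------
# _start: execve("/bin/sh", {"/bin/sh", "-p", NULL}, NULL)
# ABI:   i386 Linux syscall convention: %eax = number, arguments in
#        %ebx, %ecx, %edx; `int $0x80`; result in %eax (negative = -errno)
# Out:   does not return on success; exits with status 1 if execve fails
# Clobb: %eax, %ebx, %ecx, %edx, %edi, stack (12 bytes for argv)
#-----------------------------------------------------------------------
_start:
        # Build argv[] on the stack by pushing its elements last-to-first,
        # so that %esp ends up pointing at argv[0].
        xor     %edi, %edi
        push    %edi                    # argv[2] = NULL terminator
        mov     $shell_arg, %edi
        push    %edi                    # argv[1] = "-p"
        mov     $shell_name, %edi
        push    %edi                    # argv[0] = "/bin/sh"

        mov     %edi, %ebx              # filename = "/bin/sh" (still in %edi)
        mov     %esp, %ecx              # argv = the array just built
        xor     %edx, %edx              # envp = NULL (empty environment)
        mov     $SYS_EXECVE, %eax       # full 32-bit mov; no prior xor needed
        int     $0x80

        # Only reached if execve failed (%eax = -errno). There is no valid
        # return address to `ret` to, so terminate the process explicitly.
        mov     $EXIT_FAILURE, %ebx     # exit status
        mov     $SYS_EXIT, %eax
        int     $0x80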