Thread: writing opcodes

    #1  not a fan of fascism (n00b)

    writing opcodes


    When you want to write a shellcode string, normally we do this to execute /bin/sh:
    Code:
    08049376 <op2>:
     8049376:       31 c0                   xor    %eax,%eax
     8049378:       50                      push   %eax
    /* push //sh onto the stack */
     8049379:       68 2f 2f 73 68          push   $0x68732f2f
    /* push /bin onto the stack */
     804937e:       68 2f 62 69 6e          push   $0x6e69622f
     8049383:       89 e3                   mov    %esp,%ebx
     8049385:       50                      push   %eax
     8049386:       53                      push   %ebx
     8049387:       89 e1                   mov    %esp,%ecx
     8049389:       99                      cltd
     804938a:       b0 0b                   mov    $0xb,%al
     804938c:       cd 80                   int    $0x80
    But let's say instead I want to execute /bin/ship:
    Code:
    0804935c <op_codes>:
     804935c:       31 c0                   xor    %eax,%eax
     804935e:       50                      push   %eax
    /* here we can only push /shi */
     804935f:       68 2f 73 68 69          push   $0x6968732f
    /* now what is going on? what happens to /bin? */
     8049364:       74 68                   je     80493ce <_DYNAMIC+0x3a>
     8049366:       2f                      das
     8049367:       62 69 6e                bound  %ebp,0x6e(%ecx)
    /* now back to normal  */
     804936a:       89 e3                   mov    %esp,%ebx
     804936c:       50                      push   %eax
     804936d:       53                      push   %ebx
     804936e:       89 e1                   mov    %esp,%ecx
     8049370:       99                      cltd
     8049371:       b0 0b                   mov    $0xb,%al
     8049373:       cd 80                   int    $0x80
    The string "/bin/ship" is 9 bytes long. It can't be pushed onto the stack with only 2 pushes. Instead something different happens, but I don't understand what?
  2. #2
  3. not a fan of fascism (n00b)
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Feb 2003
    Location
    ct
    Posts
    2,756
    Rep Power
    95
    What you have to do is push more stuff onto the stack. Instead of pushing "/bin" and then "//sh", you push "bin" -> "////" -> "pass" and bam, it's magic :D
    Last edited by infamous41md; June 8th, 2003 at 11:32 PM.
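    As an added example (not code from this thread's poster), the following Python helper works out the dword chunking the two posts describe for any path: it pads with extra slashes between the directory and the file name until the length is a multiple of 4, emits the `push` immediates in the order they must be pushed, and can also decode immediates seen in a disassembly back into the string they leave in memory. It assumes a 32-bit little-endian x86 stack, as in the listings above.

```python
import struct


def path_to_push_immediates(path: bytes) -> list[int]:
    """Split a NUL-free path into the 32-bit immediates of consecutive
    `push $imm` instructions. Extra '/' characters are inserted between
    the directory and the file name (the kernel ignores repeated slashes)
    until the total length is a multiple of 4, so no chunk is short.
    The list is in push order: the last chunk of the string is pushed
    first, because each push lands at a lower address than the previous."""
    directory, _, basename = path.rpartition(b"/")
    pad = (-(len(directory) + 1 + len(basename))) % 4
    padded = directory + b"/" * (1 + pad) + basename
    chunks = [padded[i:i + 4] for i in range(0, len(padded), 4)]
    # Little-endian: the first byte of a chunk is the low byte of the immediate.
    return [struct.unpack("<I", chunk)[0] for chunk in reversed(chunks)]


def push_immediates_to_string(immediates: list[int]) -> bytes:
    """Inverse: recover the string that a run of pushes (given in push
    order) leaves in memory, e.g. to read a path out of a disassembly."""
    return b"".join(struct.pack("<I", imm) for imm in reversed(immediates))


def att_push_listing(path: bytes) -> str:
    """Render the pushes as AT&T-syntax lines, each annotated with the
    ASCII bytes it contains. The zeroed %eax is pushed first, as the
    thread's listing does, to provide the string's NUL terminator."""
    lines = ["xor    %eax,%eax", "push   %eax            # NUL terminator"]
    for imm in path_to_push_immediates(path):
        text = struct.pack("<I", imm).decode("ascii")
        lines.append(f"push   ${imm:#010x}      # {text!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Decode the two immediates from the thread's /bin/sh listing.
    print(push_immediates_to_string([0x68732F2F, 0x6E69622F]))  # b'/bin//sh'
    # Nine-byte /bin/ship needs three pushes: "ship", "////", "/bin".
    print(att_push_listing(b"/bin/ship"))
```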
