1 | - | .section .data |
1 | + | #include <stdio.h> |
2 | - | message: |
2 | + | #include <fcntl.h> |
3 | - | .ascii "Hola Mundo\n" |
3 | + | #include <sys/mman.h> |
4 | - | len = . - message |
4 | + | #include <sys/types.h> |
5 | #include <unistd.h> | |
6 | - | .section .text |
6 | + | #include <stdlib.h> |
7 | - | .globl _start |
7 | + | #include <assert.h> |
8 | - | _start: |
8 | + | |
9 | - | #write mesaje to stdout |
9 | + | /* Shellcode testbed |
10 | - | movl $len, %edx # LEN |
10 | + | * |
11 | - | movl $message, %ecx # BUFFER |
11 | + | * man mmap: |
12 | - | movl $1, %ebx # FD |
12 | + | * mmap() creates a new mapping in the virtual address space of the call- |
13 | - | movl $4, %eax # WRITE |
13 | + | * ing process. The starting address for the new mapping is specified |
14 | - | int $0x80 # SYSCALL |
14 | + | * in addr. The length argument specifies the length of the mapping. |
15 | - | #exit |
15 | + | * |
16 | - | movl $0, %ebx # RETVALUE |
16 | + | * */ |
17 | - | movl $1, %eax # EXIT |
17 | + | int |
18 | - | int $0x80 # SYSCALL |
18 | + | main (int argc, char *argv[]) |
19 | { | |
20 | void *p; | |
21 | int fd; | |
22 | off_t size; | |
23 | ||
24 | if (argc != 2) | |
25 | { | |
26 | printf ("Usage:\n\t%s shellcode.bin\n", argv[0]); | |
27 | exit (-1); | |
28 | } | |
29 | ||
30 | //Open tha file | |
31 | fd= open (argv[1], O_RDONLY); | |
32 | assert ( fd != -1); | |
33 | //Read the size | |
34 | size = lseek (fd, 0, SEEK_END); | |
35 | lseek (fd, 0, SEEK_SET); | |
36 | assert ( size != 0); | |
37 | //Allocates a virtual memory map RWX | |
38 | p = mmap (NULL, size, PROT_EXEC | PROT_READ | PROT_WRITE, | |
39 | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); | |
40 | printf ("Memory@%p\n", p); | |
41 | ||
42 | //Reads content of the "binary" file into mem | |
43 | assert(size == read (fd, p, size)); | |
44 | ||
45 | //Close the file so the shellcode inherits only 0,1,2 | |
46 | close (fd); | |
47 | ||
48 | //Call the first instruction in mem | |
49 | printf ("Passing control to the shellcode...\n"); | |
50 | ((void (*)()) p) (); | |
51 | printf ("The shellcode has returned to main!\n"); | |
52 | exit (-1); | |
53 | } |
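Review bot: The load path in main checks its system calls only through assert(), and the read() itself sits inside one (`assert(size == read (fd, p, size));`), so a build with -DNDEBUG drops the read entirely and control is passed to a zero-filled mapping. The mmap() result is never compared with MAP_FAILED before it is printed and used as the read buffer. A failing lseek() returns -1, which passes `assert ( size != 0)` and reaches mmap() as a huge length. I would replace the asserts with explicit checks that report through perror() and exit, as sketched below. Lines 19-53 carry no +/- marker on the page, so it is unclear whether they are new in this revision.

```c
// … unchanged: usage check, open() of argv[1] (check fd the same way) …
size = lseek (fd, 0, SEEK_END);
if (size <= 0 || lseek (fd, 0, SEEK_SET) == -1)
  {
    perror ("lseek");
    exit (EXIT_FAILURE);
  }
p = mmap (NULL, size, PROT_EXEC | PROT_READ | PROT_WRITE,
          MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (p == MAP_FAILED)
  {
    perror ("mmap");
    exit (EXIT_FAILURE);
  }
// Keep the read outside assert() so it survives NDEBUG builds
if (read (fd, p, size) != size)
  {
    perror ("read");
    exit (EXIT_FAILURE);
  }
// … unchanged: close (fd), call through p, final printf/exit …
```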