
Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"

Notice the compiler added a complementary call to exit_group (0xfc, or syscall 252).
exit_group() terminates every thread in the calling process's thread group, not just
the calling thread, and it is the libc exit() wrapper, as packaged for this particular
distribution of Linux, that inserts it rather than anything in our source. That may be
appropriate for a normal program, but we cannot have extra function calls introduced
by the compiler in our shellcode. This is the reason that you will need to learn to
write your shellcode in assembly directly.
Move to Assembly
By looking at the preceding assembly, you will notice that there is no black magic here.
In fact, you could rewrite the exit(0) function call by simply using the assembly:
$ cat exit.asm
section .text ; start code section of assembly
global _start
_start: ; keeps the linker from complaining or guessing
xor eax, eax ; shortcut to zero out the eax register (safely)
xor ebx, ebx ; shortcut to zero out the ebx register, see note
mov al, 0x01 ; only writes the low byte: 2-byte encoding with no NULL padding (mov eax, 1 would emit 01 00 00 00)
int 0x80 ; call kernel to execute syscall
We have left out the exit_group(0) syscall as it is not necessary.
Later it will become important that we eliminate NULL bytes from our hex opcodes,
as they will terminate strings prematurely.
