We have used the instruction mov al, 0x01 to eliminate NULL bytes. The instruction mov eax, 0x01 translates to hex B8 01 00 00 00 because the assembler automatically pads the 32-bit immediate to 4 bytes. In our case, we only need to copy 1 byte, so the 8-bit equivalent of eax (al) was used instead, which encodes as a 2-byte opcode with no NULL bytes.
NOTE If you xor a number with itself, you get zero. This is preferable to using something like mov eax, 0, because that operation leads to NULL bytes in the opcodes, which will terminate our shellcode when we place it into a string.
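To make the truncation concrete, here is an added C example (not from the book) that encodes the instructions discussed above as constructed byte arrays, finds the first NULL in each, and reports how many bytes of an exit(0) payload would survive a C string copy. The naive variant using mov eax, 1 and mov ebx, 0 is an assumed comparison case, not the book's listing.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed 32-bit x86 encodings of the instructions discussed in the text. */
static const unsigned char MOV_EAX_1[] = { 0xB8, 0x01, 0x00, 0x00, 0x00 }; /* mov eax, 1   */
static const unsigned char MOV_AL_1[]  = { 0xB0, 0x01 };                   /* mov al, 1    */
static const unsigned char MOV_EAX_0[] = { 0xB8, 0x00, 0x00, 0x00, 0x00 }; /* mov eax, 0   */
static const unsigned char XOR_EAX[]   = { 0x31, 0xC0 };                   /* xor eax, eax */

/* Assumed naive exit(0): mov eax,1 ; mov ebx,0 ; int 0x80 (constructed). */
static const unsigned char NAIVE_EXIT[] = { 0xB8, 0x01, 0x00, 0x00, 0x00,
                                            0xBB, 0x00, 0x00, 0x00, 0x00,
                                            0xCD, 0x80 };
/* NULL-free exit(0): xor eax,eax ; mov al,1 ; xor ebx,ebx ; int 0x80 (constructed). */
static const unsigned char CLEAN_EXIT[] = { 0x31, 0xC0, 0xB0, 0x01,
                                            0x31, 0xDB, 0xCD, 0x80 };

/* Index of the first NULL byte in an opcode sequence, or -1 if there is none. */
int first_null(const unsigned char *code, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (code[i] == 0x00) return (int)i;
    return -1;
}

/* A C string copy (strcpy, etc.) stops at the first NULL: this is how many
 * bytes of the payload would actually land in the destination buffer. */
size_t bytes_surviving_strcpy(const unsigned char *code, size_t len) {
    int n = first_null(code, len);
    return n < 0 ? len : (size_t)n;
}

static void report(const char *name, const unsigned char *code, size_t len) {
    printf("%-12s first NULL at %2d, %zu of %zu bytes survive a string copy\n",
           name, first_null(code, len), bytes_surviving_strcpy(code, len), len);
}

int main(void) {
    report("mov eax,1",  MOV_EAX_1, sizeof MOV_EAX_1);
    report("mov al,1",   MOV_AL_1,  sizeof MOV_AL_1);
    report("mov eax,0",  MOV_EAX_0, sizeof MOV_EAX_0);
    report("xor eax,eax", XOR_EAX,  sizeof XOR_EAX);
    report("naive exit",  NAIVE_EXIT, sizeof NAIVE_EXIT);
    report("clean exit",  CLEAN_EXIT, sizeof CLEAN_EXIT);
    return 0;
}
```

The naive payload loses everything after its second byte, while the xor/al version survives intact.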
In the next section, we will put the pieces together.
Assemble, Link, and Test
Once we have the assembly file, we can assemble it with nasm, link it with ld, then execute
the file as shown:
$ nasm -f elf exit.asm
$ ld exit.o -o exit
$ ./exit
Not much happened, because we simply called exit(0), which exited the process
politely. Luckily for us, there is another way to verify.
[Gray Hat Hacking: The Ethical Hacker's Handbook, Part III, Chapter 10: Writing Linux Shellcode, pp. 215-216]
Verify with strace
As in our previous example, you may need to verify the execution of a binary to ensure
the proper system calls were executed. The strace tool is helpful:
$ strace ./exit
_exit(0) = ?
As we can see, the _exit(0) syscall was executed! Now let's try another system call.