We finish the function call with our exit(0) system call, which is simplified because ebx already contains the value 0x0.
Chapter 10: Writing Linux Shellcode
Assemble, Link, and Test
As usual, assemble the source file with nasm, link the file with ld, then execute the binary:
$ nasm -f elf setreuid.asm
$ ld -o setreuid setreuid.o
$ ./setreuid
Verify with strace
Once again, it is difficult to tell what the program did; strace to the rescue:
setreuid(0, 0) = 0
_exit(0) = ?
Ah, just as we expected!
Shell-Spawning Shellcode with execve
There are several ways to execute a program on Linux systems. One of the most widely used methods is to call the execve system call. For our purpose, we will use execve to execute the /bin/sh program.
execve Syscall
As discussed in the man page at the beginning of this chapter, if we wish to execute the /bin/sh program, we need to call the system call as follows:
#include <unistd.h> //needed for the execve() prototype
int main(void) {
    char *shell[2]; //set up a temp array of two strings
    shell[0] = "/bin/sh"; //set the first element of the array to "/bin/sh"
    shell[1] = NULL; //set the second element to NULL (the array terminator, not the string "0")
    execve(shell[0], shell, NULL); //actual call of execve
    return 1; //only reached if execve fails
}
where the second parameter is a two-element array containing the string "/bin/sh" and terminated with a NULL.
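The following is an added example, not code from the book, that shows the same execve() call from the parent's point of view: the caller forks, the child calls execve() with a NULL-terminated argv, and the parent reads back either the exit status (execve succeeded and replaced the child) or the child's errno (execve failed, so the child is still running our code). It assumes a POSIX system with /bin/sh, the program the text executes; the function name run_with_execve and the use of a close-on-exec pipe to carry errno are my own choices.

```c
/* Added example (not the book's code): observe what execve() did by
 * running it in a forked child. Assumes a POSIX system with /bin/sh. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run `path` with the NULL-terminated array `argv` in a child process.
 * Returns the child's exit status (0..255) if execve succeeded, or -1 if
 * execve itself failed; in that case *err receives the child's errno.
 * The pipe is close-on-exec, so the parent sees EOF on success and an
 * errno value only when execve returned to the child. */
int run_with_execve(const char *path, char *const argv[], int *err)
{
    int pipefd[2];
    if (pipe(pipefd) == -1)
        return -1;
    fcntl(pipefd[1], F_SETFD, FD_CLOEXEC);

    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        close(pipefd[0]);
        execve(path, argv, NULL);       /* does not return on success */
        int e = errno;                   /* only reached if execve failed */
        ssize_t w = write(pipefd[1], &e, sizeof e);
        (void)w;
        _exit(127);
    }
    close(pipefd[1]);

    int child_errno = 0;
    ssize_t n = read(pipefd[0], &child_errno, sizeof child_errno);
    close(pipefd[0]);

    int status = 0;
    waitpid(pid, &status, 0);
    if (n == (ssize_t)sizeof child_errno) {
        if (err)
            *err = child_errno;
        return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Same shape as the text's array: program name, then NULL terminator. */
    char *shell[] = {"/bin/sh", "-c", "exit 7", NULL};
    int err = 0;
    int rc = run_with_execve(shell[0], shell, &err);
    printf("execve %s: exit status %d\n", shell[0], rc);

    /* Failure path: a path that does not exist makes execve return -1. */
    char *missing[] = {"/nonexistent/program", NULL};
    rc = run_with_execve(missing[0], missing, &err);
    printf("execve %s: rc=%d errno=%d (ENOENT=%d)\n", missing[0], rc, err, ENOENT);
    return 0;
}
```

The exit status 7 comes back only because argv was properly NULL-terminated; had the second element been the string "0" as in the uncorrected snippet, the kernel would have read past the end of the array looking for the terminator, which is the bug the comment in the text describes but the original code did not implement.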