Can anyone explain this assembly code
This is a shellcode to exploit the bufferoverflow vulnerability. this sets the setuid(0) and spawns a shell using execve()
this is the way i have interpreted it...
3.interrupt
4.push ebx
5.push address //y this address only????
6.push address //same question
12 mov execve sys call into al
13 interrupt
Can anyone explain the entire steps clearly??
int
is the opcode for triggering a software interrupt. Software interrupts are numbered (from 0 to 255) and handled by the kernel. On Linux systems, interrupt 128 (0x80) is the conventional entry point for system calls. The kernel expects the system call arguments in the registers; in particular, the %eax register identifies which system call we are talking about.
lea
as "load effective address" but not memory access is involved; this is just a devious way of making an addition). setuid
. That system call uses one argument (the target UID), to be found in %ebx, which conveniently contains 0 at that point (it was set in the first instruction). Note: upon return, registers are unmodified, except for %eax which contains the returned value of the system call, normally 0 (if the call was a success). setuid
). execve
system call will use as second argument. cltd
is the AT&T syntax for what the Intel documentations call cdq
. Since %eax is zero at that point, this sets %edx to zero too. execve
. execve
expects three arguments, in %ebx (pointer to a string naming the file to execute), %ecx (pointer to an array of pointers to strings, which are the program arguments, the first one being a copy of the program name, to be used by the invoked program itself) and %edx (pointer to an array of pointers to strings, which are the environment variables; Linux tolerates that value to be NULL, for an empty environment), respectively. So the code first calls setuid(0)
, then calls execve("//bin/sh", x, 0)
where x
points to an array of two pointers, first one being a pointer to "//bin/sh", while the other is NULL.
This code is quite convoluted because it wants to avoid zeros: when assembled into binary opcodes, the sequence of instruction uses only non-zero bytes. For instance, if the 12th instruction had been movl $0xb,%eax
(setting the whole of %eax to 11), then the binary representation of that opcode would have contained three bytes of value 0. The lack of zero makes that sequence usable as the contents of a zero-terminated C string. This is meant for attacking buggy programs through buffer overflows, of course.
上一篇: 为什么我的选择排序代码不工作?
下一篇: 任何人都可以解释这汇编代码