286 0x500
; SYSCALL: write(1, msg, 14)
mov eax, 4 ; Put 4 into eax, since write is syscall #4.
mov ebx, 1 ; Put 1 into ebx, since stdout is 1.
mov ecx, msg ; Put the address of the string into ecx.
mov edx, 14 ; Put 14 into edx, since our string is 14 bytes.
int 0x80 ; Call the kernel to make the system call happen.; SYSCALL: exit(0)
mov eax, 1 ; Put 1 into eax, since exit is syscall #1.
mov ebx, 0 ; Exit with success.
int 0x80 ; Do the syscall.The instructions of this program are straightforward. For the write() syscall
to standard output, the value of 4 is put in EAX since the write() function is
system call number 4. Then, the value of 1 is put into EBX, since the first arg-
ument of write() should be the file descriptor for standard output. Next, the
address of the string in the data segment is put into ECX, and the length of the
string (in this case, 14 bytes) is put into EDX. After these registers are loaded,
the system call interrupt is triggered, which will call the write() function.
To exit cleanly, the exit() function needs to be called with a single
argument of 0. So the value of 1 is put into EAX, since exit() is system call
number 1, and the value of 0 is put into EBX, since the first and only argu-
ment should be 0. Then the system call interrupt is triggered again.
To create an executable binary, this assembly code must first be assembled
and then linked into an executable format. When compiling C code, the GCC
compiler takes care of all of this automatically. We are going to create an
executable and linking format (ELF) binary, so the global _start line shows
the linker where the assembly instructions begin.
The nasm assembler with the -f elf argument will assemble the
helloworld.asm into an object file ready to be linked as an ELF binary.
By default, this object file will be called helloworld.o. The linker program
ld will produce an executable a.out binary from the assembled object.reader@hacking:~/booksrc $ nasm -f elf helloworld.asm
reader@hacking:~/booksrc $ ld helloworld.o
reader@hacking:~/booksrc $ ./a.out
Hello, world!
reader@hacking:~/booksrc $This tiny program works, but it’s not shellcode, since it isn’t self-contained
and must be linked.0x520 The Path to Shellcode................................................................................
Shellcode is literally injected into a running program, where it takes over like
a biological virus inside a cell. Since shellcode isn’t really an executable pro-
gram, we don’t have the luxury of declaring the layout of data in memory or
even using other memory segments. Our instructions must be self-contained
and ready to take over control of the processor regardless of its current state.
This is commonly referred to as position-independent code.