It is an example of run the syscall sys_execve without int 0x80 in the assembly code, thus, my purpose is set the stack pointer register (ESP) address in EIP register. It is assumed that 0x80cd (int 0x80 = 0xcd80, but we need it in little endian) is in the top of the stack.
The register status before the code is:
*EAX 0xb
EBX 0xffffd144 ?— '/bin//sh'
ECX 0xffffd13c —? 0xffffd144 ?— '/bin//sh'
EDX 0xffffd140 ?— 0x0
EDI 0x0
ESI 0x0
EBP 0x0
ESP 0xffffd138 ?— 0x80cd
*EIP 0x8049022 (_start+34) ?— call esp
In this moment I have the following (obviously, i know that variants of these code snippet with different registers are possible but using the same instructions):
1-
push esp
ret
2-
lea edi, [esp]
jmp edi
3-
call esp
I would like to know more code snippet to do this.
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
