shellcode

Going through http://hackoftheday.securitytube.net/2013/04/demystifying-execve-shellcode-stack.html I understood the nasm program which invokes execve and was trying to re-write it. Some background information: int execve(const char *filename, char *const argv[], char *const envp[]); So, eax = 11 (function call number for execve ), ebx should point to char* filename , ecx should point to argv[] (which will be the same as ebx since the first argument is the *filename itself e.g. "/bin/sh" in this case), and edx will point to envp[] ( null in this case). Original nasm code: global _start section

I just tried the following code snippet for shellcode testing purposes:- #include<iostream> using namespace std; char sc[] = ""; #i've removed the shellcode int main() { int (*func)(); func = (int(*)())sc; (int)(*func)(); } I get a build error on compilation :- ------ Build started: Project: shellcoderunner, Configuration: Debug Win32 ------ Build started 10/15/2011 12:51:16 PM. InitializeBuildStatus: Touching "Debug\shellcoderunner.unsuccessfulbuild". ClCompile: blah.cpp c:\users\reverser\documents\visual studio 2010\projects\shellcoderunner\shellcoderunner\blah.cpp(7): error C2440: 'type

Below, I written x64 assembly that prints 'Hello, World!' from a syscall on Mac OS X 10.8. It assembles and runs perfect when executed standalone. ; Assemble and link with: ; nasm -f macho64 -o HelloWorld.o HelloWorld.s ; ld -arch x86_64 -o HelloWorld HelloWorld.o global start section .text start: push rbp mov rbp, rsp jmp short String xor rdi, rdi mov di, 0x01 StringRet: pop rsi xor rdx, rdx mov dl, 0xE mov r8b, 0x02 shl r8, 24 or r8, 0x04 mov rax, r8 syscall ; System call for write(4) xor edi, edi mov r8b, 0x02 shl r8, 24 or r8, 0x01 mov rax, r8 syscall ; System call for exit(1) mov rsp, rbp

I am confused with the syscall of __NR_execve . When I learn linux system call. The correct way that I know to use execve is like this: char *sc[2]; sc[0]="/bin/sh"; sc[1]= NULL; execve(sc[0],sc,NULL); Then the function execve will call syscall() to get into system kernel with putting the arguments on Registers EAX , EBX , ECX and EDX . However, It still succeed if I use execve("/bin/sh",NULL,NULL); But if I replace "/bin/sh" with "/bin/ls" ，it fail with: A NULL argv[0] was passed through an exec system call. I wonder why "/bin/sh" can be executed successfully without enough parameters while "

Could anybody help me explaining these lines of code? char code[] = "paste your shellcode here"; int main(int argc, char **argv) { int (*func)(); func = (int (*)()) code; (int)(*func)(); } The code that you have here is an example of how to create a function pointer to an arbitrary slice of data and then call it. In a very simple sense we are allocating an array of bytes (char []) into which the binary shellcode payload is pasted, typically as escaped hex values. This line, int (*func)(); , declares a function pointer that will return an integer. This is typical because most code will have