The requirements for your shellcode are:

- Length between 31 and 40
- No zero byte (`\x00`) or `strlen` will fail
- No `'\n'` byte (`\x0A`) or `fgets` will fail
- No `"/bin/sh"` substring
Your first instruction is `push $0`, so the first two bytes of your shellcode are `\x6A\x00`. The size of the buffer is 1 (`strlen` stops at a null byte). That's why you get the error that your shellcode is less than 30 bytes!
Consider this shellcode, which is equivalent to yours, except that it uses `push $1` to avoid the null byte:

```
6A01     push $1               ; to avoid the null byte
6A02     push $2
89E3     movl %esp, %ebx       ; ebx now points to the top of the stack
31C9     xorl %ecx, %ecx       ; ecx = 0
B0A2     mov $162, %al         ; eax = 162 (only %al is written, so the upper bytes of eax must already be 0)
CD80     int $0x80             ; sys_nanosleep, because eax = 162, with arguments ebx and ecx (ebx -> {tv_sec = 2, tv_nsec = 1}, ecx = NULL)
31DB     xorl %ebx, %ebx       ; ebx = 0
8D4301   leal 0x1(%ebx), %eax  ; eax = 1 (encoded without the 0x67 address-size prefix, which in 32-bit code would switch this to 16-bit addressing)
90       nop                   ; padding so the sequence stays 20 bytes long
CD80     int $0x80             ; sys_exit, because eax = 1, with exit code 0 (ebx value)
```

Basically, this shellcode waits 2 seconds (and 1 nanosecond) and exits. `int $0x80` is a system call that depends on the `eax` value; more information here.

You still have a problem: the length of this shellcode is 20 bytes. You just have to add eleven NOPs (`0x90`) at the beginning (or at the end) to satisfy the requirement.

Try this:

```
echo -e '\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x6A\x01\x6A\x02\x89\xE3\x31\xC9\xB0\xA2\xCD\x80\x31\xDB\x8D\x43\x01\x90\xCD\x80' > shellcode.bin
./runshell shellcode.bin
```

If the program waits 2 seconds and successfully exits (with code 0), then the shellcode was executed.
If necessary, I can explain to you how to write a shellcode that gets the rights of the `runshell` program, which is often the goal of this kind of exercise (and obviously the case here, given the test on `"/bin/sh"`).
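A small checker for the constraints listed at the top of this answer, added here as an example (it is not part of the original answer): it decodes an `echo -e` style string of `\xHH` escapes, reports the length that `strlen()` would see, and flags a newline byte, the `/bin/sh` substring and an out-of-range length. The two sample payloads are constructed for this example: one that starts with `push $0` (`\x6A\x00`) as a stand-in for the asker's version, and the NOP-padded nanosleep/exit sequence from this answer, with `leal 0x1(%ebx), %eax` encoded as `8D 43 01` plus a `nop` (no `0x67` prefix). The bounds, forbidden bytes and substring are the ones quoted from the exercise.

```python
import re
from typing import List

# Constraints taken from the exercise statement quoted in the answer.
MIN_LEN, MAX_LEN = 31, 40
FORBIDDEN_SUBSTR = b"/bin/sh"

# Constructed sample payloads (inputs made up for this example).
# Stand-in for the asker's version: first instruction is `push $0` (6A 00).
ASKER_STYLE = (r"\x6A\x00\x6A\x02\x89\xE3\x31\xC9\xB0\xA2\xCD\x80"
               r"\x31\xDB\x8D\x43\x01\x90\xCD\x80" + r"\x90" * 11)
# The answer's 31-byte payload: 11 NOPs, then push $1 / push $2 / nanosleep / exit.
ANSWER_PAYLOAD = (r"\x90" * 11
                  + r"\x6A\x01\x6A\x02\x89\xE3\x31\xC9\xB0\xA2\xCD\x80"
                  + r"\x31\xDB\x8D\x43\x01\x90\xCD\x80")


def parse_escapes(text: str) -> bytes:
    """Decode an `echo -e` style string of \\xHH escapes into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9A-Fa-f]{2})", text))


def c_strlen(buf: bytes) -> int:
    """Length as C strlen() reports it: the number of bytes before the first NUL."""
    nul = buf.find(b"\x00")
    return len(buf) if nul < 0 else nul


def check_shellcode(buf: bytes) -> List[str]:
    """Return the list of violated constraints; an empty list means the payload passes."""
    problems = []
    seen = c_strlen(buf)
    if seen != len(buf):
        # The bytes after the NUL are still on disk, but strlen() never counts them.
        problems.append(f"NUL byte at offset {seen}: strlen() sees {seen} of {len(buf)} bytes")
    if b"\x0A" in buf:
        problems.append(f"newline byte at offset {buf.index(0x0A)}: fgets() stops reading there")
    if FORBIDDEN_SUBSTR in buf:
        problems.append(f"forbidden substring {FORBIDDEN_SUBSTR!r} at offset {buf.index(FORBIDDEN_SUBSTR)}")
    if not MIN_LEN <= seen <= MAX_LEN:
        problems.append(f"effective length {seen} is outside {MIN_LEN}..{MAX_LEN}")
    return problems


if __name__ == "__main__":
    for name, text in (("asker-style", ASKER_STYLE), ("answer", ANSWER_PAYLOAD)):
        buf = parse_escapes(text)
        print(f"{name}: {len(buf)} bytes on disk, {c_strlen(buf)} as seen by strlen()")
        for problem in check_shellcode(buf) or ["OK"]:
            print("  ", problem)
```

Running it shows why the asker's version is rejected even though the file is 31 bytes long: `strlen()` stops at the second byte, so the program measures a 1-byte shellcode. The answer's payload passes every check.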