Errata:
- After "So as we can see there is not much to the execve() system call. All we need to do is:", the steps are typo'ed. They should read:
  - Copy 0xb into the EAX register
  - Copy the address of "/bin/sh" into the EBX register
  - Copy the address of the address of "/bin/sh" into the ECX register
- The same issue exists in the following list (the one following "Our list of steps is now").
- When considering the arguments to execve(), the paper is not consistent about what goes in %edx. In the original disassembly, the 0 word is moved into %edx (and where it says "Copy the address of the null pointer into %edx" is a typo). In the shellcode, %edx gets the address of a memory word that contains 0. (And to be clear, %edx and EDX refer to the same thing in the paper.)