
组件Exeve/bin/bash(x64)

  • Goujon  · 技术社区  · 7 年前

    我是 asm 新手,正在尝试通过 execve 系统调用执行 /bin/bash。然而,我目前遇到以下问题:

    我的代码适用于任何第一个参数长度小于 8 字节的 execve 调用,例如 “/bin/sh” 或 “/bin/ls”:

    .section .data
    
        name: .string "/bin/sh"        # 7 chars + NUL appended by .string = exactly 8 bytes
    
    .section .text
    
    .globl _start
    
    _start:
        #third argument of execve (envp), set to NULL
        xor %rdx, %rdx 
    
        #push a zero qword; it ends up right after the 8 bytes pushed next
        #(redundant here, since those 8 bytes already end in NUL)
        pushq %rdx 
    
        #push /bin/sh to the stack
        #NOTE: in AT&T syntax a bare `name` is a memory operand, so this pushes the
        #8 bytes stored at name ("/bin/sh\0"), NOT its address. It only works
        #because the string happens to be exactly 8 bytes long.
        pushq name 
    
        #copy stack to rdi, 1st arg of execve: rdi -> "/bin/sh"
        mov %rsp, %rdi 
    
        #copy 59 to rax, defining syscall number for execve  
        movq $59, %rax 
    
        #2nd arg of execve (argv) set to NULL -- not the 3rd; envp is rdx above
        movq $0, %rsi 
    
        syscall
        #execve returns here only on failure; nothing follows, so a failed call
        #runs off the end of .text into whatever bytes come next
    

    让我困惑的是,换成下面这一行后我就无法让它工作:

    name: .string "/bin/bash"   # 9 chars + NUL = 10 bytes; no longer fits in the single 8-byte pushq used above
    

    我试过把字符串拆成几段,先 pushq “/bash” 再 pushq “/bin” 到堆栈上,但怎么做都不行,每次都报“非法指令”(illegal instruction)错误。我做错了什么?

    非工作代码:

    .section .data
    
        name: .string "/bin/bash"      # 9 chars + NUL appended by .string = 10 bytes
    
    .section .text
    
    .globl _start
    
    _start:
        #third argument of execve (envp), set to NULL
        xor %rdx, %rdx 
    
        #push a zero qword; it lands right after the 8 bytes pushed next
        pushq %rdx 
    
        #push /bin/bash to the stack
        #NOTE: a bare `name` is a memory operand in AT&T syntax, so this pushes only
        #the first 8 bytes at name ("/bin/bas"), NOT the address. Together with the
        #zero qword above, execve sees the path "/bin/bas", which does not exist.
        pushq name 
    
        #copy stack to rdi, 1st arg of execve
        mov %rsp, %rdi 
    
        #copy 59 to rax, defining syscall number for execve  
        movq $59, %rax 
    
        #2nd arg of execve (argv) set to NULL (envp is the 3rd, in rdx)
        movq $0, %rsi 
    
        syscall
        #execve returns here only on failure (rax = -errno); nothing follows, so
        #execution continues into whatever bytes come after .text -- presumably
        #the "illegal instruction" reported in the question
    

    其他非工作代码:

    .section .data
    
    .section .text
    
    .globl _start
    
    _start:
        #third argument of execve (envp), set to NULL
        xor %rdx, %rdx 
    
        #push a zero qword (ends up above the string bytes pushed next)
        pushq %rdx 
    
        #push /bin/bash to the stack
        #NOTE: each pushq of an immediate writes 8 bytes (imm32 sign-extended), so
        #every 4 string bytes are followed by 4 zero bytes. The lowest address,
        #where rdi will point, holds "/bin" then 0, so execve sees the path "/bin".
        pushq $0x68              # "h" + 7 zero bytes
        pushq $0x7361622f        # "/bas" + 4 zero bytes
        pushq $0x6e69622f        # "/bin" + 4 zero bytes  <- string as seen by execve
    
        #copy stack to rdi, 1st arg of execve
        mov %rsp, %rdi 
    
        #copy 59 to rax, defining syscall number for execve  
        movq $59, %rax 
    
        #2nd arg of execve (argv) set to NULL (envp is the 3rd, in rdx)
        movq $0, %rsi 
    
        syscall
        #execve returns here only on failure; nothing follows, so a failed call
        #runs off the end of .text
    
    1 回复  |  直到 7 年前
  •   Jester    7 年前

    您似乎完全搞混了,错误太多,无法一一列出。不过这里列出其中一部分:

    1. 您将 esi(即 %rsi)设置为零,意味着 argv 为 NULL。
    2. “push nullbyte to the stack” 实际上推入的是用于终止 argv 数组的 NULL 指针(它不是用于结束字符串的零字节)。
    3. 您需要把文件名的地址放入 argv[0]。您不需要把字符串复制到堆栈中。

    以下是固定版本:

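    .section .data
    
        name: .string "/bin/bash"      # NUL-terminated by .string
    
    .section .text
    
    .globl _start
    
    # _start: execve("/bin/bash", {"/bin/bash", NULL}, NULL); exit(1) if that fails.
    # ABI: Linux x86-64 raw syscall (rax = nr; args rdi, rsi, rdx). syscall clobbers rcx, r11.
    _start:
        # third argument of execve is envp, set to NULL
        xor %edx, %edx
    
        # push NULL to the stack, argv terminator
        pushq %rdx 
    
        # first argument to execve is the file name
        # (RIP-relative so the address is valid under PIE too; a bare `name`
        # would be a 32-bit absolute address)
        leaq name(%rip), %rdi
    
        # also argv[0]
        push %rdi
    
        # second argument to execve is argv: points at the two qwords just pushed
        mov %rsp, %rsi
    
        # copy 59 to rax, defining syscall number for execve  
        movq $59, %rax 
        syscall
    
        # execve returns only on failure (rax = -errno). Without an exit here,
        # execution would run off the end of .text, which is most likely the
        # "illegal instruction" seen in the question.  exit(1) is syscall 60.
        movq $60, %rax
        movq $1, %rdi
        syscall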
    

    以及由代码在运行时把字符串构造在堆栈上(指令编码中不含零字节)的版本:

    .section .text
    
    .globl _start
    
    # _start: execve("/bin/bash", {"/bin/bash", NULL}, NULL) with the path written
    # to the stack at run time instead of living in .data.
    # Stack layout after `sub $16, %rsp` (offsets from %rsp):
    #   +0..6    unused padding
    #   +7       '/'      (movb 0x2f)
    #   +8..11   "bin/"   (movl 0x2f6e6962, little-endian)
    #   +12..15  "bash"   (movl 0x68736162, little-endian)
    #   +16..23  0        (qword pushed from %rdx) -> NUL terminator of the path
    _start:
        # third argument of execve is envp, set to NULL
        xor %rdx, %rdx 
    
        # zero terminator (8 zero bytes; the path's NUL is the first of them)
        push %rdx
    
        # space for string
        sub $16, %rsp
    
        # end is aligned to the zero terminator
        movb $0x2f, 7(%rsp)        # /
        movl $0x2f6e6962, 8(%rsp)  # bin/
        movl $0x68736162, 12(%rsp) # bash
    
        # first argument to execve is the file name: rdi -> "/bin/bash" at rsp+7
        leaq 7(%rsp), %rdi
    
        # push NULL to the stack, argv terminator
        pushq %rdx 
    
        # also argv[0]
        push %rdi
    
        # second argument to execve is argv (the two qwords just pushed)
        mov %rsp, %rsi
    
        # copy 59 to rax, defining syscall number for execve
        # avoid zero byte: `movq $59, %rax` would encode a 32-bit immediate
        # containing zero bytes, so zero the register and write only %al
        xor %eax, %eax
        movb $59, %al 
        syscall
        # execve returns here only on failure; nothing follows, so a failed
        # call runs off the end of .text
    