Assembly execve /bin/bash (x64)


Question

I am new to asm and I am trying to execute a syscall to /bin/bash. However I am currently encountering the following problem:

My code works for any execve call whose 1st argument length is less than 8 bytes, i.e. "/bin/sh" or "/bin/ls":

.section .data

    name: .string "/bin/sh"

.section .text

.globl _start

_start:
    #third argument of execve, set to NULL
    xor %rdx, %rdx 

    #push nullbyte to the stack
    pushq %rdx 

    #push /bin/sh to the stack
    pushq name 

    #copy stack to rdi, 1st arg of execve
    mov %rsp, %rdi 

    #copy 59 to rax, defining syscall number for execve  
    movq $59, %rax 

    #3rd arg of execve set to NULL
    movq $0, %rsi 

    syscall

What puzzles me is that I cannot get it to work with

name: .string "/bin/bash"

I tried to split the string in parts, to pushq "/bash" then "/bin" to the stack, nothing seems to allow me to have it working and I get an "Illegal instruction" error every time. What am I doing wrong?

Non-working code:

.section .data

    name: .string "/bin/bash"

.section .text

.globl _start

_start:
    #third argument of execve, set to NULL
    xor %rdx, %rdx 

    #push nullbyte to the stack
    pushq %rdx 

    #push /bin/bash to the stack
    pushq name 

    #copy stack to rdi, 1st arg of execve
    mov %rsp, %rdi 

    #copy 59 to rax, defining syscall number for execve  
    movq $59, %rax 

    #3rd arg of execve set to NULL
    movq $0, %rsi 

    syscall

Other non-working code:

.section .data

.section .text

.globl _start

_start:
    #third argument of execve, set to NULL
    xor %rdx, %rdx 

    #push nullbyte to the stack
    pushq %rdx 

    #push /bin/bash to the stack
    pushq $0x68
    pushq $0x7361622f
    pushq $0x6e69622f

    #copy stack to rdi, 1st arg of execve
    mov %rsp, %rdi 

    #copy 59 to rax, defining syscall number for execve  
    movq $59, %rax 

    #3rd arg of execve set to NULL
    movq $0, %rsi 

    syscall

Answer

You seem to be totally confused, too much to list all the errors. Nevertheless, here is an incomplete list:

  1. you set esi to zero meaning argv is NULL
  2. push nullbyte to the stack is actually a NULL pointer for terminating the argv array (it's not a zero byte terminating a string).
  3. You need to put the address of the file name as argv[0]. You do not need to copy the string to the stack.

Here is a fixed version:

.section .data

    name: .string "/bin/bash"

.section .text

.globl _start

_start:
    # third argument of execve is envp, set to NULL
    xor %rdx, %rdx 

    # push NULL to the stack, argv terminator
    pushq %rdx 

    # first argument to execve is the file name
    leaq name, %rdi

    # also argv[0]
    push %rdi

    # second argument to execve is argv
    mov %rsp, %rsi

    #copy 59 to rax, defining syscall number for execve  
    movq $59, %rax 
    syscall

And a version that creates the string on the stack from code, without zero bytes:

.section .text

.globl _start

_start:
    # third argument of execve is envp, set to NULL
    xor %rdx, %rdx 

    # zero terminator
    push %rdx

    # space for string
    sub $16, %rsp

    # end is aligned to the zero terminator
    movb $0x2f, 7(%rsp)        # /
    movl $0x2f6e6962, 8(%rsp)  # bin/
    movl $0x68736162, 12(%rsp) # bash

    # first argument to execve is the file name
    leaq 7(%rsp), %rdi

    # push NULL to the stack, argv terminator
    pushq %rdx 

    # also argv[0]
    push %rdi

    # second argument to execve is argv
    mov %rsp, %rsi

    # copy 59 to rax, defining syscall number for execve
    # avoid zero byte
    xor %eax, %eax
    movb $59, %al 
    syscall
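To see concretely why a single `pushq` of the string data happens to work for "/bin/sh" but not for "/bin/bash", and how the answer's zero-free version ends up with a properly terminated file name and argv array, here is a small Python model of the stack. This is an added example, not code from the question or the answer; the `Stack` simulator and the assumption that the .data bytes following a short string are zero are ours.

```python
import struct

class Stack:
    """Little-endian x86-64 stack growing downward, modelled as a bytearray."""
    def __init__(self, size=64):
        self.mem = bytearray(size)
        self.rsp = size                 # top of the region

    def push64(self, value):            # pushq
        self.rsp -= 8
        self.mem[self.rsp:self.rsp + 8] = struct.pack("<Q", value)

    def store(self, offset, data):      # movb/movl $imm, off(%rsp)
        self.mem[self.rsp + offset:self.rsp + offset + len(data)] = data

    def cstring_at(self, addr):         # what execve reads through a char*
        return self.mem[addr:self.mem.index(0, addr)].decode()

    def qword_at(self, addr):
        return struct.unpack("<Q", self.mem[addr:addr + 8])[0]

def questioner_layout(name):
    """pushq %rdx ; pushq name : the second push copies the first 8 BYTES
    stored at `name`, not its address.  Bytes past the end of a short
    string are assumed to be zero here (constructed .data padding)."""
    data = (name.encode() + b"\0")[:8].ljust(8, b"\0")
    st = Stack()
    st.push64(0)
    st.push64(struct.unpack("<Q", data)[0])
    return st.cstring_at(st.rsp)        # file name execve would see

def answer_layout():
    """The answer's zero-free sequence, step by step."""
    st = Stack()
    st.push64(0)                        # push %rdx   (zero terminator)
    st.rsp -= 16                        # sub $16, %rsp
    st.store(7, b"/")                   # movb $0x2f, 7(%rsp)
    st.store(8, b"bin/")                # movl $0x2f6e6962, 8(%rsp)
    st.store(12, b"bash")               # movl $0x68736162, 12(%rsp)
    rdi = st.rsp + 7                    # leaq 7(%rsp), %rdi
    st.push64(0)                        # pushq %rdx  (argv terminator)
    st.push64(rdi)                      # push %rdi   (argv[0])
    rsi = st.rsp                        # mov %rsp, %rsi
    argv0, argv1 = st.qword_at(rsi), st.qword_at(rsi + 8)
    return st.cstring_at(rdi), st.cstring_at(argv0), argv1

if __name__ == "__main__":
    print(questioner_layout("/bin/sh"), questioner_layout("/bin/bash"))
    print(answer_layout())
```

With "/bin/sh" the 8 pushed bytes are the whole string plus its terminator, so execve sees a valid path; with "/bin/bash" the push stops after "/bin/bas" and the earlier zero qword terminates it there.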
