sys_execve system call from Assembly
Question
asm_execve.s:
.section .data
file_to_run:
.ascii "/bin/sh"
.section .text
.globl main
main:
pushl %ebp
movl %esp, %ebp
subl $0x8, %esp # array of two pointers. array[0] = file_to_run array[1] = 0
movl file_to_run, %edi
movl %edi, -0x4(%ebp)
movl $0, -0x8(%ebp)
movl $11, %eax # sys_execve
movl file_to_run, %ebx # file to execute
leal -4(%ebp), %ecx # command line parameters
movl $0, %edx # environment block
int $0x80
leave
ret
Makefile:
NAME = asm_execve
$(NAME) : $(NAME).s
gcc -o $(NAME) $(NAME).s
The program is executed, but sys_execve is not called:
alex@alex32:~/project$ make
gcc -o asm_execve asm_execve.s
alex@alex32:~/project$ ./asm_execve
alex@alex32:~/project$
The expected result is:
alex@alex32:~/project$ ./asm_execve
$ exit
alex@alex32:~/project$
This Assembly program is supposed to work like the following C code:
char *data[2];
data[0] = "/bin/sh";
data[1] = NULL;
execve(data[0], data, NULL);
Is something wrong in the system call parameters?
Answer
The execve system call is being called, but you are indeed passing it bad parameters. (You can see this by running your executable under strace.)
There are three problems:
- .ascii does not 0-terminate the string. (You might get lucky, as there is nothing following it in your .data section in this example, but that's not guaranteed...) Add a 0, or use .asciz (or .string) instead.
- movl file_to_run, %edi moves the value pointed to by the file_to_run symbol into %edi, i.e. the first 4 bytes of the string (0x6e69622f). The address of the string is just the value of the symbol itself, so you need to use the $ prefix for literal values: movl $file_to_run, %edi. Similarly, you need to say movl $file_to_run, %ebx a few lines further down. (This is a common source of confusion between AT&T syntax and Intel syntax!)
- The parameters are placed on the stack in the wrong order: -0x8(%ebp) is a lower address than -0x4(%ebp). So the address of the command string should be written to -0x8(%ebp), the 0 should be written to -0x4(%ebp), and the leal instruction should be leal -8(%ebp), %ecx.
Fixed code:
.section .data
file_to_run:
.asciz "/bin/sh"
.section .text
.globl main
main:
pushl %ebp
movl %esp, %ebp
subl $0x8, %esp # array of two pointers. array[0] = file_to_run array[1] = 0
movl $file_to_run, %edi
movl %edi, -0x8(%ebp)
movl $0, -0x4(%ebp)
movl $11, %eax # sys_execve
movl $file_to_run, %ebx # file to execute
leal -8(%ebp), %ecx # command line parameters
movl $0, %edx # environment block
int $0x80
leave
ret
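The following C program is an added example, not code from the question or the answer above. It models the three bugs the answer lists so that each can be checked on an ordinary 64-bit Linux host without assembling the 32-bit code (which on a current distribution would need gcc -m32 -no-pie, because the absolute $file_to_run operand cannot be linked into a PIE). ascii_path is a constructed image of what memory can look like after .ascii with other bytes following the string; the frame arrays model the two stack slots plus the saved %ebp; exec_and_wait issues execve through the raw syscall number, as int $0x80 does, with envp = NULL as in the post. It assumes Linux, a little-endian CPU and that /bin/sh exists.

```c
/* Added example (not from the original post): the three execve argument bugs
 * from the answer, modelled in C. Linux only; assumes /bin/sh exists.
 * Build: gcc -std=gnu11 -Wall -Wextra -o execve_args execve_args.c */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Bug 2: `movl file_to_run, %edi` loads the 4 bytes stored AT the label, not the
 * label's address. On a little-endian host the bytes '/','b','i','n' read back
 * as 0x6e69622f, which the kernel then rejects as a path pointer (EFAULT). */
uint32_t first_dword_le(const char *s)
{
    uint32_t v;
    memcpy(&v, s, sizeof v);
    return v;
}

/* Bug 1: `.ascii` emits no terminating NUL, so execve keeps reading until it
 * finds one. ascii_path is a constructed image of such memory with "XYZ"
 * following the string; asciz_path is what `.asciz "/bin/sh"` produces. */
static const char ascii_path[] = { '/', 'b', 'i', 'n', '/', 's', 'h', 'X', 'Y', 'Z', '\0' };
static const char asciz_path[] = "/bin/sh";

/* Returns 0 if path names an executable file, otherwise the errno the kernel
 * reports for the lookup (ENOENT for "/bin/shXYZ"). */
int path_lookup_errno(const char *path)
{
    return access(path, X_OK) == 0 ? 0 : errno;
}

/* argv must start with a non-NULL argv[0] and be terminated by a NULL within
 * max_slots entries. Returns 1 if so, 0 otherwise. */
int argv_well_formed(const char *const *argv, size_t max_slots)
{
    if (argv == NULL || argv[0] == NULL)
        return 0;
    for (size_t i = 1; i < max_slots; i++)
        if (argv[i] == NULL)
            return 1;
    return 0; /* no terminator: the kernel would walk into whatever follows */
}

/* Bug 3: model the 8-byte frame as three slots: frame[0] is -8(%ebp), frame[1]
 * is -4(%ebp), frame[2] is the saved %ebp at 0(%ebp) (nonzero garbage here). */
int buggy_frame_ok(void)
{
    const char *frame[3];
    frame[0] = NULL;                                /* movl $0, -0x8(%ebp)      */
    frame[1] = asciz_path;                          /* movl %edi, -0x4(%ebp)    */
    frame[2] = (const char *)(uintptr_t)0xdeadbeef; /* saved %ebp               */
    return argv_well_formed(&frame[1], 2);          /* leal -4(%ebp), %ecx -> 0 */
}

int fixed_frame_ok(void)
{
    const char *frame[3];
    frame[0] = asciz_path;                          /* movl %edi, -0x8(%ebp)    */
    frame[1] = NULL;                                /* movl $0, -0x4(%ebp)      */
    frame[2] = (const char *)(uintptr_t)0xdeadbeef; /* saved %ebp               */
    return argv_well_formed(&frame[0], 2);          /* leal -8(%ebp), %ecx -> 1 */
}

/* Run execve through the raw syscall number (as `int $0x80` does), in a child,
 * with envp = NULL as in the post. Returns the child's exit status, 127 if
 * execve itself failed, or -1 if fork/waitpid failed. */
int exec_and_wait(const char *path, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        syscall(SYS_execve, path, argv, NULL);
        _exit(127); /* only reached when execve returned an error */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* A well-formed argv for /bin/sh; the shell's own exit code proves execve ran. */
int sh_exit_status_demo(void)
{
    char *const argv[] = { "/bin/sh", "-c", "exit 42", NULL };
    return exec_and_wait(argv[0], argv);
}

int main(void)
{
    printf("movl file_to_run, %%edi would load 0x%08x, not an address\n", first_dword_le(asciz_path));
    printf(".ascii path -> errno %d, .asciz path -> errno %d\n",
           path_lookup_errno(ascii_path), path_lookup_errno(asciz_path));
    printf("argv from buggy frame well-formed: %d, from fixed frame: %d\n", buggy_frame_ok(), fixed_frame_ok());
    printf("/bin/sh -c 'exit 42' exited with %d\n", sh_exit_status_demo());
    return 0;
}
```

The first two checks need no process creation: the dword value shows why the `$` prefix matters, and access(2) shows that the kernel stops at the first NUL it finds, so a path that is not NUL-terminated resolves to whatever bytes happen to follow it. The frame functions show the argv the kernel would see from each stack layout; the last function confirms that, with a NUL-terminated path and a NULL-terminated argv, the raw execve syscall behaves exactly as the C call in the question.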