Segmentation fault assembly i386:x86_64


Question

I'm working on i386:x86_64 and I'm writing a simple program to start a shell. Below is my assembly.

.section .data
.section .text
.globl _start

_start:
    xor %rax, %rax
    mov $70, %al
    xor %rbx, %rbx
    xor %rcx, %rcx
    int $0x80

    jmp ender

starter:
    pop %rbx
    xor %rax, %rax
    mov %al, 0x07(%rbx)
    mov %rbx, 0x08(%rbx)
    mov %rax, 0x0c(%rbx)
    mov $11, %al
    lea 0x08(%rbx), %rcx
    lea 0x0c(%rbx), %rdx
    int $0x80

ender:
    call starter
    .string "/bin/sh"

The problem is that I keep getting a segmentation fault. When I use objdump -D my_prog the output is this ...

Disassembly of section .text:

0000000000400078 <_start>:
  400078:   48 31 c0                xor    %rax,%rax
  40007b:   b0 46                   mov    $0x46,%al
  40007d:   48 31 db                xor    %rbx,%rbx
  400080:   48 31 c9                xor    %rcx,%rcx
  400083:   cd 80                   int    $0x80
  400085:   eb 1b                   jmp    4000a2 <ender>

0000000000400087 <starter>:
  400087:   5b                      pop    %rbx
  400088:   48 31 c0                xor    %rax,%rax
  40008b:   88 43 07                mov    %al,0x7(%rbx)
  40008e:   48 89 5b 08             mov    %rbx,0x8(%rbx)
  400092:   48 89 43 0c             mov    %rax,0xc(%rbx)
  400096:   b0 0b                   mov    $0xb,%al
  400098:   48 8d 4b 08             lea    0x8(%rbx),%rcx
  40009c:   48 8d 53 0c             lea    0xc(%rbx),%rdx
  4000a0:   cd 80                   int    $0x80

00000000004000a2 <ender>:
  4000a2:   e8 e0 ff ff ff          callq  400087 <starter>
  4000a7:   2f                      (bad)  
  4000a8:   62                      (bad)  
  4000a9:   69                      .byte 0x69
  4000aa:   6e                      outsb  %ds:(%rsi),(%dx)
  4000ab:   2f                      (bad)  
  4000ac:   73 68                   jae    400116 <ender+0x74>

I'm going to take a guess and say that it is the addresses that are marked (bad) which are causing the seg fault. I know this is happening because it wants to access memory that is not allocated to it. I'm not really sure what I should do. I am running Linux.

Thanks for your help!

Answer

It's segfaulting because you are attempting to write data to a code (.text) area of memory. Executable code areas are almost always marked as read-only.

Here's your code with some additional comments.

.section .data
.section .text
.globl _start

_start:
    xor %rax, %rax
    mov $70, %al
    xor %rbx, %rbx
    xor %rcx, %rcx
    # call sys_setreuid(0,0)   (';' is a statement separator in GAS x86 syntax, so comments use '#')
    int $0x80

    jmp ender

starter:
    # take the return address off the stack
    # rbx will point to the /bin/sh string after the call instruction
    pop %rbx
    # zero rax
    xor %rax, %rax
    # save a zero byte to the end of the /bin/sh string (it's 7 characters long)...
    # (it will segfault here because you're writing to a read-only area)
    mov %al, 0x07(%rbx)
    # ...followed by a pointer to the string...
    mov %rbx, 0x08(%rbx)
    # ...followed by another zero value
    mov %rax, 0x0c(%rbx)
    # setup the parameters for a sys_execve call
    mov $11, %al
    lea 0x08(%rbx), %rcx
    lea 0x0c(%rbx), %rdx
    int $0x80

    # what happens when int 0x80 returns?
    # you should do something here or starter will be called again

ender:
    call starter
    .string "/bin/sh"

There are other issues with the code. Consider:

mov %rbx, 0x08(%rbx)
mov %rax, 0x0c(%rbx)

%rbx is an 8 byte value, but the code only gives it 4 bytes worth of space (0x0c-0x08 = 4). If you want to get it working, you'll need to move the string into a .data area (with some additional space after it) and change the code to make it 64-bit friendly.
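A corrected version of the program, added here as an example (it is not part of the original question or answer), that follows the answer's advice: the string and the argv array live in the writable .data section, each argv slot is an 8-byte .quad rather than the 4 bytes the original left for it, and the 64-bit syscall instruction with the x86-64 syscall numbers (setreuid = 113, execve = 59, exit = 60) and register convention (%rdi, %rsi, %rdx) replaces int $0x80, whose 32-bit call table and 32-bit argument registers are the other reason the original was not "64-bit friendly". The labels cmd and argv are names chosen for this example.

```asm
# fixed_shell.s -- added example, not the original poster's code.
# Build: as -o fixed_shell.o fixed_shell.s && ld -o fixed_shell fixed_shell.o
# Run:   ./fixed_shell   (you land in /bin/sh; leave it with Ctrl-D)

.section .data
cmd:
    .string "/bin/sh"          # .string appends the NUL, so no byte needs patching at runtime
argv:
    .quad cmd                  # argv[0] -> "/bin/sh": an 8-byte pointer, not 4 bytes
    .quad 0                    # argv[1] = NULL terminates the array

.section .text
.globl _start
_start:
    # setreuid(0, 0): x86-64 syscall 113, arguments in %rdi and %rsi
    mov $113, %eax             # 32-bit mov zero-extends into %rax
    xor %edi, %edi
    xor %esi, %esi
    syscall

    # execve("/bin/sh", argv, NULL): x86-64 syscall 59
    mov $59, %eax
    lea cmd(%rip), %rdi        # filename
    lea argv(%rip), %rsi       # argv
    xor %edx, %edx             # envp = NULL
    syscall

    # only reached if execve fails: exit(1) instead of running off the end of .text
    mov $60, %eax
    mov $1, %edi
    syscall
```

Confirm the section permissions with readelf -S fixed_shell: .text should carry the AX flags (alloc, execute) and .data WA (writable, alloc), which is exactly why the original's mov %al, 0x07(%rbx) into .text faulted while the same store into .data does not. If you want to keep the call/pop trick, for instance for position-independent shellcode where the string has to travel with the code, either build the string and the pointer array on the stack instead of patching bytes after the call, or link with ld -N (--omagic), which marks the text segment writable; the stack-based form is what real shellcode uses.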
