程序集执行 /bin/bash (x64)
Assembly execve /bin/bash (x64)
我是 asm 的新手,我正在尝试对 /bin/bash 执行系统调用。但是我目前遇到以下问题:
我的代码适用于第一个参数长度小于 8 字节的任何 execve 调用,即“/bin/sh”或“/bin/ls”:
.section .data
# NUL-terminated path; .string appends the terminating zero byte (8 bytes in total)
name: .string "/bin/sh"
.section .text
.globl _start
# _start: execve("/bin/sh", NULL, NULL) through the raw Linux x86-64 syscall
# interface (GAS AT&T syntax; rax = syscall number, args in rdi, rsi, rdx).
# NOTE(review): "movq , %rax" and "[=11=]" are extraction artifacts on this page;
# per the comments the intended operands are $59 (execve) and $0.
_start:
# third argument of execve (envp), set to NULL
xor %rdx, %rdx
# push 8 zero bytes; they serve as the NUL terminator for the bytes pushed next
pushq %rdx
# pushes the 8 bytes STORED AT name (the string contents "/bin/sh\0"),
# not the address of name; this only works while path + NUL fits in 8 bytes
pushq name
# rdi = address of the string now on the stack, 1st arg of execve (filename)
mov %rsp, %rdi
# rax = 59, syscall number for execve on x86-64 Linux
movq , %rax
# 2nd arg of execve (argv, not the 3rd) set to NULL
movq [=11=], %rsi
syscall
# no failure path: if execve returns (rax = -errno) execution runs off the end of _start
令我困惑的是,把字符串换成下面这一行后它就无法工作了:
name: .string "/bin/bash"
我试过把字符串拆成几部分,先把“/bash”再把“/bin”压入堆栈,但怎么都无法让它工作,每次都得到 "Illegal instruction" 错误。我究竟做错了什么?
非工作代码:
.section .data
# NUL-terminated path: 9 characters plus the zero byte, 10 bytes in total
name: .string "/bin/bash"
.section .text
.globl _start
# _start: intended execve("/bin/bash", NULL, NULL) through the raw Linux x86-64
# syscall interface (GAS AT&T syntax; rax = syscall number, args rdi, rsi, rdx).
# NOTE(review): "movq , %rax" and "[=13=]" are extraction artifacts on this page;
# per the comments the intended operands are $59 (execve) and $0.
_start:
# third argument of execve (envp), set to NULL
xor %rdx, %rdx
# push 8 zero bytes; they end up directly above the bytes pushed next
pushq %rdx
# BUG: pushes the 8 bytes STORED AT name, i.e. "/bin/bas" without the trailing
# "h\0", not the address of name.  With the zero qword above it the kernel
# therefore sees the path "/bin/bas", which does not exist, so execve fails
# and returns instead of replacing the process.
pushq name
# rdi = address of "/bin/bas" on the stack, 1st arg of execve (filename)
mov %rsp, %rdi
# rax = 59, syscall number for execve on x86-64 Linux
movq , %rax
# 2nd arg of execve (argv, not the 3rd) set to NULL
movq [=13=], %rsi
syscall
# no failure path: when execve returns, execution continues past the end of
# _start into whatever follows in memory -- a plausible cause of the reported
# "Illegal instruction" (presumed; not verifiable from this listing alone)
其他无效代码:
.section .data
.section .text
.globl _start
# _start: intended execve("/bin/bash", NULL, NULL) with the path assembled on the
# stack by three pushes (GAS AT&T syntax; Linux x86-64 syscall ABI).
# NOTE(review): "movq , %rax" and "[=14=]" are extraction artifacts on this page;
# per the comments the intended operands are $59 (execve), $0x68 etc., and $0.
_start:
# third argument of execve (envp), set to NULL
xor %rdx, %rdx
# push 8 zero bytes (terminator)
pushq %rdx
# BUG: pushq of an immediate always writes a full 8-byte slot, so each push
# leaves its upper bytes zero: "h\0\0\0\0\0\0\0", then "/bas\0\0\0\0", then
# "/bin\0\0\0\0".  The memory at rsp therefore reads "/bin" followed by a zero
# byte, so the kernel sees the path "/bin" (a directory), not "/bin/bash".
# The pieces must be stored contiguously (byte/dword stores at adjacent
# offsets) to form a single string.
pushq [=14=]x68
pushq [=14=]x7361622f
pushq [=14=]x6e69622f
# rdi = rsp, 1st arg of execve (filename)
mov %rsp, %rdi
# rax = 59, syscall number for execve on x86-64 Linux
movq , %rax
# 2nd arg of execve (argv, not the 3rd) set to NULL
movq [=14=], %rsi
syscall
# no failure path: when execve returns, execution continues past the end of _start
您似乎完全糊涂了,无法列出所有错误。不过,这是一个不完整的列表:
- 你将 esi 设置为零,意味着 argv 是 NULL。“push nullbyte to the stack” 实际上压入的是一个 NULL 指针,用于终止 argv 数组(它不是一个终止字符串的零字节)。
- 你需要把文件名的地址写入 argv[0]。您不需要将字符串复制到堆栈。
这里是固定版本:
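.section .data
# NUL-terminated path; .string appends the terminating zero byte
name: .string "/bin/bash"
.section .text
.globl _start
#-----------------------------------------------------------------------
# _start: execve("/bin/bash", argv, envp) with argv = {&name, NULL} and
#         envp = NULL, through the raw Linux x86-64 syscall interface.
# Syntax: GAS AT&T.  ABI: Linux x86-64 syscall (rax = nr; args rdi, rsi, rdx).
# Stack at the syscall: [rsp] = &name (argv[0]), [rsp+8] = 0 (argv terminator).
# execve only returns on failure; that case exits with status 1 instead of
# running off the end of .text.
#-----------------------------------------------------------------------
_start:
# third argument of execve is envp, set to NULL
xor %rdx, %rdx
# push NULL to the stack, argv terminator
pushq %rdx
# first argument to execve is the file name; RIP-relative so the object also
# links as PIE (a plain "leaq name, %rdi" needs a 32-bit absolute relocation)
leaq name(%rip), %rdi
# the same pointer is argv[0]
pushq %rdi
# second argument to execve is argv, i.e. the two slots just pushed
mov %rsp, %rsi
# rax = 59, syscall number for execve on x86-64 Linux (32-bit write zero-extends)
movl $59, %eax
syscall
# only reached if execve failed (rax = -errno): exit(1) rather than fall through
movl $60, %eax
movl $1, %edi
syscall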
以及由代码在堆栈上构造字符串、且不含零字节的版本:
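.section .text
.globl _start
#-----------------------------------------------------------------------
# _start: execve("/bin/bash", argv, envp) with argv = {path, NULL}, envp = NULL.
# The path is written onto the stack by the code itself instead of living in
# .data, and (the stated goal of this variant) the instruction encodings avoid
# zero bytes, which is why rax is loaded with xor + movb rather than movq $59.
# Syntax: GAS AT&T.  ABI: Linux x86-64 syscall (rax = nr; args rdi, rsi, rdx).
# Stack just before the syscall (byte offsets from rsp):
#    0  argv[0] = rdi (pointer to the path)
#    8  NULL, argv terminator
#   16  7 unused padding bytes
#   23  "/bin/bash" (9 bytes, 23..31)
#   32  zero qword, terminates the path
#-----------------------------------------------------------------------
_start:
# third argument of execve is envp, set to NULL
xor %rdx, %rdx
# zero terminator for the path (a full zero qword)
push %rdx
# reserve 16 bytes; the 9 path bytes occupy offsets 7..15, ending right below
# the terminator
sub $16, %rsp
# write the path in place (little-endian, so the dwords read left to right)
movb $0x2f, 7(%rsp)           # "/"
movl $0x2f6e6962, 8(%rsp)     # "bin/"
movl $0x68736162, 12(%rsp)    # "bash"
# first argument to execve is the file name
leaq 7(%rsp), %rdi
# push NULL to the stack, argv terminator
pushq %rdx
# the same pointer is argv[0]
push %rdi
# second argument to execve is argv, i.e. the two slots just pushed
mov %rsp, %rsi
# rax = 59, syscall number for execve on x86-64 Linux; xor + movb keeps the
# encoding free of zero bytes
xor %eax, %eax
movb $59, %al
syscall
# NOTE(review): no failure path -- if execve returns (rax = -errno) execution
# runs off the end of _start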
我是 asm 的新手,我正在尝试对 /bin/bash 执行系统调用。但是我目前遇到以下问题:
我的代码适用于第一个参数长度小于 8 字节的任何 execve 调用,即“/bin/sh”或“/bin/ls”:
.section .data
# NUL-terminated path; .string appends the terminating zero byte (8 bytes in total)
name: .string "/bin/sh"
.section .text
.globl _start
# _start: execve("/bin/sh", NULL, NULL) through the raw Linux x86-64 syscall
# interface (GAS AT&T syntax; rax = syscall number, args in rdi, rsi, rdx).
# NOTE(review): "movq , %rax" and "[=11=]" are extraction artifacts on this page;
# per the comments the intended operands are $59 (execve) and $0.
_start:
# third argument of execve (envp), set to NULL
xor %rdx, %rdx
# push 8 zero bytes; they serve as the NUL terminator for the bytes pushed next
pushq %rdx
# pushes the 8 bytes STORED AT name (the string contents "/bin/sh\0"),
# not the address of name; this only works while path + NUL fits in 8 bytes
pushq name
# rdi = address of the string now on the stack, 1st arg of execve (filename)
mov %rsp, %rdi
# rax = 59, syscall number for execve on x86-64 Linux
movq , %rax
# 2nd arg of execve (argv, not the 3rd) set to NULL
movq [=11=], %rsi
syscall
# no failure path: if execve returns (rax = -errno) execution runs off the end of _start
令我困惑的是,把字符串换成下面这一行后它就无法工作了:
name: .string "/bin/bash"
我试过把字符串拆成几部分,先把“/bash”再把“/bin”压入堆栈,但怎么都无法让它工作,每次都得到 "Illegal instruction" 错误。我究竟做错了什么?
非工作代码:
.section .data
# NUL-terminated path: 9 characters plus the zero byte, 10 bytes in total
name: .string "/bin/bash"
.section .text
.globl _start
# _start: intended execve("/bin/bash", NULL, NULL) through the raw Linux x86-64
# syscall interface (GAS AT&T syntax; rax = syscall number, args rdi, rsi, rdx).
# NOTE(review): "movq , %rax" and "[=13=]" are extraction artifacts on this page;
# per the comments the intended operands are $59 (execve) and $0.
_start:
# third argument of execve (envp), set to NULL
xor %rdx, %rdx
# push 8 zero bytes; they end up directly above the bytes pushed next
pushq %rdx
# BUG: pushes the 8 bytes STORED AT name, i.e. "/bin/bas" without the trailing
# "h\0", not the address of name.  With the zero qword above it the kernel
# therefore sees the path "/bin/bas", which does not exist, so execve fails
# and returns instead of replacing the process.
pushq name
# rdi = address of "/bin/bas" on the stack, 1st arg of execve (filename)
mov %rsp, %rdi
# rax = 59, syscall number for execve on x86-64 Linux
movq , %rax
# 2nd arg of execve (argv, not the 3rd) set to NULL
movq [=13=], %rsi
syscall
# no failure path: when execve returns, execution continues past the end of
# _start into whatever follows in memory -- a plausible cause of the reported
# "Illegal instruction" (presumed; not verifiable from this listing alone)
其他无效代码:
.section .data
.section .text
.globl _start
# _start: intended execve("/bin/bash", NULL, NULL) with the path assembled on the
# stack by three pushes (GAS AT&T syntax; Linux x86-64 syscall ABI).
# NOTE(review): "movq , %rax" and "[=14=]" are extraction artifacts on this page;
# per the comments the intended operands are $59 (execve), $0x68 etc., and $0.
_start:
# third argument of execve (envp), set to NULL
xor %rdx, %rdx
# push 8 zero bytes (terminator)
pushq %rdx
# BUG: pushq of an immediate always writes a full 8-byte slot, so each push
# leaves its upper bytes zero: "h\0\0\0\0\0\0\0", then "/bas\0\0\0\0", then
# "/bin\0\0\0\0".  The memory at rsp therefore reads "/bin" followed by a zero
# byte, so the kernel sees the path "/bin" (a directory), not "/bin/bash".
# The pieces must be stored contiguously (byte/dword stores at adjacent
# offsets) to form a single string.
pushq [=14=]x68
pushq [=14=]x7361622f
pushq [=14=]x6e69622f
# rdi = rsp, 1st arg of execve (filename)
mov %rsp, %rdi
# rax = 59, syscall number for execve on x86-64 Linux
movq , %rax
# 2nd arg of execve (argv, not the 3rd) set to NULL
movq [=14=], %rsi
syscall
# no failure path: when execve returns, execution continues past the end of _start
您似乎完全糊涂了,无法列出所有错误。不过,这是一个不完整的列表:
- 你将 esi 设置为零,意味着 argv 是 NULL。“push nullbyte to the stack” 实际上压入的是一个 NULL 指针,用于终止 argv 数组(它不是一个终止字符串的零字节)。
- 你需要把文件名的地址写入 argv[0]。您不需要将字符串复制到堆栈。
这里是固定版本:
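.section .data
# NUL-terminated path; .string appends the terminating zero byte
name: .string "/bin/bash"
.section .text
.globl _start
#-----------------------------------------------------------------------
# _start: execve("/bin/bash", argv, envp) with argv = {&name, NULL} and
#         envp = NULL, through the raw Linux x86-64 syscall interface.
# Syntax: GAS AT&T.  ABI: Linux x86-64 syscall (rax = nr; args rdi, rsi, rdx).
# Stack at the syscall: [rsp] = &name (argv[0]), [rsp+8] = 0 (argv terminator).
# execve only returns on failure; that case exits with status 1 instead of
# running off the end of .text.
#-----------------------------------------------------------------------
_start:
# third argument of execve is envp, set to NULL
xor %rdx, %rdx
# push NULL to the stack, argv terminator
pushq %rdx
# first argument to execve is the file name; RIP-relative so the object also
# links as PIE (a plain "leaq name, %rdi" needs a 32-bit absolute relocation)
leaq name(%rip), %rdi
# the same pointer is argv[0]
pushq %rdi
# second argument to execve is argv, i.e. the two slots just pushed
mov %rsp, %rsi
# rax = 59, syscall number for execve on x86-64 Linux (32-bit write zero-extends)
movl $59, %eax
syscall
# only reached if execve failed (rax = -errno): exit(1) rather than fall through
movl $60, %eax
movl $1, %edi
syscall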
以及由代码在堆栈上构造字符串、且不含零字节的版本:
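.section .text
.globl _start
#-----------------------------------------------------------------------
# _start: execve("/bin/bash", argv, envp) with argv = {path, NULL}, envp = NULL.
# The path is written onto the stack by the code itself instead of living in
# .data, and (the stated goal of this variant) the instruction encodings avoid
# zero bytes, which is why rax is loaded with xor + movb rather than movq $59.
# Syntax: GAS AT&T.  ABI: Linux x86-64 syscall (rax = nr; args rdi, rsi, rdx).
# Stack just before the syscall (byte offsets from rsp):
#    0  argv[0] = rdi (pointer to the path)
#    8  NULL, argv terminator
#   16  7 unused padding bytes
#   23  "/bin/bash" (9 bytes, 23..31)
#   32  zero qword, terminates the path
#-----------------------------------------------------------------------
_start:
# third argument of execve is envp, set to NULL
xor %rdx, %rdx
# zero terminator for the path (a full zero qword)
push %rdx
# reserve 16 bytes; the 9 path bytes occupy offsets 7..15, ending right below
# the terminator
sub $16, %rsp
# write the path in place (little-endian, so the dwords read left to right)
movb $0x2f, 7(%rsp)           # "/"
movl $0x2f6e6962, 8(%rsp)     # "bin/"
movl $0x68736162, 12(%rsp)    # "bash"
# first argument to execve is the file name
leaq 7(%rsp), %rdi
# push NULL to the stack, argv terminator
pushq %rdx
# the same pointer is argv[0]
push %rdi
# second argument to execve is argv, i.e. the two slots just pushed
mov %rsp, %rsi
# rax = 59, syscall number for execve on x86-64 Linux; xor + movb keeps the
# encoding free of zero bytes
xor %eax, %eax
movb $59, %al
syscall
# NOTE(review): no failure path -- if execve returns (rax = -errno) execution
# runs off the end of _start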