我是asm的新手,我正在尝试对/ bin / bash执行系统调用。但是我目前遇到以下问题:
我的代码适用于第一个参数长度小于8个字节的任何execve调用,即“/ bin / sh”或“/ bin / ls”:
.section .data
name: .string "/bin/sh"
.section .text
.globl _start
_start:
#third argument of execve, set to NULL
xor %rdx, %rdx
#push nullbyte to the stack
pushq %rdx
#push /bin/sh to the stack
pushq name
#copy stack to rdi, 1st arg of execve
mov %rsp, %rdi
#copy 59 to rax, defining syscall number for execve
movq $59, %rax
#3rd arg of execve set to NULL
movq $0, %rsi
syscall
让我感到困惑的是,我无法使用
name: .string "/bin/bash"
我试图将字符串分成几部分,将pushq“/ bash”然后“/ bin”分成堆栈,似乎没有任何东西可以让它工作,每次都会出现“非法指令”错误。我究竟做错了什么?
非工作代码:
.section .data
name: .string "/bin/bash"
.section .text
.globl _start
_start:
#third argument of execve, set to NULL
xor %rdx, %rdx
#push nullbyte to the stack
pushq %rdx
#push /bin/sh to the stack
pushq name
#copy stack to rdi, 1st arg of execve
mov %rsp, %rdi
#copy 59 to rax, defining syscall number for execve
movq $59, %rax
#3rd arg of execve set to NULL
movq $0, %rsi
syscall
其他非工作代码:
.section .data
.section .text
.globl _start
_start:
#third argument of execve, set to NULL
xor %rdx, %rdx
#push nullbyte to the stack
pushq %rdx
#push /bin/bash to the stack
pushq $0x68
pushq $0x7361622f
pushq $0x6e69622f
#copy stack to rdi, 1st arg of execve
mov %rsp, %rdi
#copy 59 to rax, defining syscall number for execve
movq $59, %rax
#3rd arg of execve set to NULL
movq $0, %rsi
syscall
答案 0 :(得分:4)
你似乎完全困惑,列出所有错误太多了。不过,这里有一个不完整的清单:
argv
为NULL
push nullbyte to the stack
实际上是一个NULL
指针,用于终止argv
数组(它不是终止字符串的零字节)。argv[0]
。您不需要将字符串复制到堆栈。这是一个固定版本:
.section .data
name: .string "/bin/bash"
.section .text
.globl _start
_start:
# third argument of execve is envp, set to NULL
xor %rdx, %rdx
# push NULL to the stack, argv terminator
pushq %rdx
# first argument to execve is the file name
leaq name, %rdi
# also argv[0]
push %rdi
# second argument to execve is argv
mov %rsp, %rsi
#copy 59 to rax, defining syscall number for execve
movq $59, %rax
syscall
一个从代码创建堆栈字符串的版本,没有零字节:
.section .text
.globl _start
_start:
# third argument of execve is envp, set to NULL
xor %rdx, %rdx
# zero terminator
push %rdx
# space for string
sub $16, %rsp
# end is aligned to the zero terminator
movb $0x2f, 7(%rsp) # /
movl $0x2f6e6962, 8(%rsp) # bin/
movl $0x68736162, 12(%rsp) # bash
# first argument to execve is the file name
leaq 7(%rsp), %rdi
# push NULL to the stack, argv terminator
pushq %rdx
# also argv[0]
push %rdi
# second argument to execve is argv
mov %rsp, %rsi
# copy 59 to rax, defining syscall number for execve
# avoid zero byte
xor %eax, %eax
movb $59, %al
syscall