汇编:execve /bin/bash(x64)

时间:2017-12-20 00:08:45

标签: assembly 64-bit system-calls execve

我是 asm 的新手,正在尝试对 /bin/bash 发起 execve 系统调用。但目前遇到以下问题:

只要第一个参数(含结尾 NUL 的路径字符串)不超过 8 个字节,我的代码就能完成 execve 调用,例如 “/bin/sh” 或 “/bin/ls”:

.section .data

    name: .string "/bin/sh"        # 7 chars + NUL = exactly 8 bytes (one qword)

.section .text

.globl _start

_start:
    # third argument of execve (envp), set to NULL
    xor %rdx, %rdx 

    # push nullbyte to the stack
    # NOTE(review): this is a 64-bit push, so it writes 8 zero bytes, not one.
    pushq %rdx 

    # push /bin/sh to the stack
    # NOTE(review): AT&T `pushq name` (no `$`) pushes the 8 bytes STORED AT
    # name, not its address. "/bin/sh\0" is exactly 8 bytes, which is the only
    # reason this copy works; a longer string is truncated to its first qword.
    pushq name 

    # copy stack to rdi, 1st arg of execve
    mov %rsp, %rdi 

    #copy 59 to rax, defining syscall number for execve  
    movq $59, %rax 

    # NOTE(review): %rsi is the 2nd arg (argv), not the 3rd. argv = NULL is
    # accepted by Linux but is not portable; pass a real argv[] instead.
    movq $0, %rsi 

    syscall
    # NOTE(review): execve only returns on failure (%rax = -errno). There is no
    # exit here, so a failed call runs off the end of .text into whatever bytes
    # follow — the likely source of the "Illegal instruction" reported above.

让我感到困惑的是,我无法使用

name: .string "/bin/bash"

我试着把字符串拆开,先 pushq “/bash” 再 pushq “/bin” 到堆栈,但无论怎样都无法工作,每次都报“非法指令”(Illegal instruction)错误。我究竟做错了什么?

非工作代码:

.section .data

    name: .string "/bin/bash"      # 9 chars + NUL = 10 bytes: does NOT fit in one qword

.section .text

.globl _start

_start:
    # third argument of execve (envp), set to NULL
    xor %rdx, %rdx 

    # push nullbyte to the stack
    # NOTE(review): a 64-bit push, so this is 8 zero bytes; they end up
    # terminating whatever the next push leaves below them.
    pushq %rdx 

    # push /bin/sh to the stack
    # NOTE(review): AT&T `pushq name` (no `$`) pushes the 8 bytes STORED AT
    # name, not its address, so only "/bin/bas" is copied and the "h\0" is
    # lost. The zero qword above then terminates the string, and execve is
    # asked to run "/bin/bas", which does not exist.
    pushq name 

    # copy stack to rdi, 1st arg of execve
    mov %rsp, %rdi 

    #copy 59 to rax, defining syscall number for execve  
    movq $59, %rax 

    # NOTE(review): %rsi is the 2nd arg (argv), not the 3rd. argv = NULL is
    # accepted by Linux but is not portable; pass a real argv[] instead.
    movq $0, %rsi 

    syscall
    # NOTE(review): execve("/bin/bas") fails and returns -errno in %rax. With
    # no exit here, execution continues past the end of .text — that is the
    # likely source of the "Illegal instruction" reported in the question.

其他非工作代码:

.section .data

.section .text

.globl _start

_start:
    # third argument of execve (envp), set to NULL
    xor %rdx, %rdx 

    # push nullbyte to the stack
    # NOTE(review): a 64-bit push, so this is 8 zero bytes.
    pushq %rdx 

    # push /bin/bash to the stack
    # NOTE(review): every pushq writes a full qword. A 32-bit immediate is
    # sign-extended to 64 bits, so each 4-byte fragment is followed by 4 zero
    # bytes (and 0x68 'h' by 7). Memory from %rsp upward therefore reads
    # "/bin\0\0\0\0/bas\0\0\0\0h\0...": the C string execve sees is just
    # "/bin", a directory, so the call fails (EACCES). Building the string
    # with pushes requires 8 characters per push, last qword pushed first.
    pushq $0x68
    pushq $0x7361622f
    pushq $0x6e69622f

    # copy stack to rdi, 1st arg of execve
    mov %rsp, %rdi 

    #copy 59 to rax, defining syscall number for execve  
    movq $59, %rax 

    # NOTE(review): %rsi is the 2nd arg (argv), not the 3rd. argv = NULL is
    # accepted by Linux but is not portable; pass a real argv[] instead.
    movq $0, %rsi 

    syscall
    # NOTE(review): execve only returns on failure (%rax = -errno). Without an
    # exit here execution runs off the end of .text — the likely source of the
    # "Illegal instruction" reported in the question.

1 个答案:

答案 0 :(得分:4)

你的代码里有不止一处误解,无法逐一列出。以下是一个不完整的清单:

  1. 您将 %rsi 设为零,这意味着 argv 为 NULL(%rsi 是 execve 的第二个参数 argv,不是第三个;代码中的注释写错了)。
  2. “push nullbyte to the stack”压入的是 8 个零字节(64 位 push),它的正确用途是作为终止 argv 数组的 NULL 指针,而不是终止字符串的零字节。
  3. 您需要把文件名的地址作为 argv[0]。不必把字符串复制到堆栈:AT&T 语法里 `pushq name`(不带 `$`)压入的是 name 处存放的 8 个字节,而不是它的地址——这就是为什么只有不超过 8 字节的字符串“凑巧”能用,而 “/bin/bash” 被截成了 “/bin/bas”。另外,execve 只在失败时返回,您的代码在 syscall 之后没有 exit,会一直执行到 .text 末尾之外,“非法指令”很可能就是这样来的。
  4. 这是修正后的版本:

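    .section .rodata

        # The file name is never written, so it belongs in .rodata, not .data.
        name: .string "/bin/bash"

    .section .text

        .equ SYS_execve, 59
        .equ SYS_exit,   60

    .globl _start

    # execve("/bin/bash", {"/bin/bash", NULL}, NULL); on failure exit(errno).
    # Linux x86-64 syscall ABI: number in %rax, args in %rdi, %rsi, %rdx;
    # `syscall` clobbers %rcx and %r11 and returns the result in %rax.
    _start:
        # third argument of execve is envp, set to NULL
        xor %edx, %edx

        # NULL pointer terminating the argv array (a 64-bit push = 8 zero bytes)
        pushq %rdx

        # first argument to execve is the file name. RIP-relative so the binary
        # also links as PIE; a bare `leaq name, %rdi` needs a 32-bit absolute
        # relocation and fails to link with -pie.
        leaq name(%rip), %rdi

        # also argv[0]
        push %rdi

        # second argument to execve is argv: the two qwords just pushed
        mov %rsp, %rsi

        mov $SYS_execve, %eax
        syscall

        # execve only returns on failure, with %rax = -errno. Without an exit
        # here execution would run off the end of .text and decode padding as
        # instructions (SIGILL). Report errno as the exit status instead.
        neg %eax
        mov %eax, %edi
        mov $SYS_exit, %eax
        syscall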
    

    一个在代码中构造堆栈字符串、且机器码不含零字节(shellcode 风格)的版本:

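    .section .text

    .globl _start

    # Same execve("/bin/bash") but with the string built on the stack from
    # immediates and with no zero byte anywhere in the machine code
    # (shellcode-style). Every instruction below is chosen for that property:
    # 32-bit xor for zeroing, movb for small constants, no 64-bit immediates.
    _start:
        # third argument of execve is envp, set to NULL (xor %edx zero-extends
        # into %rdx; 2 bytes instead of 3, still no zero byte)
        xor %edx, %edx

        # zero terminator: 8 zero bytes that end both the string and argv
        push %rdx

        # space for string
        sub $16, %rsp

        # stores are little-endian, so 0x2f6e6962 lands as "bin/"; the string
        # ends exactly at the qword of zeros pushed above
        movb $0x2f, 7(%rsp)        # /
        movl $0x2f6e6962, 8(%rsp)  # bin/
        movl $0x68736162, 12(%rsp) # bash

        # first argument to execve is the file name
        leaq 7(%rsp), %rdi

        # push NULL to the stack, argv terminator
        pushq %rdx

        # also argv[0]
        push %rdi

        # second argument to execve is argv
        mov %rsp, %rsi

        # syscall number 59 (execve), loaded through %al to avoid the zero
        # bytes a `mov $59, %eax` would encode
        xor %eax, %eax
        movb $59, %al
        syscall

        # execve only returns on failure (%rax = -errno). Falling off the end of
        # .text would decode padding and raise SIGILL; exit(errno) instead,
        # still with zero-byte-free encodings (neg: F7 D8, mov: 89 C7, movb: B0 3C).
        neg %eax
        mov %eax, %edi
        xor %eax, %eax
        movb $60, %al
        syscall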