我正在尝试用下面的 asm 代码编写 shellcode，但执行到 `movl %esi,0x8(%esi)` 时总是出现段错误，有人知道为什么吗？实际上，即使只单独运行 `movl %esi,0x8(%esi)` 这一条指令，也会产生段错误。
/*
 * Question's test program: the inline asm is a "jmp / call / pop" stub that
 * locates the string "/bin/sh", builds execve arguments directly after it,
 * issues execve, and falls through to exit(0) if execve returns.
 *
 * NOTE(review): because the string is emitted with .string inside main, the
 * string and the words at 0x8(%esi) / 0xc(%esi) live in the code section,
 * which is mapped read-only (as the answer below states) — that is why the
 * store at "movl %esi,0x8(%esi)" faults. (`void main` is non-standard;
 * `int main(void)` is the conforming form.)
 */
void main() {
__asm__(
"mov $0x80, %edx\n\t"        /* dead store: %edx is reloaded by the leal below before the first int $0x80 */
"jmp l1\n\t"                 /* jump forward to the call so its return address becomes the string's address */
"l2:popl %esi\n\t"           /* %esi = address of "/bin/sh" (return address pushed by "call l2") */
"movl %esi,0x8(%esi)\n\t"    /* argv[0] = pointer to the string, stored 8 bytes past it: this is the faulting write */
"movb $0x0,0x7(%esi)\n\t"    /* NUL-terminate the string (redundant: .string already appends a NUL) */
"movl $0x0,0xc(%esi)\n\t"    /* argv[1] = NULL; the same word doubles as the envp array */
"movl $0xb,%eax\n\t"         /* syscall 11 = execve on 32-bit Linux */
"movl %esi,%ebx\n\t"         /* arg 1: pathname */
"leal 0x8(%esi),%ecx\n\t"    /* arg 2: argv = &{ptr, NULL} */
"leal 0xc(%esi),%edx\n\t"    /* arg 3: envp = &{NULL} */
"int $0x80\n\t"
"movl $0x1, %eax\n\t"        /* only reached if execve fails: syscall 1 = exit */
"movl $0x0, %ebx\n\t"        /* exit status 0 */
"int $0x80\n\t"
"l1:call l2\n\t"             /* pushes the address of the bytes that follow, i.e. the string */
".string \"/bin/sh\"\n\t"    /* NUL-terminated data placed in the (read-only) code section */
);
}
答案 0（得分：4）
问题在于，正如 user786653 所说，代码段是不可写的：`"/bin/sh"` 字符串是用 `.string` 放在 `main` 的代码里的，所以 `0x8(%esi)` 和 `0xc(%esi)` 指向的也是只读的代码页，往那里写就会段错误。不过你可以改为写在栈上：
# Replaces the three stores into the code section from the question
# ("movl %esi,0x8(%esi)", "movb $0x0,0x7(%esi)", "movl $0x0,0xc(%esi)"):
# argv and envp are built on the stack, which is writable, instead of
# next to the string. Assumes %esi already holds the address of "/bin/sh"
# from the earlier "popl %esi"; .string already NUL-terminated it.
subl $0x8, %esp # make room: two 4-byte slots
movl $0x0, 0x4(%esp) # null — the argv array's only entry
movl $0x0, (%esp) # here too — the envp array's only entry
movl $0xb, %eax # syscall no. 11 (execve, 32-bit Linux)
movl %esi, %ebx # pointer to string (arg 1: pathname)
leal 0x4(%esp), %ecx # first null (argv) — NOTE(review): argv is {NULL}, not {path, NULL}; Linux accepts an empty argv, but the program then sees argc == 0 — confirm this is intended
leal (%esp), %edx # second null (envp) — same as "movl %esp, %edx"
int $0x80 # go