
Assembly execve failure -14

Program writes the executable placed in its second segment to disk, decrypts it (into /tmp/decbd), and executes it (as was planned). File decbd appears on disk and can be executed via shell, but the last execve call returns eax=-14, and after the end of the program, execution flows into data and gets a segfault. http://pastebin.com/KywXTB0X

In the second segment after compilation, using hexdump and dd, I manually placed the echo binary encrypted via openssl, and when I stopped execution right before the last int 0x80 command, I was already able to run my "echo" in decbd, using another terminal.

man execve says this in the "ERRORS" section with regard to return code -14 (-EFAULT):

        EFAULT filename points outside your accessible address space.

You passed a bad pointer to execve().

  1. You should have narrowed it down to a minimal example. See MCVE.
  2. You should comment your code if you want other people to help.
  3. You should learn to use the debugger and/or other tools.

For point #1, you could have gone down to:

section .text
    global _start   ;must be declared for linker (ld)
_start:
    mov eax,11             ; execve syscall
    mov ebx,program        ; name of program
    mov ecx,[esp+4]        ; pointer to argument array
    mov ebp,[esp]          ; number of arguments
    lea edx,[esp+4*ebp+2]  ; pointer to environ array
    int 0x80
section .data
    program db '/bin/echo',0

For point #3, using the debugger you could have seen that:

  • ebx is okay
  • ebp is okay
  • ecx is wrong
  • edx is wrong

It's an easy fix: ecx should be loaded with the address, not the value, and edx should skip 2 pointers, which are 4 bytes each, so the offset should be 8, not 2. The fixed code could look like this:

section .text
    global _start   ;must be declared for linker (ld)
_start:
    mov eax,11             ; execve syscall
    mov ebx,program        ; name of program
    lea ecx,[esp+4]        ; pointer to argument array
    mov ebp,[esp]          ; number of arguments
    lea edx,[esp+4*ebp+8]  ; pointer to environ array (skip argc and NULL)
    int 0x80
section .data
    program db '/bin/echo',0
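As an added example that is not part of the question or the answer, the following C program models the initial stack the kernel hands a static binary at _start, derives argv and envp with the same address math as the fixed code (the +8 vs. +2 byte offset), and reproduces the symptom by calling execve() with an unmapped argv pointer, which fails with EFAULT (-14) instead of replacing the process. The stack image, argv and envp values are constructed; the execve call assumes /bin/sh exists.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* Model of the stack the kernel hands _start, in machine words (4 bytes on i386):
 *   [sp+0]              argc
 *   [sp+1 word]         argv[0..argc-1], then a NULL word
 *   [sp+(argc+2) words] envp[0..], then a NULL word                           */
/* Fill words[] with a constructed stack image; returns argc. */
static int build_stack_image(uintptr_t *words, const char *const *argv,
                             const char *const *envp) {
    int n = 0, argc = 0;
    while (argv[argc]) argc++;
    words[n++] = (uintptr_t)argc;
    for (int i = 0; i <= argc; i++) words[n++] = (uintptr_t)argv[i]; /* incl. NULL */
    for (int i = 0;; i++) { words[n++] = (uintptr_t)envp[i]; if (!envp[i]) break; }
    return argc;
}

/* The fixed answer's address math: lea ecx,[esp+4] and lea edx,[esp+4*ebp+8]. */
static const uintptr_t *argv_from_sp(const uintptr_t *sp) { return sp + 1; }
static const uintptr_t *envp_from_sp(const uintptr_t *sp) { return sp + sp[0] + 2; }

/* Byte offset of envp on i386 as the question wrote it (+2) and as corrected (+8). */
static long envp_offset_buggy(long argc) { return 4 * argc + 2; }
static long envp_offset_fixed(long argc) { return 4 * argc + 8; }

/* The reported symptom: an unmapped argv pointer makes execve fail with EFAULT. */
static int execve_with_bad_argv_errno(void) {
    char *const *bad_argv = (char *const *)(uintptr_t)1;  /* address 1 is never mapped */
    char *const empty_env[] = { NULL };
    errno = 0;
    if (execve("/bin/sh", bad_argv, empty_env) == -1) return errno;
    return 0;  /* not reached: a successful execve never returns */
}

int main(void) {
    uintptr_t words[64];
    const char *const argv[] = { "/bin/echo", "hello", NULL };  /* constructed */
    const char *const envp[] = { "PATH=/bin", NULL };           /* constructed */
    int argc = build_stack_image(words, argv, envp);
    printf("argc=%d argv[0]=%s envp[0]=%s\n", argc,
           (const char *)argv_from_sp(words)[0], (const char *)envp_from_sp(words)[0]);
    printf("envp offset: buggy %ld, fixed %ld bytes; execve(bad argv) errno=%d (EFAULT=%d)\n",
           envp_offset_buggy(argc), envp_offset_fixed(argc), execve_with_bad_argv_errno(), EFAULT);
    return 0;
}
```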
