c++ - Re-writing a small execve shellcode -


going through http://hackoftheday.securitytube.net/2013/04/demystifying-execve-shellcode-stack.html

i understood nasm program invokes execve , trying re-write it.

some background information:

int execve(const char *filename, char *const argv[], char *const envp[]);

so, eax = 11 (function call number execve), ebx should point char* filename, ecx should point argv[] (which same ebx since first argument *filename e.g. "/bin/sh" in case), , edx point envp[] (null in case).

original nasm code:

global _start  section .text _start:  xor eax, eax push eax  ; push //bin/sh in reverse i.e. hs/nib//  push 0x68732f6e push 0x69622f2f  mov ebx, esp  push eax mov edx, esp  push ebx mov ecx, esp  mov al, 11 int 0x80

the stack follows:

enter image description here

now tried optimize reducing few instructions. agree till mov ebx, esp code remain same. however, since ecx need point ebx, can re-write code follows:

global _start  section .text _start:  xor eax, eax push eax  ; push //bin/sh in reverse i.e. hs/nib//  push 0x68732f6e push 0x69622f2f mov ebx, esp  mov ecx,ebx  push eax mov edx, esp  mov al, 11 int 0x80

however, segmentation fault when run re-written code.

my stack follows: enter image description here

any ideas why re-written code not work? i've ran gdb , address values according thinking, won't run.

in both cases ebx pointing string "//bin/sh". equivalent of c code this:

char *ebx = "//bin/sh";

but in first example, ecx set address of pointer string. equivalent of c code this:

char *temp = "//bin/sh"; // push ebx char **ecx = &temp;      // mov ecx, esp

while in second example, ecx set same value ebx.

char *ecx = "//bin/sh";

the 2 examples fundamentally different, ecx have 2 different types , values.

update:

i should add technically ecx array of char pointers (the argv argument), not pointer char pointer. you're building 2 item array on stack.

char *argv[2]; argv[1] = null;         // push eax, eax being 0 argv[0] = "//bin/sh";   // push ebx ecx = argv;             // mov ecx,esp

it's half of array doubling envp argument too. since envp single item array single item being set null, can think of envp arguments being set c code this:

edx = envp = &argv[1];

this achieved setting edx esp while argv array half constructed. combining code 2 assignments this:

char *argv[2]; argv[1] = null;         // push eax, eax being 0 edx = &argv[1];         // mov edx,esp argv[0] = "//bin/sh";   // push ebx ecx = argv;             // mov ecx,esp

it's bit convoluted, hope makes sense you.

update 2

all of arguments execve passed registers, registers pointers memory needs allocated somewhere - in case, on stack. since stack builds downwards in memory, chunks of memory need constructed in reverse order.

the memory 3 arguments looks this:

char *filename:  2f 2f 62 69 | 6e 2f 73 68 | 00 00 00 00  char *argv[]:    filename    | 00 00 00 00                char *envp[]:    00 00 00 00

the filename constructed this:

push eax        // '\0' terminator plus push 0x68732f6e // 'h','s','/','n' push 0x69622f2f // 'i','b','/','/'

the argv argument this:

push eax // null pointer push ebx // filename

and envp argument this:

push eax // null pointer

but said, original example decided share memory between argv , evp, there no need last push eax.

i should note reverse order of characters in 2 dwords used when constructing string because of endianess of machine, not stack direction.


Comments

Post a Comment

Popular posts from this blog

SPSS keyboard combination alters encoding -

my question not have programming practical issue on spss. accident keyword combination cannot remember because did not intend press changed encoding in spss , text in data in different language english shown small boxes. nevertheless, when kind of analysis performed different language text shown in output. does know reason? tried change encoding did not produce result. first, @ edit > options , see whether setting unicode or locale. might fix it. if have text in multiple languages, want unicode. otherwise, may have specific locale set wrong. can change set locale, need know locale want use.
Read more

Add new record to the table by click on the button in Microsoft Access -

in ms access form want implement separate button, adds new record table. in order added button , attached button event: private sub btnaddrec_click() refresh codecontextobject on error resume next docmd.gotorecord , , acnewrec if err.number <> 0 btnaddrec.enabled = false end if end end sub everything ok when open window , click btnaddrec button, problem when first of perform navigation through existed records , after click on button. got runtime error: 2105: «you can't go specified record. may @ end of recordset» . how solve issue, need have ability add new record on click on specific button, no matter, have walked or not walked through records before. thanks. i created simple form field call description (and autonumber) , created button code follows click event. filled number of records , navigated through them, clicked addnewrec button. form navigated new record without issues. able click addnewrec button directly after
Read more

javascript - jQuery .height() return 0 when visible but non-0 when hidden -

i have problem here right opposite others: in jquery cannot height of element when it's visible, when hidden. have html code: <div id="filtering-filter-holder"> <div id="filtering-filter-holder-inner"></div> </div> basic css it: #filtering-filter-holder { display: none; position: absolute; width: 420px; min-height: 100px; padding: 5px 5px 5px 5px; background-color: #ffffff; border: 1px solid #164372; } and finally, js in document.ready(): $('div.filtering-filter-headline').mouseenter(function() { var el = $(this).parent().find('div.filtering-filter-content'); if ($('div#filtering-filter-holder').is(':visible')) { $('div#filtering-filter-holder-inner').stop(true, true).fadeout(300, function() { $('div#filtering-filter-holder-inner').html($(el).html()); var height = $('div#filtering-filter-holder-inner&#
Read more