我正在尝试编写一个运行 execve 的 shellcode。等效的 c 程序如下所示:
int main ()
{
char *argv[3] = {"/bin/sh","-i", "/dev/tty", NULL};
execve("/bin/sh", argv, NULL);
return 0;
}
c程序运行良好。然后我尝试像这样编写我的测试程序(修改为 push null):
#include<stdio.h>
int main(){
__asm__(
"xor %rdx,%rdx\n\t" //rdx is the third argument for execve, null in this case.
"push %rdx\n\t"
"mov -8(%rbp),%rdx\n\t"
"mov $0x692d,%rdi\n\t" //$0x6924 is 'i-'
"push %rdi\n\t" //push '-i' to the stack
"lea -16(%rbp),%rax\n\t" //now rax points to '-i'
"mov $0x31b7f54a83,%rdi\n\t" //the address of /bin/sh
"push %rdi\n\t" //push it to the stack
"push %rdx\n\t" //end the array with null
"mov $0x31b7e43bb3,%rdi\n\t" //the address of "/bin/sh"
"push %rdi\n\t" //push the address of "/dev/tty to the stack
"push %rax\n\t" //push the address of '-i' to the stack
"mov $0x31b7f54a83,%rdi\n\t"
"push %rdi\n\t" //push the address of /bin/sh again to the stack
"mov %rsp,%rsi\n\t" //rsi now points to the beginning of the array
"mov -24(%rbp),%rdi\n\t" //rdi now points to the addresss of "/bin/sh"
"mov $0x3b,%rax\n\t" // syscall number = 59
"syscall\n\t"
);
}
我在这里有内存中字符串的地址,我们可以假设它们不会改变。但是我们没有字符串'-i'的地址。所以我在这里做的是将参数推入堆栈,如下所示:
Low ------------------------------------------------------------------ High
|addressof"/bin/sh"(rsi points to here)|addressof"-i"|addressof"/dev/ssh"|addressof"/bin/sh"(rdi points to here)|-i|
它没有用。程序编译正常,但是当我运行程序时,什么也没发生。
我不熟悉汇编,我对参数的传递方式有些担心,例如,编译器如何知道 argv 参数何时在内存中结束?
编辑
感谢 Niklas B 下面的建议,我使用 trace 查看 execve 是否实际运行。我得到了execve(0x31b7f54a83, [0x31b7f54a83, "-i", 0x31b7e43bb3, 0x31b7f54a83, 0x692d], [/* 0 vars */]) = -1 EFAULT (Bad address),这意味着第二个参数传递错误。我推入堆栈的所有内容都被视为 argv 参数的一部分!
在我将空值压入堆栈后, strace 给出execve(0x31b7f54a83, [0x31b7f54a83, "-i", 0x31b7e43bb3], [/* 0 vars */]) = -1 EFAULT (Bad address). 仅当地址是字符串时,这才非常接近正确答案...
多亏了布赖恩,我现在看到了问题所在。硬编码地址在另一个程序的共享库中。因此,该程序在实际输入该程序之前不应运行。谢谢大家,我会尽快更新。如果问题已解决,我会将其标记为已解决。