问题描述
限时送ChatGPT账号..我的代码:
.section .data
name: .string "/bin/sh"
args:
.string "-c"
.string "ls"
.section .text
.globl _start
_start:
pushq $0
pushq name
movq $59, %rax
movq %rsp, %rdi
pushq $0
pushq args
movq %rsp, %rsi
movq $0, %rdx
syscall
我知道 execve 的第二个参数是字符数组.
I know that the second argument of execve is array of chars.
如何在组装中避免这种情况:
How to do this in assembly avoiding this:
execve("./payload", ["./payload"], 0x7ffc291fd160 /* 40 vars */) = 0
execve("/bin/sh", [0x736c00632d], NULL) = -1 EFAULT (Bad address)
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0xfffffffffffffff2} ---
+++ killed by SIGSEGV +++
Segmentation fault
推荐答案
execve 系统调用有签名
execve(const char *path, char *const argv[], char *const envp[]);
参数向量是一个字符串数组,即指向字符数组的指针数组的指针.但是,您提供了一个指向字符数组的指针,这是不正确的并且不起作用.要解决此问题,请添加一组指向您的参数的指针:
The argument vector is an array of strings, that is, a pointer to an array of pointers to arrays of characters. You however supplied a pointer to an array of characters, which is incorrect and will not work. To fix this, add an array of pointers referring to your arguments:
.section .data
name: .string "/bin/sh"
arg1: .string "-c"
arg2: .string "ls"
args: .quad name
.quad arg1
.quad arg2
.quad 0
.section .text
.globl _start
_start: movq $59, %rax
leaq name(%rip), %rdi
leaq args(%rip), %rsi
movq $0, %rdx
syscall
看看现在 args 是如何以 NULL 结尾的指向参数的指针数组.另请注意,第一个参数(在索引 0 处)通常是程序名称本身.在那里传递实际选项不会按预期工作.
See how now args is a NULL-terminated array of pointers to the arguments. Also note that the first argument (at index 0) is conventionally the program name itself. It won't work as expected to pass an actual option there.
我还通过使用 lea 指令而不是您使用的迂回方式直接加载字符串的地址来简化代码.
I have also simplified the code by loading the addresses of the strings directly using a lea instruction instead of the roundabout way you used.
这篇关于GAS AT&T 汇编程序中的 execve() argv的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
更多推荐
[db:关键词]
发布评论