execve x86 - Segmentation Fault

0

I keep getting segmentation faults on this could anybody help me on this one, I am kind of new to ASM

global _start

section .text
_start:

push   dword 0x0068732F ; Push /sh
push   dword 0x6E69622F ; Push /bin
mov    eax, esp         ; Store Pointer To /bin/sh In EAX

push   dword 0x0000632D ; Push -c
mov    ebx, esp         ; Store Pointer To -c In EBX

push   dword 0x00000068 ; Push h
push   dword 0x7361622F ; Push /bas
push   dword 0x6E69622F ; Push /bin
mov    ecx, esp         ; Store Pointer To /bin/bash In ECX

push   dword 0x0        ; NULL 
push   ecx              ; Push /bin/bash Pointer
push   ebx              ; Push -c Pointer
push   eax              ; Push /bin/sh Pointer

mov    ebx, eax         ; Move /bin/sh Pointer To EAX
mov    ecx, esp         ; Store /bin/sh -c /bin/bash Pointer in ECX
xor    edx, edx         ; Store 0 In EDX

mov    al, 0xb          ; sys_execve
int    0x80             ; system call

I am trying to replicate the following

char* Args[] = { "/bin/sh", "-c", "/bin/bash" };
    execve("/bin/sh", Args, NULL)

Thanks in advance

c
assembly
x86
shellcode
execve
asked on Stack Overflow Nov 3, 2016 by 0xDeMoN • edited Nov 3, 2016 by 0xDeMoN

1 Answer

2

As pointed out in the comments the arguments need to be NULL terminated.

Also mov al, 0xb only sets the lower 8 bits of the (32 bit) eax register. Earlier on you also loaded an address from the stack into eax mov eax, esp and since the stack grows down, the value stored in eax will be much closer to 0xFFFFFFFF that it is to 0. When you later mov al, 0xb you only substitute the last F and eax needs to be exactly 0xb.

Thus you need to either move the value to whole eax register or make sure its upper 24 bits are zeroed beforehand - for example by doing xor eax, eax.

global _start

section .text
_start:

push   dword 0x0068732F ; Push /sh
push   dword 0x6E69622F ; Push /bin
mov    eax, esp         ; Store Pointer To /bin/sh In EAX

push   dword 0x0000632D ; Push -c
mov    ebx, esp         ; Store Pointer To -c In EBX

push   dword 0x00000068 ; Push h
push   dword 0x7361622F ; Push /bas
push   dword 0x6E69622F ; Push /bin
mov    ecx, esp         ; Store Pointer To /bin/bash In ECX

push   0                ; <----- NULL args terminator
push   ecx              ; Push /bin/bash Pointer
push   ebx              ; Push -c Pointer
push   eax              ; Push /bin/sh Pointer

mov    ebx, eax         ; Move /bin/sh Pointer To EAX
mov    ecx, esp         ; Store /bin/sh -c /bin/bash Pointer in ECX
xor    edx, edx         ; Store 0 In EDX
;xor    eax, eax        ; <----- either xor eax, eax or mov into eax
mov    eax, 11          ; sys_execve
int    0x80             ; system call
answered on Stack Overflow Nov 3, 2016 by mewa • edited Nov 3, 2016 by mewa

User contributions licensed under CC BY-SA 3.0