I have written this code as an exercise to practice the jmp-pop-call shellcoding technique:
global _start
section .text
_start:
    jmp call_shellcode

shellcode:
    pop rsi                 ; rsi = address of 'welcome' (return address pushed by the call)
    ; sys_write syscall
    xor rax, rax
    mov al, 1               ; rax = 1 (write)
    xor rdi, rdi
    mov dil, 1              ; rdi = 1 (stdout)
    xor edx, edx
    mov dl, 18              ; rdx = 18 (length of the prompt)
    syscall
    jmp call_shellcode2

shellcode2:
    pop rsi                 ; rsi = address of 'input' (return address pushed by the call)
    ; sys_read syscall
    xor rax, rax            ; rax = 0 (read)
    xor rdi, rdi            ; rdi = 0 (stdin)
    mov edx, 4              ; rdx = 4 bytes to read
    syscall
    ; exit syscall
    xor rax, rax
    mov al, 60              ; rax = 60 (exit)
    xor rdi, rdi            ; rdi = 0 (exit status)
    add dil, 0
    syscall

call_shellcode:
    call shellcode
    welcome: db 'Insert password: ', 0xa

call_shellcode2:
    call shellcode2
    input: dd 0xffffffff    ; 4-byte read buffer ('db' would emit only one byte)
The problem is the following:
$ ./simple_shellcode
Insert password:
abc
$ abc
bash: abc: command not found
It seems that when I hit enter, the value that I inserted (plus the enter) is passed to the shell. I can't understand why this happens...
Can you explain the problem to me?
Thanks.
EDIT
Here is the strace output:
execve("./BindShell", ["./BindShell"], 0x7fff3b5e0d00 /* 49 vars */) = 0
write(1, "Insert password: \n", 18Insert password:
) = 18
read(0, 123
0x40104f, 4) = -1 EFAULT (Invalid address)
exit(0) = ?
+++ exited with 0 +++
As Peter Cordes said in the comments, the read call returns -1 EFAULT, and when I assemble it with the --omagic option it works fine.
Now my question is: is using that option a clean solution with the jmp-pop-call technique?
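The following is an added example and not part of the original post or the asker's program. It reproduces the mechanism behind the strace line above in plain C rather than assembly: read(2) copies into the caller's buffer from kernel mode, and when that buffer lives in a mapping without PROT_WRITE (which is how a normal linker maps .text, r-x), the copy faults and the syscall returns -1 EFAULT without touching the buffer. The same read into a writable page succeeds. The input is fed through a pipe with constructed bytes so it runs without a terminal; the helper names and the fallback from r-x to r-- are this example's own choices, assumed only for illustration.

```c
/* Added example: read(2) into a non-writable mapping fails with EFAULT,
 * while the identical read into a writable mapping succeeds (Linux). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed input ("abc\n", like the typed password in the post) delivered
 * through a pipe so the example does not depend on a terminal. */
static int make_input_fd(const char *data, size_t len) {
    int fds[2];
    if (pipe(fds) < 0) return -1;
    if (write(fds[1], data, len) != (ssize_t)len) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    close(fds[1]);
    return fds[0];
}

/* Map one anonymous page with protection `prot`, then read() `count` bytes
 * into it. Returns read()'s result; *err receives errno on failure, else 0. */
static ssize_t read_into_mapping(int prot, size_t count, int *err) {
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    void *buf = mmap(NULL, pagesz, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED && (prot & PROT_EXEC)) {
        /* Some hardened environments refuse anonymous executable mappings;
         * a read-only page still has the property under test: no PROT_WRITE. */
        buf = mmap(NULL, pagesz, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    }
    if (buf == MAP_FAILED) { *err = errno; return -1; }

    int fd = make_input_fd("abc\n", 4);
    if (fd < 0) { *err = errno; munmap(buf, pagesz); return -1; }

    errno = 0;
    ssize_t n = read(fd, buf, count);   /* kernel copies into buf here */
    *err = (n < 0) ? errno : 0;

    close(fd);
    munmap(buf, pagesz);
    return n;
}

/* Buffer with the permissions a linker gives .text: readable, executable,
 * not writable. This is where `input:` ends up in the asker's program. */
ssize_t read_into_text_like_page(int *err) {
    return read_into_mapping(PROT_READ | PROT_EXEC, 4, err);
}

/* Buffer in a writable page, which is what read(2) needs (stack, .bss, .data). */
ssize_t read_into_writable_page(int *err) {
    return read_into_mapping(PROT_READ | PROT_WRITE, 4, err);
}

int main(void) {
    int err;
    ssize_t n = read_into_text_like_page(&err);
    printf("read into r-x page: %zd (%s)\n", n, n < 0 ? strerror(err) : "ok");
    n = read_into_writable_page(&err);
    printf("read into rw- page: %zd (%s)\n", n, n < 0 ? strerror(err) : "ok");
    return 0;
}
```

The asm equivalent of the second function is to point rsi at writable memory instead of at a label inside .text, for example reserving the buffer on the stack (`sub rsp, 16` then `mov rsi, rsp`) before the read syscall; jmp-call-pop is still fine for the string the program only writes. Linking with --omagic makes the whole text segment writable, which removes the fault but also removes the W^X separation that a normal binary has.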
User contributions licensed under CC BY-SA 3.0