Hi all,

I got a small problem (although it's stopped me dead in my tracks all last night)

I'm trying to convert the Linux execve type command to asm so for a basic /bin/sh
i use the following:

BITS 32
xor eax,eax
cdq
push eax
push long 0x68732f3f
push long 0x6e69622f
mov ebx,esp
push eax
push ebx
mov ecx,esp
mov al, 0x0b
int 0x80

however if I wanted to run /bin/sh -c date (which isn't my end goal, but I want to see how i can load the stack with items in the array other than null.) I get seg faults all over the place - there's the code I'm trying to use:

this seg faults (exceve /bin/sh -c date)

xor eax,eax //eax=0
cdq
push eax //push eax as string terminater
push 0x65746164 //push 'date'
push word 0x632d //push '-c'
push long 0x68732f2f //push '//sh'
push long 0x6e69622f //push '/bin'
mov ebx,esp //store pointer in ebx
// now the pointer is done build the array...
push eax //to serve as array terminator
mov ecx,esp // load pointer to the array into ecx

mov al, 0x0b //execve call number into al
int 0x80 //hand back to processer

Can anyone see what I'm doing wrong - am I even close the getting it right?

Thanks

xet
Posted on 2006-08-22 01:54:53 by xet
You are not setting the system call parameters correctly.
ecx should point to a null terminated array of pointers to a null terminated string arguments.
While in your case ecx points to a null pointer and the program name pointed by ebx is not null terminated (in fact none of the arguments is null terminated).

Hope that helps.
Posted on 2006-08-22 05:25:50 by arafel
Are you trying to write shellcode, hmm?
Posted on 2006-08-22 07:48:30 by f0dder