
In the following code, after calling the 'access' system call, 0xfffffffe is present in EAX, while in case of success the 'access' system call returns 0. Here I am trying to access memory which is part of the data section. Then why is 'access' returning 0xfffffffe?

```nasm
global _start
section .text
_start:

    mov eax, 0x21       ; access system call number
    mov ebx, message    ; pathname argument = address to be validated
    mov ecx, 0          ; F_OK
    int 0x80            ; EAX now holds the result: 0 or -errno

    mov ebx, eax        ; exit with the result as status (exit added so the program terminates cleanly)
    mov eax, 1          ; exit system call
    int 0x80

section .data
message: dd 0,0,0,0,0,0,0
```

I am following the paper mentioned below.

http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf

I am copy-pasting the following lines from pages 7 and 8 of the paper.

The 'access' system call is preferred because "the pathname pointer is the argument that will be used to do the address validation. Since pathname is the first argument, it means that the ebx register will need to point to the address that needs to be validated."

And as we can see in the following code, the author has used the 'access' system call to validate the EBX register. The following code is present on page 8 of the paper.

```nasm
    mov ebx, 0x50905090     ; egg value to search for
    xor ecx, ecx
    mul ecx                 ; eax = edx = 0
next_page:                  ; offset 0x9 in the paper's listing
    or dx, 0xfff            ; move edx to the last byte of the current page
next_addr:                  ; offset 0xe in the paper's listing
    inc edx                 ; next address to test
    pusha
    lea ebx, [edx+0x4]      ; pathname argument = address to validate
    mov al, 0x21            ; access system call
    int 0x80
    cmp al, 0xf2            ; 0xf2 = -EFAULT: page not mapped
    popa
    jz next_page            ; unmapped: skip to the next page
    cmp [edx], ebx          ; mapped: compare against the egg twice
    jnz next_addr
    cmp [edx+0x4], ebx
    jnz next_addr
    jmp edx
```

• It is returning -ENOENT (Error: No such file or directory), which is -2 = 0xfffffffe. So it properly accessed memory, found the file name is blank/zero-length (since the memory contains a 0 as the first byte), was unable to find the zero-length file name in the directory and reported that error as -ENOENT – Michael Petch Nov 07 '18 at 23:04
• In your edited code a comparison is done on AL for 0xF2. 0xF2 = -14 = -EFAULT (Bad Address). You can find a list of errors [here](http://www-numi.fnal.gov/offline_software/srt_public_context/WebDocs/Errors/unix_system_errors.html) – Michael Petch Nov 07 '18 at 23:08
• `message` is in the `.data` section of your running program, so it will be accessible (it isn't a bad address), and what is at that address is a string containing no bytes. Change EBX to 0 and see what happens. Memory address 0 shouldn't be readable, so you should get EAX being 0xfffffffe – Michael Petch Nov 07 '18 at 23:16
• Thank you so much!! I got your point. – user1927603 Nov 07 '18 at 23:41
• `access` checks files, not addresses within your process. See [Finding mapped memory from inside a process](https://stackoverflow.com/q/53022573) for what you're actually trying to do. – Peter Cordes Nov 08 '18 at 08:27
