
I am trying to call '/bin/bash' using the syscall and execve system call. At first I was worried I was not correctly loading my command ('/bin/bash') into the register, but I think I am doing that right. I have to follow specific requirements for the register usage.

    .section .text
    .global _start
    _start:

        # Push an 8-byte 0 to the stack
        push $0x0000000000000000

        # Use the stack pointer to set the 2nd parameter
        movl %esp, %ecx

        # Use the same address to set the 3rd parameter
        movl %esp, %edx

        # Write the 8-byte hex value for "/bin/sh" to %rax register
        movq $0x0068732f6e69622f, %rax

        # Push the %rax register to the stack
        push %rax

        # Use the stack pointer to set the 1st parameter
        movl %esp, %ebx

        # Write the syscall number to the register
        movl $59, %eax

        # Execute the syscall
        syscall

Currently this code segmentation faults, which I think is because I am not returning anything from _start. I know that if I called syscall 60, which is just system exit, I would not segmentation fault.

Does anyone have any idea what I am doing wrong?

  • It looks like you are using a 64 bit system so quickly forget about `esp` because that will likely not work as the stack is not typically in the low 32 bit address space. For the rest, use `strace` and/or `gdb`. – Jester Apr 16 '19 at 18:20
  • @Jester what would you use instead of 'esp' then? – J DOe Apr 16 '19 at 18:21
  • `rsp` obviously. – Jester Apr 16 '19 at 18:21
  • @Jester for performing a move then, you would have to use something other than " mov %rsp, %ecx" right? – J DOe Apr 16 '19 at 18:25
  • Yes, use `rcx` on the other side. Operand sizes should match. Also note that the 64 bit system call convention is different from 32 bit. You most certainly don't want to load `rcx` since that is destroyed by `syscall` so it can't be used for passing arguments. – Jester Apr 16 '19 at 18:26
  • If this is meant as shellcode or something similar, you might as well say so, instead of vague statements like "specific requirements of register usage". – Nate Eldredge Apr 16 '19 at 23:33
  • This looks like an attempt to port code for the `int 0x80` ABI (args in ebx, ecx, edx) to 64-bit `syscall` without changing the registers to RDI, RSI, RDX, R10, etc. – Peter Cordes Apr 17 '19 at 01:59
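The comments above describe the x86-64 Linux `syscall` convention (number in `%rax`, arguments in `%rdi`, `%rsi`, `%rdx`, `%r10`, `%r8`, `%r9`; `%rcx` and `%r11` clobbered by the instruction) but do not show the question's code rewritten for it. The following is an added example, not code from the question or from any commenter. It reuses the question's 8-byte constant for "/bin/sh", builds a proper `argv` array instead of passing a NULL, and falls through to `exit` if `execve` fails, so that control never runs off the end of `_start` into unmapped memory (one way a minimal `_start` ends up segfaulting). It assumes GNU `as`/`ld` on x86-64 Linux.

```asm
# Added example (not from the question or comments): execve("/bin/sh", argv, NULL)
# using the x86-64 Linux syscall convention. Assumes GNU as/ld on x86-64 Linux.
    .section .text
    .global _start
_start:
    # Build the NUL-terminated string "/bin/sh" on the stack.
    # Same 8-byte little-endian constant the question uses; its top byte is 0,
    # so the string is terminated without a separate push of zero.
    movq  $0x0068732f6e69622f, %rax
    pushq %rax
    movq  %rsp, %rdi          # 1st arg (%rdi): pathname (full 64-bit pointer)

    # Build argv = { pathname, NULL } on the stack, two 8-byte slots.
    pushq $0                  # argv[1] = NULL terminator
    pushq %rdi                # argv[0] = pathname
    movq  %rsp, %rsi          # 2nd arg (%rsi): argv

    xorl  %edx, %edx          # 3rd arg (%rdx): envp = NULL (writing %edx zeroes %rdx)

    movl  $59, %eax           # __NR_execve on x86-64
    syscall                   # clobbers %rcx and %r11; never returns on success

    # Reached only if execve failed (error code is in %rax): exit(1) cleanly
    # rather than executing whatever bytes follow _start.
    movl  $60, %eax           # __NR_exit on x86-64
    movl  $1, %edi            # 1st arg (%rdi): exit status
    syscall
```

Assemble and link it with `as -o execve.o execve.s && ld -o execve execve.o`, then run it under `strace ./execve` as Jester suggests: a correct call shows a single `execve("/bin/sh", ["/bin/sh"], NULL)` line, whereas the question's version shows `execve` returning `-1 EFAULT` because the 32-bit `movl %esp, ...` moves truncated the stack pointers, and the fault after that comes from falling past the end of `_start`.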

0 Answers