
I'm trying to write a basic exploit in shell code using the linkat() function but I'm new to assembly so I think I'm missing something simple.

.globl _start
_start:
.intel_syntax noprefix
        # open("/flag", O_RDONLY): rax = __NR_open (2), rdi = pathname, rsi = flags
        mov rax, 2
        lea rdi, [rip+source]
        mov rsi, 0
        syscall

        # linkat(olddirfd, oldpath, newdirfd, newpath, flags): rax = __NR_linkat (265)
        mov rax, 265
        mov rdi, 3                  # olddirfd
        lea rsi, [rip+path]         # oldpath = "."
        mov rdx, 4                  # newdirfd
        lea rcx, [rip+target]       # intended newpath = "/foo"
        mov r8, 0                   # flags
        syscall

        # exit(0) so execution does not fall through into the string data below
        mov rax, 60
        mov rdi, 0
        syscall
path:
        .string "."
source:
        .string "/flag"
target:
        .string "/foo"

But when I debug the code using strace, the fourth argument (the destination name) is getting passed as an address (e.g. 0x1) rather than a string.
Output

open("/flag", O_RDONLY)                 = 4
linkat(3, ".", 4, 0x1, 0)               = -1 EFAULT (Bad address)

How can I fix this so the fourth argument shows as /foo?

    syscall convention does not use `rcx` for an argument as that is destroyed by the `syscall` instruction. Use `r10` instead. – Jester Sep 16 '20 at 17:48
  • 1
    thanks that worked! I found a relevant thread based on your feedback https://stackoverflow.com/questions/32253144/why-is-rcx-not-used-for-passing-parameters-to-system-calls-being-replaced-with – mdo123 Sep 16 '20 at 17:52

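The register convention Jester points out in the comment, shown as an added C example (not the asker's code): a raw x86-64 syscall wrapper that binds the 4th argument to r10, beside a deliberately wrong variant that loads it into rcx the way the question's assembly does. The wrong variant zeroes r10 so the kernel deterministically sees a NULL newpath and returns EFAULT (on the page r10 happened to hold 0x1). It assumes a writable /tmp and uses AT_FDCWD-relative paths instead of the asker's opened descriptors.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Raw x86-64 syscall, 5 args. Arg 4 must be in r10, never rcx: the `syscall`
   instruction overwrites rcx (return RIP) and r11 (RFLAGS) before the kernel runs. */
static long raw_syscall5(long nr, long a1, long a2, long a3, long a4, long a5)
{
    long ret;
    register long r10 __asm__("r10") = a4;
    register long r8  __asm__("r8")  = a5;
    __asm__ volatile ("syscall" : "=a"(ret)
                      : "a"(nr), "D"(a1), "S"(a2), "d"(a3), "r"(r10), "r"(r8)
                      : "rcx", "r11", "memory");
    return ret;
}

/* The asker's bug, reproduced deliberately: arg 4 goes into rcx, which the kernel
   ignores; r10 is zeroed so the kernel deterministically sees newpath == NULL. */
static long raw_syscall5_wrong(long nr, long a1, long a2, long a3, long a4, long a5)
{
    long ret;
    register long r10 __asm__("r10") = 0;
    register long r8  __asm__("r8")  = a5;
    __asm__ volatile ("syscall" : "=a"(ret), "+c"(a4)
                      : "a"(nr), "D"(a1), "S"(a2), "d"(a3), "r"(r10), "r"(r8)
                      : "r11", "memory");
    return ret;
}
/* linkat(AT_FDCWD, src, AT_FDCWD, dst, 0) on a fresh file through the chosen
   wrapper; returns the raw kernel result (0 or -errno). Paths are constructed
   inside a private mkdtemp() directory and cleaned up afterwards. */
static long linkat_demo(int use_wrong_wrapper)
{
    char dir[] = "/tmp/linkat-demo-XXXXXX", src[64], dst[64];
    if (!mkdtemp(dir)) return -errno;
    snprintf(src, sizeof src, "%s/source", dir);
    snprintf(dst, sizeof dst, "%s/target", dir);
    int fd = open(src, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) { rmdir(dir); return -errno; }
    close(fd);
    long ret = use_wrong_wrapper
        ? raw_syscall5_wrong(SYS_linkat, AT_FDCWD, (long)src, AT_FDCWD, (long)dst, 0)
        : raw_syscall5(SYS_linkat, AT_FDCWD, (long)src, AT_FDCWD, (long)dst, 0);
    unlink(dst); unlink(src); rmdir(dir);
    return ret;
}
```

Running linkat_demo(0) returns 0 (link created) while linkat_demo(1) returns -EFAULT, the same error strace showed for the question's code.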