format ELF64

public _start

section '.data' writable
command db "/usr/bin/nc", 0x0       ; pathname passed to execve
argument1 db "-l", 0x0
argument2 db "127.0.0.1", 0x0
argument3 db "12345", 0x0
last_arg dq 0x0                     ; unused; argv below already ends with a NULL entry
argv dq command, argument1, argument2, argument3, 0x0   ; argv: array of 8-byte pointers, NULL-terminated

section '.text' executable
_start:
    mov rax, 11        ; 11 = execve on the i386 (32-bit) syscall table
    mov rbx, command   ; pathname
    mov rcx, argv      ; argv
    mov rdx, 0         ; envp = NULL
    int 0x80           ; 32-bit system call entry

This is my simple assembler program, which should just use exec to load the memory image of nc, but something goes wrong:

execve("/usr/bin/nc", ["/usr/bin/nc"], NULL)

This is the output from strace. It just passes only the name of the program and forgets about the other args. How should I fix my program?

Nate Eldredge
butleger
`int 0x80` is the 32-bit system call interface. For a 64-bit program you should use `syscall`. See https://stackoverflow.com/questions/2535989/what-are-the-calling-conventions-for-unix-linux-system-calls-and-user-space-f/2538212#2538212 and https://stackoverflow.com/questions/46087730/what-happens-if-you-use-the-32-bit-int-0x80-linux-abi-in-64-bit-code – Nate Eldredge May 15 '21 at 21:24

Because you use a 32-bit system call, the kernel expects 32-bit pointers and things quickly go wrong. Do not use 32-bit system calls in a 64-bit program. I do not understand why so many beginners make this mistake. – fuz May 15 '21 at 23:49

`dq command` is like `dd command, 0` the way the `int 0x80` version of the system call interprets it. If you're trying to port 32-bit examples to 64-bit, port *everything*, don't go half way. Or for simple stuff like this, it's probably easier to just look for a 64-bit example in the first place. At least `strace` decodes it correctly these days, instead of decoding it as the 64-bit syscall that uses that number. – Peter Cordes May 16 '21 at 01:28
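The same program rewritten for the x86-64 ABI the commenters point to, added here as an example and not taken from the question or the comments: execve is number 59 on the 64-bit table, pathname/argv/envp go in rdi/rsi/rdx, and the entry instruction is `syscall`, so the kernel reads the 8-byte pointers in `argv` instead of truncating them. The fallback `exit` after `execve` is an addition so a failed exec does not run off the end of `.text`; the nc path and arguments are the question's own.

```asm
format ELF64

public _start

section '.data' writable
command   db "/usr/bin/nc", 0
argument1 db "-l", 0
argument2 db "127.0.0.1", 0
argument3 db "12345", 0
; argv: array of 8-byte pointers, NULL-terminated (64-bit ABI reads all four entries)
argv      dq command, argument1, argument2, argument3, 0

section '.text' executable
_start:
    mov eax, 59          ; 59 = execve on the x86-64 syscall table (11 is the i386 number)
    lea rdi, [command]   ; rdi = pathname
    lea rsi, [argv]      ; rsi = argv (8-byte pointers, not truncated to 32 bits)
    xor edx, edx         ; rdx = envp = NULL
    syscall              ; 64-bit entry; int 0x80 would use the 32-bit ABI
    ; only reached if execve failed (e.g. /usr/bin/nc missing): exit(1) cleanly
    mov eax, 60          ; 60 = exit on the x86-64 syscall table
    mov edi, 1           ; status 1
    syscall
```

Assembled with `fasm` and run under `strace`, the execve line should now list all four argv entries instead of just the program name.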
