
I've got trouble writing a program in asm. This program should execute /bin/sh:

section .text
global start
start:
    mov rax, 59
    push 0x68732f2f6e69622f
    mov rdi, rsp
    mov rsi, 0
    mov rdx, 0
    syscall

(59 is the syscall identifier for execve() on x64)
(0x68732f2f6e69622f is /bin//sh in little-endian)

When I ran this, I got a segmentation fault. So I ran strace to check what was happening:

execve("./binsh", ["./binsh"], 0x7ffc3453e170 /* 42 vars */) = 0
execve("/bin", NULL, NULL)              = -1 EACCES (Permission denied)
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0xfffffffffffffff3} ---
+++ killed by SIGSEGV +++

So the /bin (4 bytes) was moved successfully from the stack into the rdi register. But where is //sh? Can someone help?

BitFriends
    Which assembler are you programming for? It should have warned you that there is no `push` instruction with an 8 byte immediate and thus your immediate was truncated to fit. – fuz Dec 22 '19 at 20:20
  • Confirming what @fuz wrote. There is no push imm64, you need to use a register for this. Kind of confusing that it moved four bytes anyway, because in 64bit mode push/pop moves 8 bytes. – z0rberg's Jan 02 '20 at 16:23
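Added example (C, not code from the question or the commenters) that models what the comments describe: the assembler cannot encode `push imm64`, so it emitted `push imm32` and the CPU sign-extended the low 32 bits, which is exactly why strace showed `execve("/bin", NULL, NULL)`. The model also shows a follow-on caveat for the register form: the 8 bytes of "/bin//sh" contain no terminating NUL, so execve() keeps reading into the next stack qword (at process entry on Linux x86-64 that is argc), unless a zero qword is pushed first. Finally it decodes the `si_addr` from the strace output as a signed value. The argc value of 1 is a constructed assumption, and the reading of the fault address as the leftover `-EACCES` in rax is an inference from the numbers on the page, not something strace states.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 8-byte immediate from the question: "/bin//sh" stored little-endian. */
#define BINSH_IMM 0x68732f2f6e69622fULL

/* There is no `push imm64`; the assembler emits `push imm32`, which the CPU
 * sign-extends to 64 bits before storing the qword at [rsp]. This models that. */
uint64_t push_imm32_sign_extended(uint64_t imm)
{
    int32_t low = (int32_t)(uint32_t)(imm & 0xffffffffULL); /* keep low 32 bits */
    return (uint64_t)(int64_t)low;                           /* sign-extend to 64 */
}

/* execve() reads the path until the first NUL, so the qword *above* the pushed
 * one matters too. Model [rsp] = pushed, [rsp+8] = next (at process entry the
 * kernel leaves argc there). Writes the string the kernel would see into out
 * (at least 17 bytes) and returns its length. */
size_t effective_path(uint64_t pushed, uint64_t next, char *out)
{
    unsigned char mem[16];
    for (int i = 0; i < 8; i++) {
        mem[i]     = (unsigned char)(pushed >> (8 * i)); /* little-endian bytes */
        mem[8 + i] = (unsigned char)(next   >> (8 * i));
    }
    size_t n = 0;
    while (n < 16 && mem[n] != 0) {
        out[n] = (char)mem[n];
        n++;
    }
    out[n] = '\0';
    return n;
}

/* Convenience for checks: does the kernel-visible path equal `expected`? */
int path_equals(uint64_t pushed, uint64_t next, const char *expected)
{
    char path[17];
    effective_path(pushed, next, path);
    return strcmp(path, expected) == 0;
}

/* si_addr from the strace output, read as a signed 64-bit value, is -13, i.e.
 * -EACCES: the value the failed execve left in rax. A fault at that address is
 * consistent with execution running past the `syscall` into the bytes that
 * follow and touching memory through rax (an inference, not shown by strace). */
long si_addr_as_errno(uint64_t si_addr)
{
    return -(long)(int64_t)si_addr;
}

int main(void)
{
    char path[17];
    uint64_t truncated = push_imm32_sign_extended(BINSH_IMM);
    uint64_t argc = 1; /* constructed: what [rsp+8] holds after one push at entry */

    printf("assembled qword : 0x%016llx\n", (unsigned long long)truncated);
    effective_path(truncated, argc, path);
    printf("kernel sees     : \"%s\" (matches the strace line)\n", path);

    effective_path(BINSH_IMM, argc, path);
    printf("full qword, argc next : %zu bytes, last byte 0x%02x (no NUL in the 8 bytes)\n",
           strlen(path), (unsigned char)path[strlen(path) - 1]);

    effective_path(BINSH_IMM, 0, path);
    printf("full qword, zero pushed first: \"%s\"\n", path);

    printf("si_addr 0xfffffffffffffff3 == -%ld (EACCES is %d)\n",
           si_addr_as_errno(0xfffffffffffffff3ULL), EACCES);
    return 0;
}
```

The register form the comments point to is `mov rbx, 0x68732f2f6e69622f` followed by `push rbx` (loading the immediate into rax instead would clobber the 59 set earlier, so either use another register or set rax last). As the third case in the model shows, the pushed path is only NUL-terminated if a zero qword is pushed before it, for example `push rdx` once rdx has been zeroed; with the question's layout the byte after "/bin//sh" would be the low byte of argc instead.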
