Jay Elrod

Reputation: 738

Assembly injection via python

I am trying to use python to write out some assembly code to redirect the flow of a binary. This is for school. I am coming along pretty well, but I am stuck, alas. I have determined a list of assembly code ops that I need to execute, and the trouble is in a movl call. I need this to look like movl $0x0, add(%ebp). I am using python to store these hex values in an env variable and planning to jump to that env variable's location. So, I do something like

export CODE=`python -c 'print "somehex...\xc7\x45\xfc\x00\x00\x00\x00...morehex"'`

This stores this in the env just fine, and when I jump to it in gdb, I can x/i the assembly code. Everything looks good except for this movl call. Rather than reading the \x00's as the argument (supposed to be $0x0), it takes the next 4 hex values as the argument for the source. I cannot find any other way of writing $0x0 into the src argument of movl in the python fashion I have chosen.

Any help would be GREATLY appreciated. Been working on this for quite some time.

Upvotes: 2

Views: 1429

Answers (2)

phihag

Reputation: 287825

Environment variables are C strings, and those cannot hold \0 bytes. Instead, you must write the shellcode in a way so that it does not contain any \0 bytes. You must construct 0 values with other instructions such as sub, xor, or by moving an existing 0 value to the desired register/memory location.

By the way, instead of Python, you can simply use the shorter and more portable /bin/echo -e 'somehex\x00\x00more'.

Upvotes: 4

Keith Randall

Reputation: 23265

Looks like something is stripping the null bytes. The python works fine:

$ python -c 'print "somehex...\xc7\x45\xfc\x00\x00\x00\x00...morehex"' | hexdump
0000000 73 6f 6d 65 68 65 78 2e 2e 2e c7 45 fc 00 00 00
0000010 00 2e 2e 2e 6d 6f 72 65 68 65 78 0a            
000001c

But write it to an environment variable and read it back, and the nulls get stripped:

$ export CODE=`python -c 'print "somehex...\xc7\x45\xfc\x00\x00\x00\x00...morehex"'`
$ printenv CODE | hexdump
0000000 73 6f 6d 65 68 65 78 2e 2e 2e c7 45 fc 2e 2e 2e
0000010 6d 6f 72 65 68 65 78 0a                        
0000018

Upvotes: 1
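Both answers come down to the same C-string limit: a NUL byte either ends the string (getenv/execve) or, in bash command substitution, gets dropped, so the bytes after it shift left and the movl's 4-byte immediate is decoded from whatever follows. The following Python script, added here and not part of either answer, reproduces that with a constructed byte string laid out like the question's (placeholder text around c7 45 fc 00 00 00 00, i.e. movl $0x0, -4(%ebp)) and decodes just that one mov encoding to show the immediate the debugger would display.

```python
import os

# Constructed sample modelled on the question: the 7-byte
#   movl $0x0, -4(%ebp)   ->  c7 45 fc 00 00 00 00
# sitting between two placeholder runs of bytes.
SAMPLE = b"somehex..." + b"\xc7\x45\xfc\x00\x00\x00\x00" + b"...morehex"


def nul_offsets(code: bytes) -> list:
    """Offsets of every NUL byte; any hit means the bytes cannot
    survive as a C string (environment variables included)."""
    return [i for i, b in enumerate(code) if b == 0]


def as_c_string(code: bytes) -> bytes:
    """What a C consumer (getenv, execve) sees: everything up to the first NUL."""
    return code.split(b"\x00", 1)[0]


def as_shell_substitution(code: bytes) -> bytes:
    """What bash's `...` / $(...) keeps: NULs are dropped rather than
    truncating, which matches the second hexdump in the answer above."""
    return code.replace(b"\x00", b"")


def decode_movl_ebp(code: bytes, off: int):
    """Decode the single encoding the question uses, c7 45 dd ii ii ii ii
    (mov DWORD PTR [ebp+disp8], imm32), returning (disp8, imm32)."""
    if code[off:off + 2] != b"\xc7\x45" or len(code) < off + 7:
        raise ValueError("not a movl imm32, disp8(%ebp) at this offset")
    disp8 = int.from_bytes(code[off + 2:off + 3], "little", signed=True)
    imm32 = int.from_bytes(code[off + 3:off + 7], "little")
    return disp8, imm32


def env_accepts(code: bytes) -> bool:
    """Try to put the bytes in this process's environment. CPython refuses a
    value with an embedded NUL (ValueError): the same C-string limit the shell hit."""
    try:
        os.environ["CODE_DEMO"] = code.decode("latin-1")
    except ValueError:
        return False
    del os.environ["CODE_DEMO"]
    return True


if __name__ == "__main__":
    stripped = as_shell_substitution(SAMPLE)
    print("NUL offsets:", nul_offsets(SAMPLE))
    print("as C string:", as_c_string(SAMPLE).hex(" "))
    print("intended movl:", decode_movl_ebp(SAMPLE, 10))   # (-4, 0)
    print("after stripping:", decode_movl_ebp(stripped, 10))  # immediate now "...m"
    print("env accepts original / stripped:", env_accepts(SAMPLE), env_accepts(stripped))
```

The stripped string decodes to an immediate of 0x6d2e2e2e, the bytes "...m" that followed the NULs, which is exactly the "takes the next 4 hex values as the argument" effect described in the question.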
