Tags: assembly, arguments, x86-64, shellcode, execv

Execve with argument in x64 with gnu asm


I am trying to write shellcode in GNU asm for Linux and I'm unable to call execve with arguments.

What I'm trying to do:

execve("/bin/ls", ["/bin/ls", "-la", NULL], NULL);

This is my code:

.section .text
.globl _start
_start:
    push $0x3b
    pop %rax                          # rax = 59 (execve)
    xorq %rdx, %rdx                   # rdx = 0 (envp = NULL)

    push %rdx                         # zero bytes above the strings
    movabs $0x61616161616c2d2d, %r8   # "--laaaaa"
    shr $0x8, %r8                     # -> "-laaaaa\0"
    push %r8

    movabs $0x736c2f6e69622f2f, %r8   # "//bin/ls"
    shr $0x8, %r8                     # -> "/bin/ls\0"
    push %r8
    mov %rsp, %rdi                    # rdi = &"/bin/ls"
    push %rdx                         # NULL
    push %rdi                         # &"/bin/ls"
    mov %rsp, %rsi                    # rsi = argv
    syscall

    push $0x3c
    pop %rax                          # rax = 60 (exit)
    xorq %rdi, %rdi
    syscall

And just before the execve syscall, this is what my registers/stack look like in gdb:

I suppose that:

  • RDI must contain the "/bin/ls" address
  • RSI must contain the address of the "/bin/ls" address
  • RDX = NULL

The shellcode is executing /bin/ls, but not with the -la args.

What is wrong?

Thanks


Solution

  • You never pushed a pointer to the second argv string. push %rdx; push %rdi pushes NULL and then the pointer to "/bin/ls", but there is no pointer to your "-laaaaa". You need one more push in between the two. For instance:

        push %rdx           # NULL
        lea 8(%rdi), %rcx   # pointer to "-laaaaa"
        push %rcx
        push %rdi           # pointer to "/bin/ls"
        mov %rsp, %rsi      # pointer to the argument vector
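A complete listing that applies this fix, added here as an example and not part of the original answer: it keeps the asker's movabs/shr trick (assumed to be there to keep zero bytes out of the encoded shellcode), passes the two-character option "-la" the question asked for instead of "-laaaaa", and builds the three-entry argv the answer describes, last element first so that rsp ends up pointing at argv[0].

```asm
.section .text
.globl _start
_start:
    xor %rdx, %rdx                    # rdx = 0: envp = NULL, also used as a NULL source
    push %rdx                         # zero bytes above the strings

    # "-la\0": put the three bytes in the high part of the immediate (no zero
    # bytes in the encoding), then shift them down so a NUL terminator follows.
    movabs $0x616c2d4141414141, %r8   # "AAAAA-la" (0x41 padding)
    shr $40, %r8                      # r8 = 0x0000000000616c2d -> "-la\0"
    push %r8

    # "/bin/ls\0": "//bin/ls" shifted right by one byte, as in the question.
    movabs $0x736c2f6e69622f2f, %r8   # "//bin/ls"
    shr $8, %r8                       # r8 -> "/bin/ls\0"
    push %r8
    mov %rsp, %rdi                    # rdi = &"/bin/ls" (pathname and argv[0])
    lea 8(%rdi), %rcx                 # rcx = &"-la" (pushed just before, 8 bytes above)

    # argv = { &"/bin/ls", &"-la", NULL }, pushed in reverse order
    push %rdx                         # argv[2] = NULL
    push %rcx                         # argv[1] = &"-la"
    push %rdi                         # argv[0] = &"/bin/ls"
    mov %rsp, %rsi                    # rsi = argv

    push $0x3b
    pop %rax                          # rax = 59 (execve)
    syscall                           # execve("/bin/ls", argv, NULL)

    # only reached if execve fails
    push $0x3c
    pop %rax                          # rax = 60 (exit)
    xor %rdi, %rdi
    syscall
```

Assemble and link with `as --64 -o ls.o ls.s && ld -o ls ls.o`; running `./ls` should now produce a long-format listing. To check the layout the question asked about, break on the first `syscall` in gdb and run `x/s $rdi` (the pathname), `x/3gx $rsi` (the three argv slots; the third must be 0) and `x/s *(char**)($rsi+8)` (should print "-la"). `objdump -d ls` lets you confirm that no instruction encoding contains a 0x00 byte.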