flat assembler
Message board for the users of flat assembler.

Index > Linux > [solved] execve giving me ENOENT

Author
Thread Post new topic Reply to topic
moveax41h



Joined: 18 Feb 2018
Posts: 59
moveax41h 06 Dec 2019, 06:32
I'm trying to run EXECVE purposely using only stack memory:

Code:
format ELF64 executable 3

segment readable executable

entry $
mov rbp, rsp
sub rsp, 32
mov rax, 'this a t'
mov [rbp-24], rax
mov rax, 'est'
mov [rbp-32], rax
mov rax, '//bin/ec'
mov [rbp-8], rax
xor rax, rax
mov ax, 'ho'
mov [rbp-16], rax
push 0

    ;rdi filename
    ;rsi argv
    ;rdx envp
    lea rdi, [rbp-8]
    lea rsi, [rbp-8]
    mov rdx, 0
    mov rax, 0x3b
    syscall

exit_program:
xor     edi,edi         ; exit code 0
mov     eax,60          ; sys_exit
syscall
    


My return code in RAX is ENOENT but I'm not sure why... I try /bin/echo or //bin/echo on my terminal and it works successfully. Anyone see what I'm doing wrong here? It looks like my argv does have a null terminator, and all my strings have a null terminator too.

_________________
-moveax41h
Post 06 Dec 2019, 06:32
View user's profile Send private message Reply with quote
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 8356
Location: Kraków, Poland
Tomasz Grysztar 06 Dec 2019, 11:04
It looks like you have items on the stack in the wrong order. [rbp-16] is before [rbp-8] in memory, but you put the beginning of the string in [rbp-8] and the end in [rbp-16].
Post 06 Dec 2019, 11:04
View user's profile Send private message Visit poster's website Reply with quote
moveax41h



Joined: 18 Feb 2018
Posts: 59
moveax41h 06 Dec 2019, 16:31
Ok, I've tried this and instead of ENOENT, I now get a EFAULT, so I think I'm getting warmer. See screenshot which clearly shows the stack layout and such. It looks like if the array is being read from low to high address, starting at the location of /bin/echo, this should work. There are NULLs after each "sentence"/arg and a NULL after the end of the array too, so still a bit confused. Please see attached image.

Thank you.


Description:
Filesize: 386.14 KB
Viewed: 6064 Time(s)

echo_push.jpg



_________________
-moveax41h
Post 06 Dec 2019, 16:31
View user's profile Send private message Reply with quote
moveax41h



Joined: 18 Feb 2018
Posts: 59
moveax41h 08 Dec 2019, 05:11
Here's my final working solution to this:

Code:
format ELF64 executable 3

segment readable executable

entry $
mov rbp, rsp
sub rsp, 32
mov rax, 'this a t'
mov [rbp-16], rax
mov rax, 'est'
mov [rbp-8], rax
mov rax, '/bin/ech'
mov [rbp-32], rax
xor rax, rax
mov al, 'o'
mov [rbp-24], rax
push 0
mov rax, 0
mov [rbp], rax

;rdi filename
;rsi argv
;rdx envp
lea rdi, [rbp-32]
xor rdx, rdx
lea r9, [rbp-16]
push r9
lea r9, [rbp-8]
push r9
mov rsi, rsp
mov rax, 0x3b
syscall

exit_program:
xor     edi,edi         ; exit code 0
mov     eax,60          ; sys_exit
syscall
    
Post 08 Dec 2019, 05:11
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.