
Trying to issue an execve() syscall in Linux to touch a file called "Everything is OK"

Here's the stack:

0xffffd33c: 0x6e69622f  0x756f742f  0x45006863  0x79726576
0xffffd34c: 0x6e696874  0x73692067  0x004b4f20  0x00000000
0xffffd35c: 0xf7ff000a  0x00000001  0x080483a0  0x00000000
0xffffd36c: 0x080483c1  0x08048454  0x00000001  0xffffd394

That should be little-endian ordered "/bin/touch\0Everything is OK\0" followed by a NULL byte, which it appears to be.

Here are the registers:

eax            0xfffffff2       -14
ecx            0xffffd33c       -11460
edx            0x0  0
ebx            0xffffd33c       -11460
esp            0xffffd33c       0xffffd33c

EAX was 11 (for execve() linux syscall) before the int 0x80 caused an error which changed the value of EAX to -14

I can't figure out why my pointers (stored in ebx, ecx) are causing a format error with execve()'s arguments. They point to the same data, but it's a null-terminated string followed by a second null-terminated string followed by a NULL pointer, so it should be treated as only the first string by ebx and as a NULL-pointer-terminated array by ecx.

Thanks.

qJake
gal

1 Answer


Your value for ecx is wrong. What your code seems to do is the equivalent of

char *arg[] = {"/bin/touch", "Everything is OK", 0};
execve(arg[0], arg[0], 0);

But it should be:

execve(arg[0], arg, 0);

See the difference? ecx should contain the address to a list of pointers to the arguments, not a pointer to the first argument.

mata