
I'm using the fnstenv FPU instruction to get the EIP in a 64-bit shellcode. Running it in GDB everything looks fine:

    0x0000000000400080    fldz
    0x0000000000400082    fnstenv [rsp-0xc]

After single-stepping through these instructions with si, I get the right value on the stack (0x0000000000400082).

What I'm missing is this: if I place a breakpoint after the fnstenv and then execute with continue, with no breakpoint in between, I get a wrong value: 0x0000003300400082. The 0x00000033 is the value of the CS register... not sure if this is a coincidence or not.

I'm using nasm and ld with the following syntax:

    nasm -f elf64 shell.asm -o shell.o
    ld shell.o -o sh --omagic
  • Can you include the complete source code? – Nate Eldredge Jul 23 '20 at 23:53
  • 1
    `fnstenv` is not 64 bit aware, so you only get the low 32 bits of RIP which is EIP as you said, but printed it wrong. The following word indeed contains the `CS` selector. That said, `gdb` indeed behaves strangely when using `si`, I don't even get a valid dump. The correct behavior is the second one. PS: what's wrong with something along the lines of `lea rax, [rip]`? – Jester Jul 23 '20 at 23:53
  • Also note that you need 28 bytes of memory so the `rsp-0xc` is very suspicious even if it's not relevant to the current issue. – Jester Jul 23 '20 at 23:58
  • This is the complete source code. I cannot use a lea because I have some restrictions in opcodes, so that's why I'm using this...but if it's not supposed to work for 64 bits, I guess I need to find another way. – cips Jul 24 '20 at 00:04
  • 1
    There is `fxsave64` but that doesn't work for me at all. Surely you can do `syscall` though? That sets `rcx` to `rip`. – Jester Jul 24 '20 at 00:17
  • Good point...I need to try these out....Thanks! – cips Jul 24 '20 at 00:31
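
Added example (not from the question or the comments): a C decoder for the 28-byte image that `fnstenv` writes in its 32-bit operand form, fed a constructed sample image carrying the FIP/CS values the question reports. It shows why a 64-bit read at offset 12 yields `0x0000003300400082`: the low dword is the 32-bit FIP and the next dword is the CS selector slot, so only the low 32 bits are the instruction pointer. Struct and function names are my own.

```c
#include <stdint.h>
#include <stdio.h>

/* 28-byte x87 environment image that FNSTENV writes in 32-bit operand form,
 * the form used in 64-bit mode without REX.W. Every 16-bit field is padded to
 * a 32-bit slot, and FIP/FDP hold only the low 32 bits of their pointers. */
typedef struct {
    uint16_t fcw;  /* offset  0: control word */
    uint16_t fsw;  /* offset  4: status word */
    uint16_t ftw;  /* offset  8: tag word */
    uint32_t fip;  /* offset 12: low 32 bits of the last non-control x87 instruction's address */
    uint16_t fcs;  /* offset 16: its CS selector */
    uint16_t fop;  /* offset 16, bits 16..26: opcode bits; 0 on current CPUs unless an unmasked x87 exception occurred */
    uint32_t fdp;  /* offset 20: low 32 bits of the last memory operand's address */
    uint16_t fds;  /* offset 24: its DS selector */
} x87_env;
#define X87_ENV_SIZE 28

static uint32_t rd32(const uint8_t *p) {            /* little-endian helpers */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }

/* Decode an image into its fields; returns 0 on success, -1 if the buffer is short. */
int x87_env_decode(const uint8_t *img, size_t len, x87_env *out) {
    if (len < X87_ENV_SIZE) return -1;
    out->fcw = (uint16_t)rd32(img + 0);  out->fsw = (uint16_t)rd32(img + 4);
    out->ftw = (uint16_t)rd32(img + 8);  out->fip = rd32(img + 12);
    out->fcs = (uint16_t)(rd32(img + 16) & 0xffff);
    out->fop = (uint16_t)((rd32(img + 16) >> 16) & 0x7ff);
    out->fdp = rd32(img + 20);           out->fds = (uint16_t)rd32(img + 24);
    return 0;
}
/* What a qword load from image+12 returns: FIP low, the FCS/FOP slot high. */
uint64_t x87_env_fip_qword(const uint8_t *img) { return rd64(img + 12); }

/* Constructed sample image (not captured from a machine): FIP/FCS carry the
 * values the question reports (0x400082, CS 0x33); the other fields are filler. */
static const uint8_t sample_img[X87_ENV_SIZE] = {
    0x7f,0x03,0,0,  0,0,0,0,  0xff,0xff,0,0,   /* FCW 0x037f, FSW, FTW */
    0x82,0x00,0x40,0x00,  0x33,0,0,0,          /* FIP 0x00400082, FCS 0x0033, FOP 0 */
    0,0,0,0,  0,0,0,0 };                       /* FDP, FDS */

int main(void) {
    x87_env e;
    if (x87_env_decode(sample_img, sizeof sample_img, &e) != 0) return 1;
    uint64_t q = x87_env_fip_qword(sample_img);
    printf("FIP=0x%08x FCS=0x%04x qword@+12=0x%016llx low32=0x%08x\n",
           e.fip, e.fcs, (unsigned long long)q, (uint32_t)q);
    return 0;
}
```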

0 Answers