GithubHelp home page GithubHelp logo

Comments (2)

david942j avatar david942j commented on July 21, 2024

do_system() also has a similar call.

   54fdb:       48 8d 05 c5 25 16 00    lea    rax,[rip+0x1625c5]        # -c
   54fe2:       48 8d 0d c6 25 16 00    lea    rcx,[rip+0x1625c6]        # sh
   54fe9:       31 d2                   xor    edx,edx
   54feb:       66 48 0f 6e c8          movq   xmm1,rax
   54ff0:       66 48 0f 6e c1          movq   xmm0,rcx
   54ff5:       48 8d 7c 24 0c          lea    rdi,[rsp+0xc]
   54ffa:       48 8b 05 af 5e 19 00    mov    rax,QWORD PTR [rip+0x195eaf]        # environ_ptr
   55001:       66 0f 6c c1             punpcklqdq xmm0,xmm1
   55005:       4c 8d 44 24 50          lea    r8,[rsp+0x50]
   5500a:       48 89 e9                mov    rcx,rbp
   5500d:       48 89 5c 24 60          mov    QWORD PTR [rsp+0x60],rbx
   55012:       4c 8b 08                mov    r9,QWORD PTR [rax]
   55015:       48 8d 35 8e 25 16 00    lea    rsi,[rip+0x16258e]        # /bin/sh
   5501c:       0f 29 44 24 50          movaps XMMWORD PTR [rsp+0x50],xmm0
   55021:       48 c7 44 24 68 00 00 00 00      mov    QWORD PTR [rsp+0x68],0x0
   5502a:       e8 b1 a7 0b 00          call   10f7e0 <posix_spawn@@GLIBC_2.15>

Jump to 0x54fe2 leads to:
posix_spawn(rsp+0xc, "/bin/sh", 0, rbp, rsp+0x50, environ), and the array at rsp+0x50 is { "sh", rax, rbx, 0 }

The constraints are

  • rbp == NULL or (u16)[rbp] == 0 (posix_spawnattr_t.__flags == 0)
  • rax == NULL

The original source is

status = __posix_spawn (&pid, SHELL_PATH, 0, &spawn_attr,
                        (char *const[]){ (char*) SHELL_NAME,
                        (char*) "-c",
                        (char *) line, NULL },
                        __environ);

from one_gadget.

david942j avatar david942j commented on July 21, 2024 
posix_spawn (pid_t *pid, const char *path, const posix_spawn_file_actions_t *file_actions, const posix_spawnattr_t *attrp, char *const argv[], char *const envp[])

Constraints are

  • pid == NULL || *pid is writable
  • attrp == NULL || attrp->flags == 0
  • file_actions == NULL || (int) (file_actions->__used) <= 0

Meet all constraints then posix_spawn eventually calls execve(path, argv, envp)

from one_gadget.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.