Question
mysh.s code
section .text
global _start
_start:
  ;Store the argument string on stack
  xor eax, eax
  push eax          ;Use 0 to terminate the string
  push "//sh"       ;redundant / keeps the string a multiple of 4 bytes
  push "/bin"
  mov ebx, esp      ;Get the string address
  ;Construct the argument array argv[]
  push eax          ;argv[1] = 0
  push ebx          ;argv[0] points to the cmd string
  mov ecx, esp      ;Get the address of argv[]
  ;For environment variable
  xor edx, edx      ;No env variable
  ;Invoke execve()
  xor eax, eax      ;eax = 0x00000000
  mov al, 0x0b      ;eax = 0x0000000b (execve)
  int 0x80
2.3 Task 1.c. Providing Arguments for System Calls
Inside mysh.s, in Lines and , we construct the argv[] array for the execve() system call. Since our command is /bin/sh, without any command-line arguments, our argv array only contains two elements: the first one is a pointer to the command string, and the second one is zero. In this task, we need to run the following command, i.e., we want to use execve to execute the following command, which uses /bin/sh to execute the "ls -la" command.
/bin/sh -c "ls -la"
In this new command, the argv array should have the following four elements, all of which need to be constructed on the stack. Please modify mysh.s and demonstrate your execution result. As usual, you cannot have zero in your shellcode (you are allowed to use redundant /).
argv[3] = 0
argv[2] = "ls -la"
argv[1] = "-c"
argv[0] = "/bin/sh"
2.4 Task 1.d. Providing Environment Variables for execve()
The third parameter for the execve() system call is a pointer to the environment variable array, and it allows us to pass environment variables to the program. In our sample program (Line ), we pass a null pointer to execve(), so no environment variable is passed to the program. In this task, we will pass some environment variables. If we change the command "/bin/sh" in our shellcode mysh.s to "/usr/bin/env", which is a command to print out the environment variables, you can find out that when we run our shellcode, there will be no output, because our process does not have any environment variable. In this task, we will write a shellcode called myenv.s. When this program is executed, it executes the "/usr/bin/env" command, which can print out the following environment variables:
$./myenv
aaa=1234
bbb=5678
cccc=1234
It should be noted that the value for the environment variable cccc must be exactly 4 bytes (no space is allowed to be added to the tail). We intentionally make the length of this environment variable string (name and value) not a multiple of 4. To write such a shellcode, we need to construct an environment variable array on the stack, and store the address of this array in the edx register, before invoking execve(). The way to construct this array on the stack is exactly the same as the way we construct the argv[] array. Basically, we first store the actual environment variable strings on the stack. Each string has the format name=value, and it is terminated by a zero byte. We need to get the addresses of these strings. Then, we construct the environment variable array, also on the stack, and store the addresses of the strings in this array. The array should look like the following (the order of the elements 0, 1, and 2 does not matter):
env[3] = 0                                 // 0 marks the end of the array
env[2] = address to the "cccc=1234" string
env[1] = address to the "bbb=5678" string
env[0] = address to the "aaa=1234" string
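As an added example, not code from the lab or the posted mysh.s: the Python helper below generates, for any of the strings Tasks 1.c and 1.d put on the stack ("-c", "ls -la", "cccc=1234", "/bin/sh"), the NASM push sequence that leaves the string NUL-terminated without a zero byte in the instruction encoding, then simulates the resulting stack bytes and encodes the instructions so both properties can be checked. It assumes 32-bit code with eax already zeroed (as mysh.s does before its pushes) and handles the leftover 1 to 3 tail bytes with push byte / push word rather than the redundant "/" padding the lab allows for paths.

```python
import struct
# Added helper (not from the SEED lab or the posted mysh.s). Assumes 32-bit
# i386 code with eax already 0, as after the "xor eax, eax" in mysh.s.

def push_sequence(s: str):
    """Return (nasm_lines, stack_bytes) that leave s NUL-terminated on the stack.
    The string is pushed tail first (the stack grows down) so its head ends up
    lowest, where esp points afterwards.  The 1-3 leftover tail bytes use
    push byte / push word, whose imm8 / imm16 encodings carry no 0x00 byte.
    """
    data = s.encode("ascii")
    if b"\x00" in data or any(c >= 0x80 for c in data):
        raise ValueError("only NUL-free 7-bit ASCII can be pushed this way")
    cut = len(data) // 4 * 4
    head, tail, lines, stack = data[:cut], data[cut:], [], b""

    def push(asm, raw):
        nonlocal stack
        lines.append(asm)
        stack = raw + stack           # a push lands below what is already there

    if len(tail) % 2 == 0:            # 0 or 2 tail bytes: terminator from eax == 0
        push("push eax              ; 4 zero bytes terminate the string", b"\x00" * 4)
    else:                             # 1 or 3 tail bytes: imm8 < 0x80 extends to X,0,0,0
        push(f"push byte 0x{tail[-1]:02x}      ; {chr(tail[-1])!r} + 3 zero bytes",
             bytes([tail[-1], 0, 0, 0]))
        tail = tail[:-1]
    if tail:                          # the remaining 2 tail bytes as one 16-bit push
        push(f"push word 0x{struct.unpack('<H', tail)[0]:04x}    ; {tail.decode()!r}", tail)
    for i in range(cut - 4, -1, -4):  # then the full 4-byte chunks, last one first
        chunk = head[i:i + 4]
        push(f"push dword 0x{struct.unpack('<I', chunk)[0]:08x} ; {chunk.decode()!r}", chunk)
    return lines, stack

def encode(lines) -> bytes:
    """i386 machine code of the emitted pushes: 50 / 6A ib / 66 68 iw / 68 id."""
    opcode = {"eax": b"\x50", "byte": b"\x6a", "word": b"\x66\x68", "dword": b"\x68"}
    fmt = {"byte": "<B", "word": "<H", "dword": "<I"}
    out = b""
    for line in lines:
        op = line.split(";")[0].split()   # e.g. ['push', 'word', '0x632d']
        out += opcode[op[1]]
        if op[1] != "eax":
            out += struct.pack(fmt[op[1]], int(op[2], 16))
    return out

def c_string(stack: bytes) -> str:
    """What execve() reads at the string's address: bytes up to the first NUL."""
    return stack.split(b"\x00", 1)[0].decode("ascii")
```

After each string's pushes, `mov reg, esp` records its address, exactly as mysh.s does with ebx, and those addresses are what the argv[] and env[] arrays hold.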