I need to build a shellcode without the 0x0f byte. The problem is that the `syscall` and `sysenter` instructions have 0x0f in their machine code. Is there any instruction I can use to call `execve`?
Asked by Mocanu Gabriel; edited by Peter Cordes.
- AFAIK your only alternative is `int 0x80`, and [that doesn't work with pointer arguments except in very special cases](https://stackoverflow.com/questions/46087730/what-happens-if-you-use-the-32-bit-int-0x80-linux-abi-in-64-bit-code). On the other hand, if you're able to load and execute shellcode, the memory where it's located is probably writable and executable, so self-modifying code is an option. – Nate Eldredge Dec 01 '21 at 20:40
- Or, of course, you can try to call the `execve` function that's already in `libc`, or jump to a syscall instruction in the library or at some other known address in executable memory. Since it's `execve` you don't care about getting control back afterwards. – Nate Eldredge Dec 01 '21 at 20:44
- See also https://stackoverflow.com/questions/68715350 – Kai Burghardt Dec 01 '21 at 21:24
1 Answer
After some work here, I found one solution. The idea behind it was to construct a shellcode that has the capability to change itself, modifying some bytes of machine code before they execute.

So what I did was to load RIP into a register and put some bytes after it. Then I changed those bytes to `\x0f\x05`, and in this way I finally executed my shellcode. I could have used a RIP-relative store instead of a RIP-relative LEA, after getting the desired bytes into a register (with `mov` + `xor` or shift, or various other ways).
Answered by Mocanu Gabriel; edited by Peter Cordes.
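The question and answer above turn on one fact: `syscall` (0F 05) and `sysenter` (0F 34) both begin with the 0x0F two-byte-opcode escape, while `int 0x80` (CD 80) does not, so a filter that rejects 0x0F rules out both direct 64-bit entry instructions. The following C program is an added example, not code from the question, the answer, or either poster: it is the screening routine a defender or a payload-constraint checker would run over a byte blob to report forbidden bytes and any direct kernel-entry encodings, and it works out which of the three entry encodings survive a given forbidden byte. The two sample blobs (`xor rdi, rdi ; syscall` and `xor eax, eax ; int 0x80`) are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Two-byte encodings of the x86 instructions that transfer control to the
 * kernel. syscall (0F 05) and sysenter (0F 34) both start with the 0x0F
 * two-byte-opcode escape; int 0x80 (CD 80) does not. */
struct kernel_entry {
    const char *name;
    uint8_t op[2];
};

static const struct kernel_entry ENTRIES[] = {
    { "syscall",  { 0x0f, 0x05 } },
    { "sysenter", { 0x0f, 0x34 } },
    { "int 0x80", { 0xcd, 0x80 } },
};
#define N_ENTRIES (sizeof ENTRIES / sizeof ENTRIES[0])

/* Constructed sample blobs for this example (not from the original post):
 *   xor rdi, rdi ; syscall        and        xor eax, eax ; int 0x80 */
static const uint8_t SAMPLE_SYSCALL[] = { 0x48, 0x31, 0xff, 0x0f, 0x05 };
static const uint8_t SAMPLE_INT80[]   = { 0x31, 0xc0, 0xcd, 0x80 };

/* 1 if the byte `bad` occurs anywhere in buf[0..len), else 0. This is the
 * whole-payload check a bad-character filter applies. */
int contains_byte(const uint8_t *buf, size_t len, uint8_t bad)
{
    return memchr(buf, bad, len) != NULL;
}

/* Number of positions at which the two-byte pattern op[] occurs in buf.
 * A linear byte scan does not decode instructions, so a pair that sits
 * inside an immediate or a displacement is reported too: this is a
 * screening heuristic, not a disassembler. */
int count_encoding(const uint8_t *buf, size_t len, const uint8_t op[2])
{
    int hits = 0;
    for (size_t pos = 0; pos + 1 < len; pos++)
        if (buf[pos] == op[0] && buf[pos + 1] == op[1])
            hits++;
    return hits;
}

/* Total number of kernel-entry encodings found in buf, over ENTRIES. */
int count_kernel_entries(const uint8_t *buf, size_t len)
{
    int total = 0;
    for (size_t i = 0; i < N_ENTRIES; i++)
        total += count_encoding(buf, len, ENTRIES[i].op);
    return total;
}

/* Bitmask (bit i = ENTRIES[i]) of the entry encodings that contain no
 * occurrence of `bad`. For bad = 0x0f only int 0x80 survives, which is
 * exactly the situation the question describes. */
unsigned entries_avoiding_byte(uint8_t bad)
{
    unsigned mask = 0;
    for (size_t i = 0; i < N_ENTRIES; i++)
        if (ENTRIES[i].op[0] != bad && ENTRIES[i].op[1] != bad)
            mask |= 1u << i;
    return mask;
}

int main(void)
{
    const uint8_t bad = 0x0f;
    printf("sample 1: contains 0x%02x = %d, kernel entries = %d\n", bad,
           contains_byte(SAMPLE_SYSCALL, sizeof SAMPLE_SYSCALL, bad),
           count_kernel_entries(SAMPLE_SYSCALL, sizeof SAMPLE_SYSCALL));
    printf("sample 2: contains 0x%02x = %d, kernel entries = %d\n", bad,
           contains_byte(SAMPLE_INT80, sizeof SAMPLE_INT80, bad),
           count_kernel_entries(SAMPLE_INT80, sizeof SAMPLE_INT80));
    unsigned ok = entries_avoiding_byte(bad);
    for (size_t i = 0; i < N_ENTRIES; i++)
        printf("%-9s %s\n", ENTRIES[i].name,
               (ok >> i) & 1u ? "free of 0x0f" : "contains 0x0f");
    return 0;
}
```

Two caveats follow from the thread itself. First, the scan is static: the self-modifying approach in the answer writes the 0F 05 pair at run time, so the bytes never appear in the blob as delivered and a byte-pattern scan will not see them; catching that variant means looking at behaviour, such as stores into memory that is both writable and executable, which is the condition Nate Eldredge's comment points out such code relies on. Second, the scan matches byte pairs, not decoded instructions, so treat a hit as a reason to disassemble, not as proof of a syscall.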