in the name of zero

February 20, 2006

execve with arguments

Filed under: hermetic studies

so far, i’ve only been doing simple program loading using sys_execve in shellcodes. simple in the sense that no arguments are being passed to the loaded programs. unfortunately, running a program without any arguments produces rather boring output. today, i added a bit of a twist to things: i tried to implement a shellcode that chroots into a particular directory.

first, an introduction.

chroot, or “change root”, makes it possible for a user to run a command or an interactive shell with a special ‘user defined’ directory acting as its root directory.

of course, a little bit of preparation is required before running chroot: one needs to build an imitation of the real root directory. here’s how mine went.

first, i made a directory that will act as my fake root.

steph@heaven ~ $ mkdir myroot ; cd myroot

once i’m in my fake root, i’ll be using /bin/bash, /bin/ls and /bin/pwd so i also need to create a bin directory inside my fake root where bash, ls and pwd will reside.

steph@heaven ~/myroot $ mkdir bin

then i copied the bash, ls and pwd binaries into it from my ‘real’ root.

steph@heaven ~/myroot $ cp /bin/bash bin/
steph@heaven ~/myroot $ cp /bin/ls bin/
steph@heaven ~/myroot $ cp /bin/pwd bin/

things are not done yet! i still had to resolve their shared library dependencies for them to work! i first resolved /bin/bash’s dependencies.

steph@heaven ~/myroot $ ldd /bin/bash
        linux-gate.so.1 =>  (0xffffe000)
        libdl.so.2 => /lib/libdl.so.2 (0xb7f19000)
        libc.so.6 => /lib/libc.so.6 (0xb7e01000)
        /lib/ld-linux.so.2 (0xb7f28000)

it uses some files inside /lib! so inside my fake root, i also created a lib directory and copied the shared objects there. (linux-gate.so.1 has no file on disk; it is mapped into every process by the kernel, so there is nothing to copy for it.)

steph@heaven ~/myroot $ mkdir lib
steph@heaven ~/myroot $ cp /lib/libdl.so.2 lib/
steph@heaven ~/myroot $ cp /lib/libc.so.6 lib/
steph@heaven ~/myroot $ cp /lib/ld-linux.so.2 lib/

i did the same for ls and pwd: printed their shared dependencies using ldd, then copied them to their respective directories inside my fake root. after copying, i verified that everything was in place.

steph@heaven ~/myroot $ ls -l *
bin:
total 761
-rwxr-xr-x  1 steph users 680316 Feb 19 15:33 bash
-rwxr-xr-x  1 steph users  75268 Feb 19 15:33 ls
-rwxr-xr-x  1 steph users  15716 Feb 19 15:26 pwd

lib:
total 1301
-rwxr-xr-x  1 steph users   83620 Feb 19 15:36 ld-linux.so.2
-rwxr-xr-x  1 steph users 1228960 Feb 19 15:36 libc.so.6
-rwxr-xr-x  1 steph users   10892 Feb 19 15:36 libdl.so.2

groovy! my fake root looks like a real simple root now! time to test it.

steph@heaven ~ $ chroot /home/steph/myroot /bin/bash
chroot: cannot change root directory to /home/steph/myroot: Operation not permitted

oopsie! the chroot system call needs a privilege (the CAP_SYS_CHROOT capability) that a normal user does not have. i guess i better run chroot as “root”.

heaven steph # chroot /home/steph/myroot /bin/bash
bash-3.00#

it worked! let’s try running some commands inside the fake root shall we?

heaven steph # chroot /home/steph/myroot /bin/bash
bash-3.00# ls
bin  lib
bash-3.00# pwd
/
bash-3.00# cat
bash: cat: command not found

i tried running three commands inside my fake root. the first was ls, and it showed the contents of my chrooted directory. next was pwd, and it showed my present working directory, which happens to be “/” of my fake root. lastly, cat, which didn’t work: i don’t have cat inside my fake root, since i only copied three binaries and their corresponding dependencies. a good chroot directory must have all the important files or binaries for it to be productive, and it must not contain useless files that won’t be used. in my case, that was the cat command.

lastly, i exited my chroot environment and copied the fake root folder (myroot) to where the real fun will happen: inside my git repository!

steph@heaven ~ $ cp -r myroot ~/git/null/asm/shellcoding/

it was too bad that i had to run chroot as “root”. quite creepy.
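here is the same preparation done as a script rather than by hand (an added example, not code from the original post): it copies each binary into the fake root, parses ldd’s output for the shared objects it needs and copies those too, then re-checks that every dependency of every binary in the fake root’s bin is actually present. it assumes a POSIX sh with ldd, awk and cp -L; the function names are this example’s own.

```shell
#!/bin/sh
# build a fake root the way the post does by hand: copy each binary in,
# then copy the shared objects ldd reports for it. POSIX sh; needs ldd, awk, cp -L.
# function names (populate_fake_root, verify_fake_root, ...) are this example's own.

# print the on-disk paths ldd reports for one binary. entries without a path,
# such as linux-gate.so.1 / linux-vdso.so.1 (mapped by the kernel), are skipped.
# note: ldd runs the dynamic loader on its argument, so only point it at binaries you trust.
ldd_paths() {
    ldd "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# copy a file into the fake root at the same path it has in the real root, dereferencing
# symlinks (libc.so.6 is often a link) so the chroot holds a real file.
copy_into_root() {
    mkdir -p "$1$(dirname "$2")"
    cp -L "$2" "$1$2"
}

# populate_fake_root <root> <binary>...
populate_fake_root() {
    root=$1
    shift
    mkdir -p "$root"
    for bin in "$@"; do
        copy_into_root "$root" "$bin"
        for lib in $(ldd_paths "$bin"); do
            copy_into_root "$root" "$lib"
        done
    done
}

# verify_fake_root <root>: the check the post did by eye with `ls -l *`. every shared
# object each binary under <root>/bin depends on must exist inside <root>; returns 1 otherwise.
verify_fake_root() {
    root=$1
    status=0
    for bin in "$root"/bin/*; do
        for lib in $(ldd_paths "$bin"); do
            if [ ! -e "$root$lib" ]; then
                echo "missing: $root$lib (needed by $bin)" >&2
                status=1
            fi
        done
    done
    return $status
}
```

for the post’s setup that is `populate_fake_root ~/myroot /bin/bash /bin/ls /bin/pwd && verify_fake_root ~/myroot`, after which `chroot ~/myroot /bin/bash` is run as root exactly as above.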

next page: the shellcode
