I am learning assembly and I wrote this shellcode which is supposed to open the Google homepage on firefox. However it doesn't do anything (and even segfaults at the end because of an added instruction add %al,(%rax) which I don't understand), do I do things right ? I am actually not even sure I encoded the strings correctly. Thanks !
global _start
_start:
xor rax, rax
push rax
;https:////www.google.com
push 0x6d6f632e656c676f
push 0x6f672e7777772f2f
push 0x2f2f3a7370747468
mov rcx, rsp
push 0x786f66657269662f ; /firefox
push 0x6e69622f7273752f ; /usr/bin
mov rdi, rsp
push rax
push rcx
push rdi
mov rsi, rsp
; execve
mov al, 0x3b
syscall
I test my code with :
char code[] = \x48\x31\xc0\x50\x68\x6f\x67\x6c\x65\x68\x2f\x2f\x77\x77\x68\x68\x74\x74\x70\x48\x89\xe1\x68\x2f\x66\x69\x72\x68\x2f\x75\x73\x72\x48\x89\xe7\x50\x51\x57\x48\x89\xe6\xb0\x3b\x0f\x05
int main(int argc, char **argv){
(*(void(*)()) code)();
return 0;
}`
You missed a null terminator on the firefox path. Add a push rax before the firefox hex just like you did with google.com.
Also, to make sure you don't crash due to the lack of an envp variable (i.e. a random rdx), add this line when constructing rsi
...
push rax
mov rdx, rsp # Add this to set rdx = [null]
push rcx
...
This passes in an empty array to envp through the rdx register.
Finally: Normally the push rax is a hack to get past null & newline blocked string inputs. If you're just calling it within your own c code, you can use push 0 instead of push rax and forget the top line xor (Using mov rax, 0x3b for the syscall). You can leave it as-is. This was just a note.