[framework] A little offtopic: Get EIP
Clemens Kolbitsch
clemens.kol at gmx.at
Mon Jun 25 13:57:55 CDT 2007
Oh yeah... just to make sure:
I'm using Debian Linux, 2.6.20 on an i386.
Still happy for help :-)
Clemens Kolbitsch wrote:
> Hi guys!
> Sorry... I know this is a little off-topic, but this is probably the
> best place to ask for help...
>
> We're developing a Linux kernel stager to execute netcat as reverse
> shells (or actually an app...) very similar to the WinXP stager...
>
> Everything works really well (you'll hear from us soon ;-) )
>
> However, to try an exploit, I have to obtain the current EIP (and
> store it in some register).
>
> In user mode, I use
>
> unsigned char *from;
> __asm__ __volatile__("call 0x0");
> __asm__ __volatile__("pop %eax");
> __asm__ __volatile__("mov %%eax,%0" : "=r" (from) : : "%eax");
>
> which works just fine (well, the "call 0x0" must be edited manually
> after compiling, because gcc makes a "call 0xfcffffff" out of it for
> some reason...)
>
> However, when I execute this very same code in kernel mode (during a
> system call or a module init routine, for example) I get
>
> Segmentation fault
> Code: Bad EIP value.
> EIP: [<00000004>] 0x4 SS:ESP 0068:c6afec4
>
> If I change it to "call 0x10" I get
>
> Segmentation fault
> Code: Bad EIP value.
> EIP: [<00000014>] 0x14 ....
>
> So obviously, the relative near call is treated as a call with an
> ABSOLUTE address...
>
> Can anybody tell me why?? (or simply how to do this correctly??)
>
> Thanks!!
> Clemens
>
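Editor's added example (not code from the original post or the stager it describes): the position-independent way to read the instruction pointer on x86 is to call a local label that immediately follows the call and pop the pushed return address. Because the target is the very next instruction, the assembler emits a near call with a rel32 displacement of zero and no relocation at all, so the same bytes work unchanged in a user-mode binary and in a kernel module, which is exactly what an absolute "call 0x0" cannot give you. The helper names below (get_ip, ip_is_inside_get_ip, call_is_zero_rel32) are this example's own; the 128-byte red-zone hop on x86-64 is only there so the check runs safely in user mode, since the kernel is built with -mno-red-zone and i386 has no red zone.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Return the address of the instruction after the call, i.e. the current
 * instruction pointer.  "call 1f" targets the local label that immediately
 * follows it, so the assembler emits a 5-byte near call whose rel32 is 0
 * and needs no relocation.  The encoding is the same in a userland binary
 * and in a kernel module.  (Hypothetical helper name; example code only.)
 */
__attribute__((noinline))
static void *get_ip(void)
{
    void *ip;
#if defined(__i386__)
    __asm__ __volatile__(
        "call 1f\n\t"
        "1: pop %0"
        : "=r"(ip));
#elif defined(__x86_64__)
    /*
     * User-mode x86-64 has a 128-byte red zone below %rsp that a leaf
     * function may use for locals; the return address pushed by "call"
     * would land in it, so step over it first.  Not needed in the kernel
     * (built with -mno-red-zone) and not needed on i386.
     */
    __asm__ __volatile__(
        "sub $128, %%rsp\n\t"
        "call 1f\n\t"
        "1: pop %0\n\t"
        "add $128, %%rsp"
        : "=r"(ip));
#else
#error "this example is x86-only"
#endif
    return ip;
}

/* Sanity check: the popped address must lie inside get_ip() itself. */
static int ip_is_inside_get_ip(const void *ip)
{
    uintptr_t fn = (uintptr_t)get_ip;
    uintptr_t p = (uintptr_t)ip;
    return p > fn && p < fn + 64;   /* get_ip is far shorter than 64 bytes */
}

/*
 * Encoding check: the 5 bytes preceding the popped address must be
 * E8 00 00 00 00 (near call, rel32 = 0).  An absolute "call 0x0" instead
 * carries a displacement that the linker or module loader has to fix up,
 * so its bytes cannot be reused unchanged between userland and a module.
 */
static int call_is_zero_rel32(const void *ip)
{
    static const unsigned char expect[5] = { 0xe8, 0x00, 0x00, 0x00, 0x00 };
    return memcmp((const unsigned char *)ip - 5, expect, sizeof expect) == 0;
}

int main(void)
{
    void *ip = get_ip();
    printf("get_ip() starts at %p, current ip %p, inside get_ip: %s, "
           "call bytes are e8 00 00 00 00: %s\n",
           (void *)get_ip, ip,
           ip_is_inside_get_ip(ip) ? "yes" : "no",
           call_is_zero_rel32(ip) ? "yes" : "no");
    return 0;
}
```

Dropping the same "call 1f; 1: pop %0" asm into a module init routine or a system call handler needs no manual byte patching afterwards, because there is nothing for the module loader to relocate; if you disassemble the .o you should see the zero displacement rather than the "call 0xfcffffff" that an absolute target produces.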