Reputation: 27
This shellcode does not work when assembled
section .text
global _start
_start:
    jmp GotoCall
shellcode:
    pop edi                   ; edi = address of the '/bin/shJAAAAKKKK' bytes (they live in .text)
    xor eax, eax
    mov byte [edi + 7], al    ; overwrite the 'J' with a NUL byte, i.e. write into .text
    lea ebx, [edi]
    mov dword [edi + 8], ebx  ; argv[0] = pointer to "/bin/sh" (overwrites 'AAAA')
    mov dword [edi + 12], eax ; argv[1] = NULL (overwrites 'KKKK')
    mov al, 0x0b              ; execve syscall number
    mov ebx, edi              ; filename
    lea ecx, [edi + 8]        ; argv
    lea edx, [edi + 12]       ; envp
    int 0x80
GotoCall:
    call shellcode
    db '/bin/shJAAAAKKKK'
This little shellcode will work in this C program called "Shellcode tester".
/* shellcode tester */
#include <stdlib.h>

/* The array lives in .data, which is writable; running it as code additionally
   requires an executable data segment (e.g. link with -z execstack). */
char shellcode[] = "\xe9\x1a\x00\x00\x00\x5f\x31\xc0\x88\x47\x07\x8d\x1f\x89\x5f\x08\x89\x47\x0c\xb0\x0b\x89\xfb\x8d\x4f\x08\x8d\x57\x0c\xcd\x80\xe8\xe1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x4a\x41\x41\x41\x41\x4b\x4b\x4b\x4b";

int main(int argc, char *argv[])
{
    int (*ret)();              /* ret is a function pointer */
    ret = (int(*)())shellcode; /* ret points to our shellcode */
                               /* shellcode is type cast as a function */
    (int)(*ret)();             /* execute, as a function, shellcode[] */
    exit(0);                   /* exit() */
}
But it won't work when I assemble and link it. Why exactly?
When I debugged it with GDB, the problem was the EDI register in this line; EDI points exactly to the string that exists in the stack, I mean the bytes in ASCII:
mov byte [edi + 7], al
This shellcode does work when assembled
Another shellcode that I found is this:
section .text
global _start
_start:
    jmp GotoCall
shellcode:
    xor eax, eax  ; zero out eax
    push eax      ; push 00000000 on to the stack
    push 'n/sh'   ; push hex //bin/sh on to the stack
    push '//bi'
    ; at this point the stack contains //bin/sh0x00000000
    mov ebx, esp  ; this satisfies the requirements for *filename (first argument of execve)
    push eax      ; push 00000000 on to the stack
    ; at this point the stack contains 0x00000000//bin/sh0x00000000
    mov edx, esp
    push ebx      ; ebx contains the memory address of the stack where //bin/sh0x00000000 is.
    mov ecx, esp  ; this satisfies the requirements for argv (second argument of execve)
    mov al, 11    ; execve syscall number, 0xb works also.
    int 0x80      ; initiate
GotoCall:
    call shellcode
It's funny, because this shellcode works exactly with the "Shellcode Test" program in C when I put the opcodes there, and it completely works alone too.
Please tell me why the first "shellcode" doesn't work alone and the second one does.
Upvotes: 0
Views: 127
Reputation: 58578
char shellcode[] defines a mutable static array.
db defines storage that is in the .text section of the program. On GNU/Linux, that is not writable; the program text is mapped into pages of virtual memory that are marked read-only.
A fix would be to stick the null byte into the db definition, rather than trying to put it in there at run-time.
Upvotes: 2
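One way to confirm the point above from inside a process, as an added example that is not code from the question or the answer: look up the address in /proc/self/maps and read the permission column. The parser runs on a constructed maps sample shaped like the question's 32-bit binary (.text r-xp, .data rw-p); the live check assumes a Linux procfs.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
/* Classify addr against the text of /proc/self/maps ("start-end perms ..." per line):
 * 1 = inside a writable mapping, 0 = inside a non-writable mapping, -1 = unmapped. */
int addr_writable_in(const char *maps, uintptr_t addr)
{
    const char *line = maps;
    while (line && *line) {
        unsigned long start, end;
        char perms[8];
        if (sscanf(line, "%lx-%lx %7s", &start, &end, perms) == 3 &&
            addr >= start && addr < end)
            return perms[1] == 'w';     /* second char of "rwxp" is the write bit */
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}
/* Same check against the running process; needs Linux procfs (assumption). */
int addr_writable(const void *p)
{
    static char buf[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    buf[n] = '\0';
    fclose(f);
    return addr_writable_in(buf, (uintptr_t)p);
}
/* Constructed sample (not a real capture) of a 32-bit non-PIE layout like the
 * question's assembled binary: .text r-xp, .data rw-p, stack rw-p. */
const char SAMPLE_MAPS[] =
    "08048000-08049000 r-xp 00000000 08:01 1234       /tmp/shellcode\n"
    "08049000-0804a000 rw-p 00001000 08:01 1234       /tmp/shellcode\n"
    "bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]\n";
/* The two cases the answer contrasts: a mutable static array (like char
 * shellcode[], placed in .data) and bytes kept in a read-only section (like db in .text). */
char data_bytes[] = "/bin/sh";
const char *ro_bytes = "/bin/sh";
int main(void)
{
    printf("db bytes in .text (sample): writable=%d\n", addr_writable_in(SAMPLE_MAPS, 0x08048030));
    printf("char shellcode[] in .data:  writable=%d\n", addr_writable(data_bytes));
    printf("read-only string literal:   writable=%d\n", addr_writable(ro_bytes));
    return 0;
}
```

A write such as mov byte [edi + 7], al targets an address that this check reports as non-writable, which is the SIGSEGV seen under GDB.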