Execution of function pointer to Shellcode

Question

I'm trying to execute this simple opcode for exit(0) call by overwriting the return address of main. The problem is I'm getting segmentation fault.

#include <stdio.h>

char shellcode[]= "/0xbb/0x14/0x00/0x00/0x00"
                  "/0xb8/0x01/0x00/0x00/0x00"
                  "/0xcd/0x80";

void main()
{
      int *ret;

      ret = (int *)&ret + 2; // +2 to get to the return address on the stack

      (*ret) = (int)shellcode;   

}

Execution result in Segmentation error.

[user1@fedo BOF]$ gcc -o ExitShellCode ExitShellCode.c

[user1@fedo BOF]$ ./ExitShellCode

Segmentation fault (core dumped)

This is the Objdump of the shellcode.a

[user1@fedo BOF]$ objdump -d exitShellcodeaAss

exitShellcodeaAss:     file format elf32-i386


Disassembly of section .text:

08048054 <_start>:
 8048054:       bb 14 00 00 00          mov    $0x14,%ebx
 8048059:       b8 01 00 00 00          mov    $0x1,%eax
 804805e:       cd 80                   int    $0x80

System I'm using

fedora Linux 3.1.2-1.fc16.i686 
ASLR is disabled.
Debugging with GDB.
gcc version 4.6.2

Answer 1

If you want the shellcode be executed in the stack you must compile without NX (stack protector) and with correct permissions.

gcc -fno-stack-protector -z execstack shellcode.c -o shellcode

E.g.

#include <stdio.h>
#include <string.h>

const char code[] ="\xbb\x14\x00\x00\x00"
              "\xb8\x01\x00\x00\x00"
              "\xcd\x80";


int main()
{
    printf("Length: %d bytes\n", strlen(code));
    (*(void(*)()) code)();
    return 0;
}

If you want to debug it with gdb:

[manu@debian /tmp]$ gdb ./shellcode 
GNU gdb (Debian 7.7.1+dfsg-5) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
...
Reading symbols from ./shellcode...(no debugging symbols found)...done.
(gdb) b *&code
Breakpoint 1 at 0x4005c4
(gdb) r
Starting program: /tmp/shellcode 
Length: 2 bytes

Breakpoint 1, 0x00000000004005c4 in code ()
(gdb) disassemble 
Dump of assembler code for function code:
=> 0x00000000004005c4 <+0>: mov    $0x14,%ebx
   0x00000000004005c9 <+5>: mov    $0x1,%eax
   0x00000000004005ce <+10>:    int    $0x80
   0x00000000004005d0 <+12>:    add    %cl,0x6e(%rbp,%riz,2) 
End of assembler dump.

In this proof of concept example is not important the null bytes. But when you are developing shellcodes you should keep in mind and remove the bad characters.

Answer 2

Shellcode cannot have Zeros on it. Remove the null characters.

Answer 3

mmm maybe it is to late to answer to this question, but they might be a passive syntax error. It seems like thet shellcode is malformed, I mean:

char shellcode[]= "/0xbb/0x14/0x00/0x00/0x00"
                  "/0xb8/0x01/0x00/0x00/0x00"
                  "/0xcd/0x80";

its not the same as:

char shellcode[]= "\xbb\x14\x00\x00\x00"
                  "\xb8\x01\x00\x00\x00"
                  "\xcd\x80";

although this fix won't help you solving this problem, but have you tried disabling some kernel protection mechanism like: NX bit, Stack Randomization, etc... ?

Answer 4

You can also execute shellcode like in this scenario, by casting the buffer to a function like

(*(int(*)()) shellcode)();

Answer 5

Based on two other questions, namely How to determine return address on stack? and C: return address of function (mac), i'm confident that you are not overwriting the correct address. This is basically caused due to your assumption, that the return address can be determined in the way you did it. But as the answer to thefirst question (1) states, this must not be the case.

Therefore:

1. Check if the address is really correct
2. Find a way for determining the correct return address, if you do not want to use the builtin GCC feature