Hannah Duff
Hannah Duff

Reputation: 13

Execution of function pointer to Shellcode

I'm trying to execute this simple opcode for exit(0) call by overwriting the return address of main. The problem is I'm getting segmentation fault.

#include <stdio.h>

char shellcode[]= "/0xbb/0x14/0x00/0x00/0x00"
                  "/0xb8/0x01/0x00/0x00/0x00"
                  "/0xcd/0x80";

void main()
{
      int *ret;

      ret = (int *)&ret + 2; // +2 to get to the return address on the stack

      (*ret) = (int)shellcode;   

}

Execution result in Segmentation error.

[user1@fedo BOF]$ gcc -o ExitShellCode ExitShellCode.c

[user1@fedo BOF]$ ./ExitShellCode

Segmentation fault (core dumped)

This is the Objdump of the shellcode.a

[user1@fedo BOF]$ objdump -d exitShellcodeaAss

exitShellcodeaAss:     file format elf32-i386


Disassembly of section .text:

08048054 <_start>:
 8048054:       bb 14 00 00 00          mov    $0x14,%ebx
 8048059:       b8 01 00 00 00          mov    $0x1,%eax
 804805e:       cd 80                   int    $0x80

System I'm using

fedora Linux 3.1.2-1.fc16.i686 
ASLR is disabled.
Debugging with GDB.
gcc version 4.6.2

Upvotes: 1

Views: 6266

Answers (5)

sinkmanu
sinkmanu

Reputation: 1112

If you want the shellcode be executed in the stack you must compile without NX (stack protector) and with correct permissions.

gcc -fno-stack-protector -z execstack shellcode.c -o shellcode

E.g.

#include <stdio.h>
#include <string.h>

const char code[] ="\xbb\x14\x00\x00\x00"
              "\xb8\x01\x00\x00\x00"
              "\xcd\x80";


int main()
{
    printf("Length: %d bytes\n", strlen(code));
    (*(void(*)()) code)();
    return 0;
}

If you want to debug it with gdb:

[manu@debian /tmp]$ gdb ./shellcode 
GNU gdb (Debian 7.7.1+dfsg-5) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
...
Reading symbols from ./shellcode...(no debugging symbols found)...done.
(gdb) b *&code
Breakpoint 1 at 0x4005c4
(gdb) r
Starting program: /tmp/shellcode 
Length: 2 bytes

Breakpoint 1, 0x00000000004005c4 in code ()
(gdb) disassemble 
Dump of assembler code for function code:
=> 0x00000000004005c4 <+0>: mov    $0x14,%ebx
   0x00000000004005c9 <+5>: mov    $0x1,%eax
   0x00000000004005ce <+10>:    int    $0x80
   0x00000000004005d0 <+12>:    add    %cl,0x6e(%rbp,%riz,2) 
End of assembler dump.

In this proof of concept example is not important the null bytes. But when you are developing shellcodes you should keep in mind and remove the bad characters.

Upvotes: 0

Carlos
Carlos

Reputation: 1

Shellcode cannot have Zeros on it. Remove the null characters.

Upvotes: -1

yeyo
yeyo

Reputation: 3009

mmm maybe it is to late to answer to this question, but they might be a passive syntax error. It seems like thet shellcode is malformed, I mean:

char shellcode[]= "/0xbb/0x14/0x00/0x00/0x00"
                  "/0xb8/0x01/0x00/0x00/0x00"
                  "/0xcd/0x80";

its not the same as:

char shellcode[]= "\xbb\x14\x00\x00\x00"
                  "\xb8\x01\x00\x00\x00"
                  "\xcd\x80";

although this fix won't help you solving this problem, but have you tried disabling some kernel protection mechanism like: NX bit, Stack Randomization, etc... ?

Upvotes: 2

user1064504
user1064504

Reputation: 593

You can also execute shellcode like in this scenario, by casting the buffer to a function like

(*(int(*)()) shellcode)();

Upvotes: 0

Sebastian
Sebastian

Reputation: 8164

Based on two other questions, namely How to determine return address on stack? and C: return address of function (mac), i'm confident that you are not overwriting the correct address. This is basically caused due to your assumption, that the return address can be determined in the way you did it. But as the answer to thefirst question (1) states, this must not be the case.

Therefore:

  1. Check if the address is really correct
  2. Find a way for determining the correct return address, if you do not want to use the builtin GCC feature

Upvotes: 0

Related Questions