
I'm learning the basics of computer security and I'm trying to execute some shellcode I've written. I followed the steps given here

http://dl.packetstormsecurity.net/papers/shellcode/own-shellcode.pdf

http://webcache.googleusercontent.com/search?q=cache:O3uJcNhsksAJ:dl.packetstormsecurity.net/papers/shellcode/own-shellcode.pdf+own+shellcode&cd=1&hl=nl&ct=clnk&gl=nl

$ cat pause.s
xor %eax,%eax
mov $29,%al
int $0x80
$ as -o pause.o pause.s
$ ld -o pause pause.o
ld: warning: cannot find entry symbol _start; defaulting to <<some address here>>
$ ./pause
^C
$ objdump -d ./pause
pause:     file format elf64-x86_64
Disassembly of section .text:
      08048054 <.text>:
      8048054: 31 c0     xor    %eax,%eax
      8048056: b0 1d     mov    $0x1d,%al
      8048058: cd 80     int    $0x80
$

Since I got my pause program to work, I just copied the objdump output to a C file.

test.c:

int main()
{
    char s[] = "\x31\xc0\xb0\x1d\xcd\x80";
    (*(void(*)())s)();
}

But this produces a segfault. Now, this can only be due to security measures of Arch Linux (?). So how can I get this to work?
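The "copy the objdump output into a C file" step above is easy to get wrong by hand (a dropped digit, as in the truncated `int $0x8` in the pasted listing). As an added example that is not part of the question or either answer, here is a small C tool that does that copy mechanically: it parses `objdump -d` output, keeps only the opcode bytes of instruction lines, emits them as a `"\x.."` C literal, and counts embedded NUL bytes. The sample listing is constructed from the question (with the tab separators objdump really prints); the function names `extract_bytes`, `to_c_literal` and `count_nul` are chosen here, not taken from the page.

```c
/* Added example, not from the question or the answers: extract opcode bytes
 * from `objdump -d` output and emit them as a C string literal. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input: the listing from the question, with the tab
 * separators objdump prints between address, bytes and mnemonic. */
static const char OBJDUMP_SAMPLE[] =
    "pause:     file format elf64-x86_64\n"
    "\n"
    "Disassembly of section .text:\n"
    "\n"
    "08048054 <.text>:\n"
    " 8048054:\t31 c0                \txor    %eax,%eax\n"
    " 8048056:\tb0 1d                \tmov    $0x1d,%al\n"
    " 8048058:\tcd 80                \tint    $0x80\n";

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    return c - 'a' + 10;   /* caller has already checked isxdigit() */
}

/* Parse one listing line [s, e). Instruction lines look like
 * "  addr:<tab>xx xx xx<tab>mnemonic ..."; any other line yields 0 bytes. */
static size_t parse_line(const char *s, const char *e, unsigned char *out, size_t cap) {
    const char *colon = memchr(s, ':', (size_t)(e - s));
    if (!colon) return 0;
    for (const char *p = s; p < colon; p++)     /* address field: hex digits and padding only */
        if (!isxdigit((unsigned char)*p) && *p != ' ') return 0;
    size_t n = 0;
    const char *p = colon + 1;
    for (;;) {
        while (p < e && (*p == ' ' || *p == '\t')) p++;
        if (p + 1 >= e) break;                                   /* need two characters */
        if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1])) break;
        if (p + 2 < e && p[2] != ' ' && p[2] != '\t') break;     /* "add", "dec" ... are mnemonics, not bytes */
        if (n == cap) break;
        out[n++] = (unsigned char)((hexval(p[0]) << 4) | hexval(p[1]));
        p += 2;
    }
    return n;
}

/* Walk the whole listing; return the number of opcode bytes written to out. */
size_t extract_bytes(const char *listing, unsigned char *out, size_t cap) {
    size_t n = 0;
    const char *s = listing;
    while (*s) {
        const char *e = strchr(s, '\n');
        if (!e) e = s + strlen(s);
        n += parse_line(s, e, out + n, cap - n);
        s = (*e == '\n') ? e + 1 : e;
    }
    return n;
}

/* Render bytes as "\xNN\xNN..."; returns chars written (excluding the NUL), 0 if dst is too small. */
size_t to_c_literal(const unsigned char *b, size_t n, char *dst, size_t dstcap) {
    if (dstcap < 4 * n + 1) return 0;
    for (size_t i = 0; i < n; i++) sprintf(dst + 4 * i, "\\x%02x", b[i]);
    dst[4 * n] = '\0';
    return 4 * n;
}

/* NUL bytes are fine in a char[] initializer but break anything that copies
 * the code with strcpy()-style functions, so report them. */
size_t count_nul(const unsigned char *b, size_t n) {
    size_t c = 0;
    for (size_t i = 0; i < n; i++) c += (b[i] == 0);
    return c;
}

int main(void) {
    unsigned char code[256];
    char lit[4 * sizeof code + 1];
    size_t n = extract_bytes(OBJDUMP_SAMPLE, code, sizeof code);
    to_c_literal(code, n, lit, sizeof lit);
    printf("%zu bytes, %zu NUL: \"%s\"\n", n, count_nul(code, n), lit);
    return 0;
}
```

Feed it the real listing (`objdump -d ./pause | ./extract`) by reading stdin instead of the embedded sample; the parser only trusts lines whose address field is all hex digits, so section headers and symbol lines are skipped.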

  • possibly the page s lives in isn't mapped with execute permissions? since you're x86_64 you definitely have NX support in hardware. Commented Sep 15, 2011 at 14:01
  • Replaced link by a 'safer' link to a google doc. Can you confirm that it is the same document? The other link froze PC using adobe reader 9.1.0 Commented Sep 15, 2011 at 14:03
  • @awoodland Right you are! I certainly did not know anything about NX bit. For anyone looking to map exec permissions (using mmap), instructions are here: thexploit.com/tag/shellcode Commented Sep 15, 2011 at 14:23
  • @sehe I can't open the link you posted. I've reverted it back to the original. Perhaps it's Adobe? Commented Sep 15, 2011 at 14:24
  • @Ram: well duh. What else. Kindly put up a warning? I don't think it is acceptable to post documents that have DoS potential. Especially not in posts that are about shellcode exploits. Commented Sep 15, 2011 at 14:29

2 Answers


The page s lives in isn't mapped with execute permissions. Since you're on x86_64 you definitely have NX support in hardware. By default these days code and data live in very separate pages, with data not having the execute permission.

You can work around this with either mmap() or mprotect() to allocate or alter pages to have the PROT_EXEC permission.
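The mmap()/mprotect() route described in this answer, as an added example that is not part of the answer: the bytes are copied into a fresh anonymous mapping while it is read/write, the mapping is then flipped to read/execute with mprotect() (so it is never writable and executable at the same time), and the page is called through a function pointer. The payload is not the question's `int $0x80` pause shellcode, which would block the process until a signal arrives and relies on the kernel's 32-bit syscall emulation; it is `mov $42,%eax; ret` (and the equivalent on AArch64), so the call returns a value that can be checked. The name `run_code` and the `RET42` payload are chosen here.

```c
/* Added example (not from the question or either answer): execute machine code
 * from an anonymous mapping that is made executable with mprotect(). */
#define _GNU_SOURCE 1
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#if defined(__x86_64__) || defined(__i386__)
/* mov $42,%eax ; ret   (valid on both i386 and x86-64) */
static const unsigned char RET42[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };
#elif defined(__aarch64__)
/* mov w0, #42 ; ret */
static const unsigned char RET42[] = { 0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 };
#else
#error "no test payload for this architecture"
#endif

/* Copy `len` bytes of code into a fresh page, make it R+X, call it and return
 * its result. Returns -1 if the mapping or the permission change fails.
 * W^X: the page is writable first, executable afterwards, never both at once. */
int run_code(const unsigned char *code, size_t len) {
    void *page = mmap(NULL, len, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) {
        perror("mmap");
        return -1;
    }
    memcpy(page, code, len);
    if (mprotect(page, len, PROT_READ | PROT_EXEC) != 0) {
        perror("mprotect");
        munmap(page, len);
        return -1;
    }
    /* Required on ARM after writing instructions; a no-op on x86. */
    __builtin___clear_cache((char *)page, (char *)page + len);

    int (*fn)(void) = (int (*)(void))page;
    int result = fn();
    munmap(page, len);
    return result;
}

int main(void) {
    printf("code returned %d\n", run_code(RET42, sizeof RET42));
    return 0;
}
```

Compare this with the question's test.c: there the bytes sit in a stack array whose page is mapped read/write only, so the jump into it faults. Here the same kind of bytes run because the page they live in carries PROT_EXEC; `cat /proc/<pid>/maps` on the paused process shows the difference as `rw-p` versus `r-xp`.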




You can also use a #define to define your shellcode. This way the pre-processor will insert the code directly into main.

  #define SHELLCODE "\x31\xc0\xb0\x1d\xcd\x80"
  int main()
  {
      (*(void(*)())SHELLCODE)();
  }

The older style of writing shellcode doesn't work on newer systems because of security measures. You will also probably have to compile with stack protection turned off:

 gcc -z execstack -fno-stack-protector shellcode.c -o shellcode

Here is a fully working example that uses the exit system call that I've tested on 3.2.0.3 kernel x86_64:

  #include <stdio.h>

  /* mov $60,%rax ; mov $999,%rdi ; syscall   -> exit(999) */
  #define SHELLCODE "\x48\xc7\xc0\x3c\x00\x00\x00\x48\xc7\xc7\xe7\x03\x00\x00\x0f\x05"

  int main()
  {
      int (*function)();

      // cast shellcode as a function
      function = (int(*)())SHELLCODE;

      // execute shellcode function
      (*function)();
      return 0;
  }

The shellcode is using 64-bit registers, so it won't work on a 32-bit machine. To verify that the code works, you can test it with strace:

strace ./shellcode
execve("./shellcode", ["shellcode"], [/* 38 vars */]) = 0
....
munmap(0x7ffff7fd5000, 144436)          = 0
_exit(999)        <---- we passed 999 to exit, our shellcode works! 

1 Comment

I appreciate your dedication to improve the archives. Though I'm unable to verify, your answer makes sense. Thank you.
