0

Hi Stack Overflow community,

I am currently working on a CTF challenge, where I need to perform a buffer overflow on a C program and then execute a shellcode to create and write to a file. The given C program is as follows:

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char** argv)
{
    setuid(0);
    char buffer[500];
    strcpy(buffer, argv[1]);

    return 0;
}

I successfully executed a shellcode that spawns a shell using GDB and a NOP sled. However, I now want to create a shellcode that writes to a file instead. I started by writing a simple x86 assembly code for it, compiling it, and using objdump to retrieve the hex representation, but it doesn't seem to work. The program exits normally, and no file is created.

Here's the x86 assembly code I've written:

global _start
_start:
shellcode:
      jmp before_string
after_jump:
      mov ebx            ; address of "id.txt" string
      xor ecx, ecx        ; Zeroing ecx
      xor eax, eax       ; Zeroing eax
      xor edx, edx       ; Zeroing edx

      mov al, 0x05       ; Open system call
      mov ecx, 0x41       ; O_WRONLY

      mov [ebx+6], dl    ; NULL terminator for "helloworld.txt"
      int 0x80           ; call open("id.txt", 1, 0). File descriptor is returned in eax

      mov ebx, eax       ; Move file descriptor to ebx
      ;Write system call

shellcode_1:
    jmp before_write
after_jump_write:
      pop ecx            ; address of "hello" string
      xor edx, edx       ; Zeroing edx
      xor eax, eax       ; Zeroing eax
      mov [ebx+9], dl    ; NULL terminator for "helloworld.tx"
      mov edx, 0x09      ; length of "hello" string in bytes
      mov al, 0x04       ; write system call
      int 0x80           ; call write(1, "", 9)

      xor eax, eax
      xor ebx, ebx
      mov al, 0x1        ; exit system call
      int 0x80

before_string:
      call after_jump

string_open:
      db "helloworld.txt"

before_write:
      call after_jump_write

string_write:
      db "hello"

I'm not sure why the shellcode isn't working as intended. Can anyone help me identify the issue or provide any guidance on how to correctly create a shellcode to write to a file in x86 assembly after performing a buffer overflow? Any help would be much appreciated. Thank you!

Improve this question
7
  • 1
    Is the payload padded correct? Have you verified that you shellcode is executing at all? If so, what do you mean by "it isn't working as intended" ? What does it do, what isn't it doing? Commented May 4, 2023 at 16:38
  • 3
    What is mov ebx without a second parameter? Commented May 4, 2023 at 16:39
  • 1
    I assume that mov ebx is supposed to be pop ebx, to load the address pushed by call. Commented May 4, 2023 at 16:58
  • 1
    Your shellcode has some 00 bytes in it: mov ecx, 0x41 should be lea ecx, [edx+0x41] or whatever other method you want of generating a constant in a register with machine code free of zeros. Tips for golfing in x86/x64 machine code . Single-step your exploit in a debugger to see what instructions run after main returns into your buffer. Commented May 4, 2023 at 17:01
  • 2
    Did you try with a simpler shellcode? Also, in vulnerability research, the source code is almost completely irrelevant, since different compilers can emit different assembly code, not to mention different protections Commented May 6, 2023 at 17:34
Related questions
2
unable to read from file when user provides filename (x86 assembly program using nasm)
0
Why is 64-bit NASM insisting on the RSI register ? Why can't I put "hello world" into RCX register and use SYSCALL?
38
Jumping to the next "instruction" using gdb
Load 2 more related questions Show fewer related questions

0

Reset to default

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.