1

I'm trying to execute this simple opcode for exit(0) call by overwriting the return address of main. The problem is I'm getting segmentation fault.

#include <stdio.h>

char shellcode[]= "/0xbb/0x14/0x00/0x00/0x00"
                  "/0xb8/0x01/0x00/0x00/0x00"
                  "/0xcd/0x80";

void main()
{
      int *ret;

      ret = (int *)&ret + 2; // +2 to get to the return address on the stack

      (*ret) = (int)shellcode;   

}

Execution result in Segmentation error.

[user1@fedo BOF]$ gcc -o ExitShellCode ExitShellCode.c

[user1@fedo BOF]$ ./ExitShellCode

Segmentation fault (core dumped)

This is the Objdump of the shellcode.a

[user1@fedo BOF]$ objdump -d exitShellcodeaAss

exitShellcodeaAss:     file format elf32-i386


Disassembly of section .text:

08048054 <_start>:
 8048054:       bb 14 00 00 00          mov    $0x14,%ebx
 8048059:       b8 01 00 00 00          mov    $0x1,%eax
 804805e:       cd 80                   int    $0x80

System I'm using

fedora Linux 3.1.2-1.fc16.i686 
ASLR is disabled.
Debugging with GDB.
gcc version 4.6.2
Improve this question
2
  • possible duplicate of shellcodes not working Commented Dec 13, 2011 at 12:02
  • Actually Different problem, I've just fixed it, but I don't know why. The problem was with the +2, changed it to 1. Commented Dec 13, 2011 at 12:18

5 Answers 5

Reset to default
2

mmm maybe it is to late to answer to this question, but they might be a passive syntax error. It seems like thet shellcode is malformed, I mean:

char shellcode[]= "/0xbb/0x14/0x00/0x00/0x00"
                  "/0xb8/0x01/0x00/0x00/0x00"
                  "/0xcd/0x80";

its not the same as:

char shellcode[]= "\xbb\x14\x00\x00\x00"
                  "\xb8\x01\x00\x00\x00"
                  "\xcd\x80";

although this fix won't help you solving this problem, but have you tried disabling some kernel protection mechanism like: NX bit, Stack Randomization, etc... ?

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

Based on two other questions, namely How to determine return address on stack? and C: return address of function (mac), i'm confident that you are not overwriting the correct address. This is basically caused due to your assumption, that the return address can be determined in the way you did it. But as the answer to thefirst question (1) states, this must not be the case.

Therefore:

  1. Check if the address is really correct
  2. Find a way for determining the correct return address, if you do not want to use the builtin GCC feature
Improve this answer

Comments

0

You can also execute shellcode like in this scenario, by casting the buffer to a function like

(*(int(*)()) shellcode)();
Improve this answer

Comments

0

If you want the shellcode be executed in the stack you must compile without NX (stack protector) and with correct permissions.

gcc -fno-stack-protector -z execstack shellcode.c -o shellcode

E.g.

#include <stdio.h>
#include <string.h>

const char code[] ="\xbb\x14\x00\x00\x00"
              "\xb8\x01\x00\x00\x00"
              "\xcd\x80";


int main()
{
    printf("Length: %d bytes\n", strlen(code));
    (*(void(*)()) code)();
    return 0;
}

If you want to debug it with gdb:

[manu@debian /tmp]$ gdb ./shellcode 
GNU gdb (Debian 7.7.1+dfsg-5) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
...
Reading symbols from ./shellcode...(no debugging symbols found)...done.
(gdb) b *&code
Breakpoint 1 at 0x4005c4
(gdb) r
Starting program: /tmp/shellcode 
Length: 2 bytes

Breakpoint 1, 0x00000000004005c4 in code ()
(gdb) disassemble 
Dump of assembler code for function code:
=> 0x00000000004005c4 <+0>: mov    $0x14,%ebx
   0x00000000004005c9 <+5>: mov    $0x1,%eax
   0x00000000004005ce <+10>:    int    $0x80
   0x00000000004005d0 <+12>:    add    %cl,0x6e(%rbp,%riz,2) 
End of assembler dump.

In this proof of concept example is not important the null bytes. But when you are developing shellcodes you should keep in mind and remove the bad characters.

Improve this answer

Comments

-1

Shellcode cannot have Zeros on it. Remove the null characters.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.