basic shellcode - why it runs on my system, if .data is not executable
#1 (06-05-2012)

Greetings,

Suppose we have this piece of code, on Linux/i686
(my machine is Slackware Linux 13.1, 32 bit):

Code:

    char sc[]=                 /* 24 bytes                       */
        "\x31\xc0"             /* xorl    %eax,%eax              */
        "\x50"                 /* pushl   %eax                   */
        "\x68""//sh"           /* pushl   $0x68732f2f            */
        "\x68""/bin"           /* pushl   $0x6e69622f            */
        "\x89\xe3"             /* movl    %esp,%ebx              */
        "\x50"                 /* pushl   %eax                   */
        "\x53"                 /* pushl   %ebx                   */
        "\x89\xe1"             /* movl    %esp,%ecx              */
        "\x99"                 /* cdql                           */
        "\xb0\x0b"             /* movb    $0x0b,%al              */
        "\xcd\x80"             /* int     $0x80                  */
    ;

    main() {
        int *ret;

        ret = (int *)&ret + 2;
        *ret = sc;
    }

What happens in the shellcode sc[] is a system call to execve, for /bin/sh. The question is: WHY does this program work? Because if we compile it, and run pmap and gdb on it, we can see a read & exec page, from virtual address 0x08048000, the page in which the function main() exists, and we see another page, read & write (but no exec), from address 0x08049000, in which sc[] exists.

In main, the only thing we do is to overwrite the return-address of main() with the address of sc[], which is in a non-executable page.

Question 1: So, WHY does it work on my Slackware 13.1 system?

(On other systems, like Ubuntu, it seems it doesn't work unless we make the stack executable with execstack.)

(Slackware Linux 13.1: Linux kernel 2.6.33, GCC 4.4.4, /proc/sys/kernel/randomize_va_space == 1)


Question 2:

Suppose we have this code:
Code:

    #include <stdio.h>

    char sc[]=                 /* 24 bytes                       */
        "\x31\xc0"             /* xorl    %eax,%eax              */
        "\x50"                 /* pushl   %eax                   */
        "\x68""//sh"           /* pushl   $0x68732f2f            */
        "\x68""/bin"           /* pushl   $0x6e69622f            */
        "\x89\xe3"             /* movl    %esp,%ebx              */
        "\x50"                 /* pushl   %eax                   */
        "\x53"                 /* pushl   %ebx                   */
        "\x89\xe1"             /* movl    %esp,%ecx              */
        "\x99"                 /* cdql                           */
        "\xb0\x0b"             /* movb    $0x0b,%al              */
        "\xcd\x80"             /* int     $0x80                  */
    ;

    main() {
        int *ret;

        ret = (int *)&ret + 2;
        *ret = sc;

        printf("Security\n");
    }

Why doesn't it work? Why don't we get a shell prompt? (Compared to question 1.) The only thing that is different is the call to printf, so the modified return address of main remains untouched after printf().

References: http://www.enderunix.org/docs/en/bof-eng.txt, Phrack Magazine.

Thank you for your help.
A.
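A small diagnostic for the pmap observation in question 1, added here as an example and not part of the original post or the original poster's code: it parses /proc/self/maps (Linux only) to report the permission string of the mapping that contains a given address, so the flags the kernel recorded for the page holding main() and for a .data buffer can be read from inside the process itself. The buffer data_buf and the helper names are constructed for this example.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample object living in .data; it is only inspected, never run. */
char data_buf[] = "sample .data object";

/* Find the mapping that contains address a in /proc/self/maps and copy its
 * permission field ("rw-p", "r-xp", ...) into out (at least 5 bytes).
 * Returns 0 on success, -1 if the file is unreadable or a is unmapped. */
int vma_perms(uintptr_t a, char *out)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512], perms[5];
    unsigned long lo, hi;
    int found = -1;
    if (!f)
        return -1;
    /* Each line starts with "start-end perms", e.g. "08049000-0804a000 rw-p". */
    while (found && fgets(line, sizeof line, f)) {
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) == 3 && a >= lo && a < hi) {
            memcpy(out, perms, 5);
            found = 0;
        }
    }
    fclose(f);
    return found;
}

/* 1 if the mapping holding a carries the 'x' flag, 0 if not, -1 on error. */
int is_exec_mapped(uintptr_t a)
{
    char p[5];
    return vma_perms(a, p) == 0 ? p[2] == 'x' : -1;
}

int main(void)
{
    char p[5];
    uintptr_t probes[2] = { (uintptr_t)main, (uintptr_t)data_buf };
    const char *names[2] = { "main()", "data_buf[]" };
    for (int i = 0; i < 2; i++) {
        if (vma_perms(probes[i], p) == 0)
            printf("%-10s at %#lx: %s\n", names[i], (unsigned long)probes[i], p);
        else
            printf("%-10s: mapping not found\n", names[i]);
    }
    return 0;
}
```

An "rw-" result only tells you what the kernel recorded for that VMA; whether the CPU actually refuses to fetch instructions from it depends on NX being available to and enabled by the running kernel, which is the thing to verify when a non-executable page behaves as though it were executable.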
#2 (06-14-2012)
The CPU type being compiled for may have an effect here.
#3 (06-14-2012)
Because you change what is on the stack at exit.

Try reading J Koziol 'Shellcoders Handbook'. If I were you I'd avoid phrack.