Linux security requirements for executing shellcode

I'm learning the basics of computer security, and I'm trying to execute some shellcode that I wrote. I followed the steps given here.

http://dl.packetstormsecurity.net/papers/shellcode/own-shellcode.pdf

http://webcache.googleusercontent.com/search?q=cache:O3uJcNhsksAJ:dl.packetstormsecurity.net/papers/shellcode/own-shellcode.pdf+own+shellcode&cd=1&hl=nl&ct=clnk&gl=nl

    $ cat pause.s
    xor %eax,%eax
    mov $29,%al
    int $0x80
    $ as -o pause.o pause.s
    $ ld -o pause pause.o
    ld: warning: cannot find entry symbol _start; defaulting to <<some address here>>
    $ ./pause
    ^C
    $ objdump -d ./pause

    pause:     file format elf64-x86_64

    Disassembly of section .text:

    08048054 <.text>:
     8048054:   31 c0    xor %eax,%eax
     8048056:   b0 1d    mov $0x1d,%al
     8048058:   cd 80    int $0x8
    $

Since I got my program to pause, I just copied the output of objdump into the c file.

test.c:

    int main()
    {
        char s[] = "\x31\xc0\xb0\x1d\xcd\x80";
        (*(void(*)())s)();
    }

But this creates a segfault. Now this can only be associated with Arch Linux security measures (?). So how can I make this work?

+1
2 answers

The page s lives in is not mapped with execute permissions. Since you are on x86_64, you definitely have NX hardware support. By default, these days the code and data live on separate pages, and the data does not have permission to execute.

You can get around this with mmap() or mprotect() to place or modify pages to allow PROT_EXEC permission.

+6
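The mmap()/mprotect() approach from the answer above, as an added example that is not part of the original thread: it maps a page read/write, copies a constructed stub that only returns 42 into it, switches the page to read/execute, and reads /proc/self/maps to show the permissions before and after next to those of the stack. The names `perms_of` and `run_from_exec_page` are hypothetical, and `__builtin___clear_cache` assumes GCC or Clang.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed, harmless payload: returns 42 to its caller. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char code[] = { 0xb8, 0x2a, 0, 0, 0, 0xc3 };  /* mov $42,%eax; ret */
#elif defined(__aarch64__)
static const unsigned char code[] = { 0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 };  /* mov w0,#42; ret */
#endif

/* Copy the /proc/self/maps permission field of the mapping that holds addr. */
static int perms_of(const void *addr, char out[5])
{
    FILE *f = fopen("/proc/self/maps", "r");
    unsigned long lo, hi, a = (unsigned long)addr;
    char line[512];
    int rc = -1;
    if (!f) return -1;
    while (rc && fgets(line, sizeof line, f))
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, out) == 3 && a >= lo && a < hi) rc = 0;
    fclose(f);
    return rc;
}

/* Map a page read/write, copy the bytes in, flip it to read/execute, then call it. */
static int run_from_exec_page(char before[5], char after[5])
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, code, sizeof code);
    perms_of(page, before);                      /* "rw-p": writable, not executable */
    if (mprotect(page, len, PROT_READ | PROT_EXEC) != 0) { munmap(page, len); return -1; }
    __builtin___clear_cache((char *)page, (char *)page + sizeof code);
    perms_of(page, after);                       /* "r-xp": executable, no longer writable */
    int rc = ((int (*)(void))page)();
    munmap(page, len);
    return rc;
}

int main(void)
{
    char s[8] = {0}, ps[5] = "?", b[5] = "?", a[5] = "?";
    int rc = run_from_exec_page(b, a);
    perms_of(s, ps);                             /* stack mapping, normally "rw-p" */
    printf("stack %s | page before %s, after %s | returned %d\n", ps, b, a, rc);
}
```

The page is never writable and executable at the same time, so this builds without `-z execstack`.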

You can also use #define to define your shellcode. Thus, the pre-processor will embed the code directly in main:

    #define SHELLCODE "\x31\xc0\xb0\x1d\xcd\x80"

    int main()
    {
        (*(void(*)())SHELLCODE)();
    }

An older shellcode style does not work on newer systems due to security concerns. You may also have to compile with stack protection disabled:

    gcc -z execstack -fno-stack-protector shellcode.c -o shellcode

Here is a fully working example that uses the exit system call that I tested on the 3.2.0.3 x86_64 kernel:

    #include <stdio.h>

    /* mov $60,%rax (exit); mov $999,%rdi; syscall */
    #define SHELLCODE "\x48\xc7\xc0\x3c\x00\x00\x00\x48\xc7\xc7\xe7\x03\x00\x00\x0f\x05"

    int main()
    {
        int (*function)();

        // cast shellcode as a function
        function = (int(*)())SHELLCODE;

        // execute shellcode function
        (int)(*function)();

        return 0;
    }

Shellcode uses 64-bit registers, so it will not work on a 32-bit machine. To make sure the code works, you can check it with strace:

    strace shellcode
    execve("./shellcode", ["shellcode"], [/* 38 vars */]) = 0
    ....
    munmap(0x7ffff7fd5000, 144436) = 0
    _exit(999)    <---- we passed 999 to exit, our shellcode works!

0

Source: https://habr.com/ru/post/1239335/

