This was a C program in the beginning then converted to nasm
but no luck trying to put into shellcode format. (segment fault)
global main
extern printf
SECTION .text align=4
main:
push rbp
mov rbp, rsp
mov eax, L_001
mov rdi, rax
mov eax, 0
call printf
mov eax, 0
leave
ret
SECTION .data align=4
SECTION .bss align=4
SECTION .rodata
L_001:
db 48H, 65H, 6CH, 6CH, 6FH, 20H, 74H, 68H
db 65H, 72H, 65H, 00H
This was written on a x86_64 platform of CentOS
C wrapper program(shellcode format)
char code[] = "\x48\x65\x6c\x6c\x6f\x20\x74\x68\x65\x72\x65\x00";
int main(int argc, char **argv)
{
(*(void(*)())code)();
return 0;
}
Related
C code
#include <stdio.h>
int fibonacci(int);
int main()
{
int x = fibonacci(3);
printf("Fibonacci is : %d",x);
return 0;
}
Assembly
section .text
global fibonacci
fibonacci:
push ebp;
mov ebp, esp;
; initialize
mov dword [prev], 0x00000000;
mov dword [cur], 0x00000001;
mov byte [it], 0x01;
mov eax, dword [ebp + 8]; // n = 3
mov byte [n], al;
getfib:
xor edx,edx;
mov dl, byte [n];
cmp byte [it] , dl;
jg loopend;
mov eax,dword [prev];
add eax, dword [cur];
mov ebx, dword [cur];
mov dword [prev], ebx;
mov dword [cur] , eax;
inc byte [it];
jmp getfib;
loopend:
mov eax, dword [cur];
pop ebp;
ret;
section .bss
it resb 1
prev resd 1
cur resd 1
n resb 1
I was trying to run this assembly function in C code and on debugging , i saw that value in variable x in C code is right but there is some error coming when i use the printf function
Need Help on it
Command to compile:
nasm -f elf32 asmcode.asm -o a.o
gcc -ggdb -no-pie -m32 a.o ccode.c -o a.out
Click Below Pictures if they seem blurred
Below is debug before printf execute
Below is after printf execute
Your code does not preserve the ebx register which is a callee-preserved register. The main function apparently tries to do some rip-relative addressing to obtain the address of the format string for printf using ebx as a base register. This fails because your code overwrote ebx.
To fix this issue, make sure to save all callee-saved registers before you use them and then restore their value on return. For example, you can do
fibonacci:
push ebp
mov ebp, esp
push ebx ; <---
...
pop ebx ; <---
pop ebp
ret
This shellcode does not work when assembled
Section .text
global _start
_start:
jmp GotoCall
shellcode:
pop edi
xor eax, eax
mov byte [edi + 7], al
lea ebx, [edi]
mov long [edi + 8], ebx
mov long [edi + 12], eax
mov byte al, 0x0b
mov ebx, edi
lea ecx, [edi + 8]
lea edx, [edi + 12]
int 0x80
GotoCall:
Call shellcode
db '/bin/shJAAAAKKKK'
This little shellcode will work in this C program called "Shellcode tester".
#shellcode tester
char shellcode[] = "\xe9\x1a\x00\x00\x00\x5f\x31\xc0\x88\x47\x07\x8d\x1f\x89\x5f\x08\x89\x47\x0c\xb0\x0b\x89\xfb\x8d\x4f\x08\x8d\x57\x0c\xcd\x80\xe8\xe1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x4a\x41\x41\x41\x41\x4b\x4b\x4b\x4b";
int main(int argc, char *argv[])
{
int (*ret)(); /* ret is a function pointer */
ret = (int(*)())shellcode; /* ret points to our shellcode */
/* shellcode is type caste as a function */
(int)(*ret)(); /* execute, as a function, shellcode[] */
exit(0); /* exit() */
}
But, it won't work when i assemble and link it,why exactly?
When i debugged it with GDB the problem was EDI Register in this line, the EDI is pointing exactly to strings that exist in stack, i mean the bytes in ascii.
mov byte [edi + 7], al
This shellcode does work when assembled
Another shellcode that i found is this
Section .text
global _start
_start:
jmp GotoCall
shellcode:
xor eax, eax ;zero out eax
push eax ;push 00000000 on to the stack
push 'n/sh' ;push hex //bin/sh on to the stack
push '//bi'
;at this point the stack contains //bin/sh0x00000000
mov ebx, esp ;this satisfies the requirements for *filename (first argument
of execve)
push eax ;push 00000000 on to the stack
;at this point the stack contains 0x00000000//bin/sh0x00000000
mov edx, esp
push ebx ;ebx contains the memory address of the stack where
//bin/sh0x00000000 is.
mov ecx, esp ;this satisfies the requirements for argv (second argument of
execve)
mov al, 11 ;execve syscall number, 0xb works also.
int 0x80 ;initiate
GotoCall:
Call shellcode
it's funny, because this shellcode program exactly works with "Shellcode Test" program in C when i put the opcodes there and completely work alone too.
Please tell me why the first "shellcode" doesn't work alone and the second one does?
char shellcode[] defines a mutable static array.
db defines storage that is in the .text section of the program. On GNU/Linux, that is not writable; the program text is mapped into pages of virtual memory that are marked read-only.
A fix would be to stick the null byte into the db definition, rather than trying to put it in there at run-time.
I was trying to overwrite the return address of main() with the address of the shellcode that I wrote in assembly.
My assembly program :
ExitShell.asm
SECTION .text
global _start
_start:
jmp short shellOffset
Shellcode:
pop esi
lea ecx, [esi]
mov dl, 12
mov bl, 1
mov al, 4
int 0x80
mov bl, 20
mov al, 1
int 0x80
shellOffset:
call Shellcode
msg db "Hello World",0xa
My .c file in which I am overwriting the return address :
ShellCode.c
#include<stdio.h>
char shellcode[] = "\xeb\x11\x5e\x8d\x0e\xb2\x0c\xb3\x01\xb0\x04\xcd\x80"\
"\xb3\x14\xb0\x01\xcd\x80\xe8\xea\xff\xff\xff"\
"\x48\x65\x6c\x6c\x6f\x20\x57\x6f\x72\x6c\x64\x0a";
void main()
{
int *ret;
ret = (int *)&ret + 2;
(*ret) = (int)shellcode;
}
I compiled the program with the following command :
gcc -O0 -o sh ShellCode.c -fno-stack-protector -zexec -fno-asynchronous-unwind-tables -g
When I executed the program, I received the segmentation fault error. Loading the program into gdb, I found that it was giving the error at ret statement in assembly
Dump of assembler code for function main:
0x080483b4 <+0>: push %ebp
0x080483b5 <+1>: mov %esp,%ebp
0x080483b7 <+3>: sub $0x10,%esp
0x080483ba <+6>: lea -0x4(%ebp),%eax
0x080483bd <+9>: add $0x8,%eax
0x080483c0 <+12>: mov %eax,-0x4(%ebp)
0x080483c3 <+15>: mov -0x4(%ebp),%eax
0x080483c6 <+18>: mov $0x804a040,%edx
0x080483cb <+23>: mov %edx,(%eax)
0x080483cd <+25>: leave
=> 0x080483ce <+26>: ret
What is the issue? I am new to this.
This can have many reasons. You disabled the stack smashing detector, but that doesn't mean, that ret in main is going to be allocated right after the return address. The compiler and linker have some leeway in aligning the variables' addresses to improve performance or to satisfy CPU alignment requirements.
Another issue is, that shellcode will be placed in the .data segment, which may be set nonexecutable, so main returning to shellcode would trigger that trap.
I have written a simple c code in visual studio. Here is the code ..
#include<stdio.h>
int global;
int onemore=5;
int main(){
int local;
static int slocal;
return 0;
}
and here is it's assembly after compiling in visual studio ..
; Listing generated by Microsoft (R) Optimizing Compiler Version 15.00.21022.08
TITLE c:\Users\amit_bhaira\Documents\Visual Studio 2008\Projects\AssOneQuestion1\AssOneQuestion1\question1.c
.686P
->.XMM
->include listing.inc
->.model flat
->INCLUDELIB MSVCRTD
INCLUDELIB OLDNAMES
PUBLIC _onemore
_DATA SEGMENT
COMM _global:DWORD
_onemore DD 05H
_DATA ENDS
PUBLIC _main
->EXTRN__RTC_Shutdown:PROC
->EXTRN__RTC_InitBase:PROC
; COMDAT rtc$TMZ
; File c:\users\amit_bhaira\documents\visual studio 2008\projects\assonequestion1\assonequestion1\question1.c
rtc$TMZ SEGMENT
->__RTC_Shutdown.rtc$TMZ DD FLAT:__RTC_Shutdown
rtc$TMZ ENDS
; COMDAT rtc$IMZ
rtc$IMZ SEGMENT
__RTC_InitBase.rtc$IMZ DD FLAT:__RTC_InitBase
; Function compile flags: /Odtp /RTCsu /ZI
rtc$IMZ ENDS
; COMDAT _main
_TEXT SEGMENT
_main PROC ; COMDAT
; 4 : int main(){
push ebp
mov ebp, esp
sub esp, 204 ; 000000ccH
->push ebx
->push esi
->push edi //why these(ebx,esi and edi) registers are pushed into the stack ??
lea edi, DWORD PTR [ebp-204]
mov ecx, 51 ; 00000033H
mov eax, -858993460 ; ccccccccH
rep stosd
; 5 : int local;
; 6 : ->static int slocal;
; 7 : return 0;
xor eax, eax
; 8 : }
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
ret 0
_main ENDP
_TEXT ENDS
END
I have put an arrow(->) in front of the lines that I didn't get. So please explain them.
Though I have taken a static variable inside the main method but no special steps are taken by the
compiler, what is that suppose to mean. Static varialbe is also going to be handled like other local
variable, no special storage for static variable. If Yes then how is the memory of static variable is preserved for the next function call ??
I need to get my char pointer and after that i print it on the screen to see if it works ok.
I read the text from a file and put in my char pointer (sizeof(char*) + filesize) + 1.. in the end i put the '\0'.
If i printf my char* its fine
Here is my asm code
; void processdata(char* filecontent);
section .text
global processdata
extern printf
section .data
FORMAT: db '%c', 10, 0 ; to break the line 10, 0
processdata:
push ebp
mov ebp, esp
mov ebx, [ebp]
push ebx
push FORMAT
call printf
add esp, 8
when i run it i just see trash in my variable.
As violet said:
; void processdata(char* filecontent);
section .text
[GLOBAL processdata] ;global processdata
extern printf
section .data
FORMAT: db '%c', 0
EQUAL: db "is equal", 10, 0
processdata:
lea esi, [esp]
mov ebx, FORMAT
oook:
mov eax, [esi]
push eax
push ebx
call printf
inc esi
cmp esi, 0x0
jnz oook
Thanks
quote demonofnight
But if i need to increment, can i do that?
Using your original function arg of char* and your %c format, something like this:
lea esi, [esp+4]
mov ebx, FORMAT
oook:
mov eax, [esi]
push eax
push ebx
call printf
inc esi
cmp [esi], 0x0
jnz oook
[edit: ok sry, i hacked that quickly into some shenzi winOS inline __asm block]
here's a complete thing done in linux and nasm:
; ----------------------------------------------------------------------------
; blah.asm
; ----------------------------------------------------------------------------
extern printf
SECTION .data ;local variables
fmt: db "next char:%c", 10, 0 ;printf format, "\n",'0'
SECTION .text ;hack in some codes XD
global foo
foo: ;foo entry
push ebp ;set up stack frame
mov ebp,esp
mov esi, [ebp+8] ;load the input char array to the source index
oook: ;loop while we have some chars
push dword [esi] ;push next char addy in string to stack
push dword fmt ;push stored format string to stack
call printf
add esp, 8 ;restore stack pointer
inc esi ;iterate to next char
cmp byte [esi], 0 ;test for null terminator byte
jnz oook
mov esp, ebp ;restore stack frame
pop ebp
mov eax,0 ;return 0
ret ;done
blah.c (that invokes the .asm foo) :
/*-----------------------------------------------
blah.c
invokes some asm foo
------------------------------------------------*/
#include <stdio.h>
void foo(char*);
int main() {
char sz[]={"oook\n"};
foo(sz);
return 0;
}
&here's the commandline stuff:
$ nasm -f elf blah.asm -o blah.o
$ gcc -o blah blah.c blah.o
$ ./blah
next char:o
next char:o
next char:o
next char:k
next char:
$
$ nasm -v
NASM version 2.09.08 compiled on Apr 30 2011
$ uname -a
Linux violet-313 3.0.0-17-generic #30-Ubuntu SMP Thu Mar 8 17:34:21 UTC 2012 i686 i686 i386 GNU/Linux
Hope it works for you ;)
On linux x86 the first function parameter is in ecx. The printf format for printing a pointer is "%p".
So something along
...
FORMAT: db '%p', 10, 0 ; to break the line 10, 0
processdata:
mov eax, [esp+4]
push eax
push format
call printf
add esp, 8
ret
should work, assuming the rest of your code is correct and your are using gcc's calling convention.
This is assuming that the pointer you want to print is on the stack.
The reason for the crash is probably that you push 12 bytes on the stack, but correct the stack pointer by only 8.