EggHunter not finding the egg (32bit), causing infinite loop
I have 1 example, that prints We found the egg! which works, and another the prints Hello egg! that isn't working.
Both use the same egg 0x90f890f9
I think the problem may be here:
cmp dword [ecx], 0x90f890f9 ; marker
Here is the c code:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
unsigned char egghunter[21];
void main()
{
/* works OK (We found the egg!)
"\x90\xf9\x90\xf8\x90\x68\x21\x0a\x0a\x0a\x68\x20\x65\x67\x67\x68\x20\x74\x68"
"\x65\x68\x6f\x75\x6e\x64\x68\x57\x65\x20\x66\x31\xc9\xb1\x12\x51\xb8"
"\x11\x11\x51\x08\x50\x31\xc0\x50\x54\x51\x89\xe6\x83\xc6\x14\x03\x74"
"\x24\x10\x2b\x34\x24\x56\x89\xf1\xeb\x1c\xeb\x0c\x59\x59\xe2\xe8\x31"
"\xdb\x31\xc0\xb0\x01\xcd\x80\x31\xc0\xb0\xa2\x8d\x5c\x24\x0c\x31\xc9"
"\xcd\x80\xeb\xe6\x31\xd2\xb2\x01\x31\xdb\xb3\x01\x31\xc0\xb0\x04\xcd"
"\x80\xeb\xd4";
*/
/* gives an infinite loop (suppose to print Hello egg!)
"\x90\xf9\x90\xf8\x90\xeb\x17\x31\xc0\xb0\x04\x31\xdb\xb3\x01\x59\x31\xd2\xb2\x0b\xcd\x80"
"\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xe4\xff\xff\xff\x48\x65\x6c\x6c"
"\x6f\x20\x65\x67\x67\x21\x0a";
*/
unsigned char shellcode[256] = \
"\x90\xf9\x90\xf8\x90\xeb\x17\x31\xc0\xb0\x04\x31\xdb\xb3\x01\x59\x31\xd2\xb2\x0b\xcd\x80"
"\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xe4\xff\xff\xff\x48\x65\x6c\x6c"
"\x6f\x20\x65\x67\x67\x21\x0a";
printf("Shellcode: %d bytes\n", strlen(shellcode));
strcpy(egghunter,"\xeb\x0e\x59\x83\xe9\x17\x81\x39\xf9\x90\xf8\x90\xe0\xf8\xff\xe1\xe8\xed\xff\xff\xff");
printf("Egghunter: %d bytes\n", strlen(egghunter));
int (*ret)() = (int(*)())egghunter;
ret();
}
Here is the egghunter code:
global _start
section .text
_start:
jmp call_egghunter
egghunter:
pop ecx ; save addr ptr
sub ecx, 23 ; move addr ptr back
next:
cmp dword [ecx], 0x90f890f9 ; marker
loopnz next ; dec ecx, jump
jmp ecx ; jump to shellcode
call_egghunter:
call egghunter
And the hello egg code that isn't working is:
global _start
section .text
_start:
jmp short call_shellcode
shellcode:
; print hello world on the screen
xor eax, eax
mov al, 0x4
xor ebx, ebx
mov bl, 0x1
pop ecx
xor edx, edx
mov dl, 11
int 0x80
; exit the program gracefully
xor eax, eax
mov al, 0x1
xor ebx, ebx
int 0x80
call_shellcode:
call shellcode
message: db "Hello egg!", 0xA
Your egghunter is a global variable which lives in the data section. Your shellcode is a local variable which lives on the stack. You search for the mark from egghunter downwards, however the usual layout on linux (which I assume you use due to the int 0x80) places the stack above the data section. As such, you are searching in the wrong direction, and whatever you are finding is not your shellcode. In fact, it is part of the code that does the strcpy(egghunter, literal):
0x80494fe: movl $0x90f890f9,0x80497d0
0x8049508: movl $0xe1fff8e0,0x80497d4
0x8049512: movl $0xffffede8,0x80497d8
0x804951c: movw $0xff,0x80497dc
0x8049525: movl $0x80497c8,(%esp)
Learn to use a debugger so you can step through the code and see what it is doing.
Related
I'm trying to implement a simple addition calculator, but I'm not able to store the input in my array. I'm trying to read char by char because I want to use it later to implement a backend for my B compiler (which has the getchar function that reads char by char from stdin). My code is the fallowing:
segment .data
numb db 0, 0, 0, 0
indx db 0
char db '0'
newl db 0ah
msg1 db 'enter a number: '
len1 equ $ - msg1
segment .text
global _start ; defines the entry point
print: ; push msg; push len
pop eax ; removes caller address from stack
pop edx ; gets length
pop ecx ; gets msg
push eax ; pushes CA to stack again
mov ebx , 01h ; tells that it's an output call
mov eax , 04h ; system call (write)
int 80h ; calls it
ret
getc: ; push add; push len
pop eax ; removes caller address from stack
pop ecx ; gets ouput addrress
push eax ; pushes CA to stack again
mov edx , 01h
mov ebx , 00h ; tells that it's an input call
mov eax , 03h ; system call (read)
int 80h ; calls it
ret
exit:
mov ebx , 0 ; sets exit code
mov eax , 01h ; system call (exit)
int 80h ; calls it
_start:
push msg1
push len1
call print
read:
push char
call getc
mov eax , numb
add eax , indx
mov [eax], dword char
inc byte [indx]
mov eax , char
cmp eax , newl
jne read
jmp exit ; exits program
for now I'm just trying to store the input, because I got segfaults from the complete code, so I started stripping off code until I found the error cause.
You probably don't want to insert the newline in the array, so start with checking for the newline:
read:
push char
call getc
mov al, [char]
cmp al, 10
je done
Then load the byte-sized index in an address register, remembering that AL already contains the datum, so pick another register than EAX. Also, instead of adding the array address numb and the index indx yourself, let the CPU do that for your with an addressing mode that has a displacement component ([numb + ebx]):
movzx ebx, byte [indx]
mov [numb + ebx], al
inc byte [indx]
jmp read
done:
jmp exit
There's also the possibility to define the index indx as a dword with indx dd 0. Then the code becomes:
read:
push char
call getc
mov al, [char]
cmp al, 10
je done
mov ebx, [indx]
mov [numb + ebx], al
inc dword [indx]
jmp read
done:
jmp exit
The lesson here is that NASM is different from MASM in how you address memory:
MASM
mov eax, offset MyVar ; Load address of MyVar
mov eax, MyVar ; Load value stored in MyVar
NASM
mov eax, MyVar ; Load address of MyVar
mov eax, [MyVar] ; Load value stored in MyVar
C code
#include <stdio.h>
int fibonacci(int);
int main()
{
int x = fibonacci(3);
printf("Fibonacci is : %d",x);
return 0;
}
Assembly
section .text
global fibonacci
fibonacci:
push ebp;
mov ebp, esp;
; initialize
mov dword [prev], 0x00000000;
mov dword [cur], 0x00000001;
mov byte [it], 0x01;
mov eax, dword [ebp + 8]; // n = 3
mov byte [n], al;
getfib:
xor edx,edx;
mov dl, byte [n];
cmp byte [it] , dl;
jg loopend;
mov eax,dword [prev];
add eax, dword [cur];
mov ebx, dword [cur];
mov dword [prev], ebx;
mov dword [cur] , eax;
inc byte [it];
jmp getfib;
loopend:
mov eax, dword [cur];
pop ebp;
ret;
section .bss
it resb 1
prev resd 1
cur resd 1
n resb 1
I was trying to run this assembly function in C code and on debugging , i saw that value in variable x in C code is right but there is some error coming when i use the printf function
Need Help on it
Command to compile:
nasm -f elf32 asmcode.asm -o a.o
gcc -ggdb -no-pie -m32 a.o ccode.c -o a.out
Click Below Pictures if they seem blurred
Below is debug before printf execute
Below is after printf execute
Your code does not preserve the ebx register which is a callee-preserved register. The main function apparently tries to do some rip-relative addressing to obtain the address of the format string for printf using ebx as a base register. This fails because your code overwrote ebx.
To fix this issue, make sure to save all callee-saved registers before you use them and then restore their value on return. For example, you can do
fibonacci:
push ebp
mov ebp, esp
push ebx ; <---
...
pop ebx ; <---
pop ebp
ret
This shellcode does not work when assembled
Section .text
global _start
_start:
jmp GotoCall
shellcode:
pop edi
xor eax, eax
mov byte [edi + 7], al
lea ebx, [edi]
mov long [edi + 8], ebx
mov long [edi + 12], eax
mov byte al, 0x0b
mov ebx, edi
lea ecx, [edi + 8]
lea edx, [edi + 12]
int 0x80
GotoCall:
Call shellcode
db '/bin/shJAAAAKKKK'
This little shellcode will work in this C program called "Shellcode tester".
#shellcode tester
char shellcode[] = "\xe9\x1a\x00\x00\x00\x5f\x31\xc0\x88\x47\x07\x8d\x1f\x89\x5f\x08\x89\x47\x0c\xb0\x0b\x89\xfb\x8d\x4f\x08\x8d\x57\x0c\xcd\x80\xe8\xe1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x4a\x41\x41\x41\x41\x4b\x4b\x4b\x4b";
int main(int argc, char *argv[])
{
int (*ret)(); /* ret is a function pointer */
ret = (int(*)())shellcode; /* ret points to our shellcode */
/* shellcode is type caste as a function */
(int)(*ret)(); /* execute, as a function, shellcode[] */
exit(0); /* exit() */
}
But, it won't work when i assemble and link it,why exactly?
When i debugged it with GDB the problem was EDI Register in this line, the EDI is pointing exactly to strings that exist in stack, i mean the bytes in ascii.
mov byte [edi + 7], al
This shellcode does work when assembled
Another shellcode that i found is this
Section .text
global _start
_start:
jmp GotoCall
shellcode:
xor eax, eax ;zero out eax
push eax ;push 00000000 on to the stack
push 'n/sh' ;push hex //bin/sh on to the stack
push '//bi'
;at this point the stack contains //bin/sh0x00000000
mov ebx, esp ;this satisfies the requirements for *filename (first argument
of execve)
push eax ;push 00000000 on to the stack
;at this point the stack contains 0x00000000//bin/sh0x00000000
mov edx, esp
push ebx ;ebx contains the memory address of the stack where
//bin/sh0x00000000 is.
mov ecx, esp ;this satisfies the requirements for argv (second argument of
execve)
mov al, 11 ;execve syscall number, 0xb works also.
int 0x80 ;initiate
GotoCall:
Call shellcode
it's funny, because this shellcode program exactly works with "Shellcode Test" program in C when i put the opcodes there and completely work alone too.
Please tell me why the first "shellcode" doesn't work alone and the second one does?
char shellcode[] defines a mutable static array.
db defines storage that is in the .text section of the program. On GNU/Linux, that is not writable; the program text is mapped into pages of virtual memory that are marked read-only.
A fix would be to stick the null byte into the db definition, rather than trying to put it in there at run-time.
I want to initialize a char array, but during I do this my programm crashes. Here's my code:
void kernelEnteredMsg() {
char str[] = "Kernel successfully entered!";
}
Here's the disassembly:
push ebp
mov ebp,esp
push edi
push esi
push ebx
sub esp,byte +0x30
lea edx,[ebp-0x2d]
mov ebx,0x402000 ; load an address outside my data segment
mov eax,0x1d
mov edi,edx
mov esi,ebx ; move this address to edi
mov ecx,eax
rep movsb ; here the programm crashes
add esp,byte +0x30
pop ebx
pop esi
pop edi
pop ebp
ret
I don't understand why it loads esi with 0x402000. But this seems to cause the error. Can somebody explain what happens here and how to fix it?
PS: "Kernel successful entered!" is at 0x1000 in binary file.
C code:
void kernelEnteredMsg();
void entryPoint() {
kernelEnteredMsg();
}
void kernelEnteredMsg() {
char str[] = "Kernel successfully entered!";
int size = 28;
}
Calling assembly code:
extern _entryPoint
global _main
section .text
_main: ; start of kernel
nop
; setup ds, es, ss and gs
mov ax, 16
mov ds, ax
mov es, ax
mov ss, ax
mov sp, 0x4000
mov ax, 24
mov gs, ax
mov [gs:0], dword 0x07690748 ; test graphics
call _entryPoint ; enter kernel C code
jmp $
This code does copy the string from the .text section to the local stack, because the char array is not 'const'. This may provide a simple solution if you do not need the string to be modified - just make it const char.
I don't understand why it loads esi with 0x402000.
ESI is the source of the string copy instruction 'rep movsb', EDI is the destination.
The address is constructed by IMAGE_BASE+SECTION (IIRC) in the PE file(assuming it is PE.)
Remember in the file there is a FILE_ALIGN and a SECTION_VIRTUAL_ADDRESS, so a section may be
at position 0x1000 in the file(FILE_ALIGN) and at 0x2000 in memory(VIRTUAL_ADDRESS) resulting in IMAGE_BASE+VIRTUAL_ADDRESS=0x402000.
You can use a PE explorer like CFF Explorer(http://www.ntcore.com/exsuite.php)
to display this(if it's a .bin file it may be unapplicable but it has to have some kind of format)
Another possibility may be a wrong state of the DF-Flag leading to wrong behaviour of the string copy instruction (should not happen, because the compiler should take care of this).
Try inserting
__asm__ ("cld");
before the char str[] or in the __main procedure to set string increment to 'UP'.
I need to get my char pointer and after that i print it on the screen to see if it works ok.
I read the text from a file and put in my char pointer (sizeof(char*) + filesize) + 1.. in the end i put the '\0'.
If i printf my char* its fine
Here is my asm code
; void processdata(char* filecontent);
section .text
global processdata
extern printf
section .data
FORMAT: db '%c', 10, 0 ; to break the line 10, 0
processdata:
push ebp
mov ebp, esp
mov ebx, [ebp]
push ebx
push FORMAT
call printf
add esp, 8
when i run it i just see trash in my variable.
As violet said:
; void processdata(char* filecontent);
section .text
[GLOBAL processdata] ;global processdata
extern printf
section .data
FORMAT: db '%c', 0
EQUAL: db "is equal", 10, 0
processdata:
lea esi, [esp]
mov ebx, FORMAT
oook:
mov eax, [esi]
push eax
push ebx
call printf
inc esi
cmp esi, 0x0
jnz oook
Thanks
quote demonofnight
But if i need to increment, can i do that?
Using your original function arg of char* and your %c format, something like this:
lea esi, [esp+4]
mov ebx, FORMAT
oook:
mov eax, [esi]
push eax
push ebx
call printf
inc esi
cmp [esi], 0x0
jnz oook
[edit: ok sry, i hacked that quickly into some shenzi winOS inline __asm block]
here's a complete thing done in linux and nasm:
; ----------------------------------------------------------------------------
; blah.asm
; ----------------------------------------------------------------------------
extern printf
SECTION .data ;local variables
fmt: db "next char:%c", 10, 0 ;printf format, "\n",'0'
SECTION .text ;hack in some codes XD
global foo
foo: ;foo entry
push ebp ;set up stack frame
mov ebp,esp
mov esi, [ebp+8] ;load the input char array to the source index
oook: ;loop while we have some chars
push dword [esi] ;push next char addy in string to stack
push dword fmt ;push stored format string to stack
call printf
add esp, 8 ;restore stack pointer
inc esi ;iterate to next char
cmp byte [esi], 0 ;test for null terminator byte
jnz oook
mov esp, ebp ;restore stack frame
pop ebp
mov eax,0 ;return 0
ret ;done
blah.c (that invokes the .asm foo) :
/*-----------------------------------------------
blah.c
invokes some asm foo
------------------------------------------------*/
#include <stdio.h>
void foo(char*);
int main() {
char sz[]={"oook\n"};
foo(sz);
return 0;
}
&here's the commandline stuff:
$ nasm -f elf blah.asm -o blah.o
$ gcc -o blah blah.c blah.o
$ ./blah
next char:o
next char:o
next char:o
next char:k
next char:
$
$ nasm -v
NASM version 2.09.08 compiled on Apr 30 2011
$ uname -a
Linux violet-313 3.0.0-17-generic #30-Ubuntu SMP Thu Mar 8 17:34:21 UTC 2012 i686 i686 i386 GNU/Linux
Hope it works for you ;)
On linux x86 the first function parameter is in ecx. The printf format for printing a pointer is "%p".
So something along
...
FORMAT: db '%p', 10, 0 ; to break the line 10, 0
processdata:
mov eax, [esp+4]
push eax
push format
call printf
add esp, 8
ret
should work, assuming the rest of your code is correct and your are using gcc's calling convention.
This is assuming that the pointer you want to print is on the stack.
The reason for the crash is probably that you push 12 bytes on the stack, but correct the stack pointer by only 8.