1

I am trying to use write system call shellcode in assembly but when i run it i am getting a segmentation fault. I did debug it and its because of the call instruction which is having a random address in instruction.

jamesbond008@jamesbond008-VirtualBox:~/Desktop/buffer-overflow-exploit-detect-prevent$ gdb -q ./test_write
Reading symbols from ./test_write...(no debugging symbols found)...done.
(gdb) run
Starting program: /home/jamesbond008/Desktop/buffer-overflow-exploit-detect-prevent/test_write 

Program received signal SIGSEGV, Segmentation fault.
0x6d4ca060 in ?? ()
(gdb) disass main
Dump of assembler code for function main:
   0x080483db <+0>: lea    ecx,[esp+0x4]
   0x080483df <+4>: and    esp,0xfffffff0
   0x080483e2 <+7>: push   DWORD PTR [ecx-0x4]
   0x080483e5 <+10>:    push   ebp
   0x080483e6 <+11>:    mov    ebp,esp
   0x080483e8 <+13>:    push   ecx
   0x080483e9 <+14>:    sub    esp,0x14
   0x080483ec <+17>:    mov    DWORD PTR [ebp-0xc],0x804a040
   0x080483f3 <+24>:    mov    eax,DWORD PTR [ebp-0xc]
   0x080483f6 <+27>:    call   eax
   0x080483f8 <+29>:    mov    eax,0x0
   0x080483fd <+34>:    add    esp,0x14
   0x08048400 <+37>:    pop    ecx
   0x08048401 <+38>:    pop    ebp
   0x08048402 <+39>:    lea    esp,[ecx-0x4]
   0x08048405 <+42>:    ret    
End of assembler dump.
(gdb) x/25i $eax
   0x8040000:   Cannot access memory at address 0x8040000
(gdb) x/25i 0x804a040
   0x804a040 <shellcode>:   xor    ax,ax
   0x804a043 <shellcode+3>: xor    bx,bx
   0x804a046 <shellcode+6>: xor    cx,cx
   0x804a049 <shellcode+9>: xor    dx,dx
   0x804a04c <shellcode+12>:    jmp    0x804a04e <shellcode+14>
   0x804a04e <shellcode+14>:    call   0x6d4ca060     #random address  should be 0x804a060
   0x804a053 <shellcode+19>:    ins    BYTE PTR es:[edi],dx
   0x804a054 <shellcode+20>:    ins    BYTE PTR es:[edi],dx
   0x804a055 <shellcode+21>:    outs   dx,DWORD PTR ds:[esi]
   0x804a056 <shellcode+22>:    sub    al,0x20
   0x804a058 <shellcode+24>:    ja     0x804a0c9
   0x804a05a <shellcode+26>:    jb     0x804a0c8
   0x804a05c <shellcode+28>:    and    DWORD PTR fs:[esi+0x59],esp
   0x804a060 <shellcode+32>:    mov    bl,0x1
   0x804a062 <shellcode+34>:    mov    dl,0xd
   0x804a064 <shellcode+36>:    mov    al,0x4
   0x804a066 <shellcode+38>:    int    0x80
   0x804a068 <shellcode+40>:    dec    bl
   0x804a06a <shellcode+42>:    mov    al,0x1
   0x804a06c <shellcode+44>:    int    0x80
   0x804a06e <shellcode+46>:    add    BYTE PTR [eax],al

How can i get the right address in call?

0xC0000022L
  • 10,908
  • 9
  • 41
  • 79
prakash
  • 19
  • 1
  • 4
    How are you assembling/encoding the instructions for your shellcode? Nearly every CALL would use a relative 32 bit operand, which means CALL 0x804a060 should be something like \xE8\x0D\x00\x00\x00 (from address 0x804a04e) – Abigail Sep 07 '18 at 08:36
  • 1
    The instructions at 0x804a04e onwards look like ASCII characters. Perhaps the command-line got stored there? – peter ferrie Sep 07 '18 at 18:57
  • @Abigail It's a standard relative call. X86 doesn't have an absolute near call that takes an immediate address. You can either have an indirect absolute near call where we'd see it getting its destination from register/memory or an immediate absolute far call where we'd see a segment selector in the disassembly (also it would be 7 bytes long, not 5). – user2347953 Sep 11 '18 at 20:24
  • @user2347953 which is why it's a problem if they are manually assembling an 0xE8 jump with an absolute operand, making it resolve something like 0x6d4ca060 if we know more about how the shellcode was assembled we can help more easily. but as @peterferrie pointed out, the jump may likely have been assembled correctly but the last two bytes of it have been overwritten by something. – Abigail Sep 12 '18 at 00:45
  • @Abigail Oh, OK. I thought you were unsure about which kind of jump this was. Anyway, Peter is right, there indeed is a bunch of ASCII in the middle of the shellcode (specifically "Hello, world!" from 0x804a051 to 0x804a05e), so it does seem to be a case of memory corruption. – user2347953 Sep 12 '18 at 18:21

0 Answers0