Segfault when running hello world shellcode in C program

Sorry if this question sounds dumb, but I am very new to shellcoding and I was trying to get a hello world example to work on a 32-bit Linux machine.

As this is shellcoding, I used a few tricks to remove null bytes and shorten the code. Here it is:

section .data

section .text
global _start
_start:

;Instead of xor eax,eax
;mov al,0x4
push byte 0x4
pop eax
;xor ebx,ebx
push byte 0x1
pop ebx
;xor ecx,ecx
cdq ; instead of xor edx,edx

;mov al, 0x4
;mov bl, 0x1
mov dl, 0x8
push 0x65726568
push 0x74206948
;mov ecx, esp
push esp
pop ecx
int 0x80

mov al, 0x1
xor ebx,ebx
int 0x80

This code works fine when I compile and link it with the following commands:

$ nasm -f elf print4.asm
$ ld -o print4 -m elf_i386 print4.o

However, I tried running it within the following C code:
$ cat shellcodetest.c
#include
#include

char *shellcode = "\x04\x6a\x58\x66\x01\x6a\x5b\x66\x99\x66\x08\xb2\x68\x68\x68\x65\x69\x48\x54\x66\x59\x66\x80\xcd\x01\xb0\x31\x66\xcd\xdb\x80";

int main(void) {
    ( *( void(*)() ) shellcode)();
}
$ gcc shellcodetest.c -m32 -z execstack -o shellcodetest
$ ./shellcodetest
Segmentation fault (core dumped)

Could someone please explain what is happening there? I tried running the code in gdb and noticed something weird happening with esp. But as I said before, I still lack experience to really understand what is going on here.

Thanks in advance!
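
As an added example, not part of the question above, here is a C harness for the same payload. The 29 bytes below are the asm assembled by hand as 32-bit code (`push byte 0x4` is `6a 04`, `pop eax` is `58`, and so on). Writing the bytes out this way is also a quick check on a pasted string: the posted string begins `\x04\x6a`, which is that first instruction with its two bytes swapped, the order a hex dump in 16-bit words (for example `od -x`) prints on little-endian x86. The harness keeps the payload in a byte array so `sizeof` gives its real length, refuses to run a payload that contains a NUL (a NUL ends a C string early, so `strlen` would report a shorter payload than intended), copies the bytes into a readable/writable/executable page obtained from `mmap` instead of depending on `-z execstack`, and only executes them in a 32-bit build, because `int 0x80` with arguments in ebx/ecx/edx is the 32-bit system call ABI. The file name `sc_test.c` in the build line is my choice.

```c
/* Added example: shellcode test harness for the 32-bit "Hi there" payload.
 * Not the code from the question. Build 32-bit: gcc -m32 -o sc_test sc_test.c */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* The asm from the question, assembled by hand as 32-bit code. Kept as an
 * unsigned char array, not a char *, so sizeof() is the payload length. */
static const unsigned char hello_sc[] = {
    0x6a, 0x04,                   /* push byte 0x4                        */
    0x58,                         /* pop eax          ; eax = 4 (write)   */
    0x6a, 0x01,                   /* push byte 0x1                        */
    0x5b,                         /* pop ebx          ; ebx = 1 (stdout)  */
    0x99,                         /* cdq              ; edx = 0 (eax > 0) */
    0xb2, 0x08,                   /* mov dl, 0x8      ; edx = 8 (length)  */
    0x68, 0x68, 0x65, 0x72, 0x65, /* push 0x65726568  ; "here"            */
    0x68, 0x48, 0x69, 0x20, 0x74, /* push 0x74206948  ; "Hi t"            */
    0x54,                         /* push esp                             */
    0x59,                         /* pop ecx          ; ecx -> "Hi there" */
    0xcd, 0x80,                   /* int 0x80         ; write(1, ecx, 8)  */
    0xb0, 0x01,                   /* mov al, 0x1      ; eax = 1 (exit)    */
    0x31, 0xdb,                   /* xor ebx, ebx     ; status 0          */
    0xcd, 0x80,                   /* int 0x80         ; exit(0)           */
};

/* Index of the first NUL byte in the payload, or -1 if there is none.
 * A NUL is fatal when the payload travels through a C string or strcpy(). */
int first_nul(const unsigned char *sc, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (sc[i] == 0)
            return (int)i;
    return -1;
}

/* How many payload bytes survive if the array is treated as a C string:
 * equal to len only when the payload has no NUL. */
size_t c_string_len(const unsigned char *sc, size_t len)
{
    int n = first_nul(sc, len);
    return n < 0 ? len : (size_t)n;
}

/* Copy the payload into a fresh RWX mapping so it runs without -z execstack.
 * Returns NULL if the kernel refuses an executable anonymous mapping. */
void *map_shellcode(const unsigned char *sc, size_t len)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    memcpy(p, sc, len);
    return p;
}

int main(void)
{
    size_t len = sizeof hello_sc;
    printf("payload: %zu bytes, first NUL at index %d\n", len, first_nul(hello_sc, len));
    if (first_nul(hello_sc, len) >= 0) {
        fputs("refusing to run: payload contains a NUL byte\n", stderr);
        return 1;
    }
    if (sizeof(void *) != 4) {
        fputs("int 0x80 with ebx/ecx/edx is the 32-bit ABI; rebuild with -m32\n", stderr);
        return 1;
    }
    void *code = map_shellcode(hello_sc, len);
    if (code == NULL) {
        perror("mmap");
        return 1;
    }
    ((void (*)(void))code)();   /* writes "Hi there" and exits via the payload's exit(0) */
    return 0;
}
```

Run it with `gcc -m32 -o sc_test sc_test.c && ./sc_test`. The same checks apply to any payload you paste in: compare `sizeof` against the byte count you expect from the assembler listing, and make sure the first bytes match the first instruction.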


Segmentation fault error when calling user defined function in shellcode

I am getting a segmentation fault error when I call the function “target” in my shellcode.

Here’s the C code of the program:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>

#define AMOUNT_OF_STUFF 50

void target(){
    //Magic Happens Here   
}


void function_x(){
    char * stuff = (char *)mmap(NULL, AMOUNT_OF_STUFF, PROT_EXEC|PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
    if(stuff == MAP_FAILED){
        exit(0);
    }
    printf("You can type %d bytes:\n", AMOUNT_OF_STUFF);
    fflush(stdout);
    int len = read(STDIN_FILENO, stuff, AMOUNT_OF_STUFF);
    if(len == 0){
        exit(0);
    }
    void (*func)() = (void (*)())stuff;
    func();      
}

int main(){
    function_x();
    return 0;
}

I obtained the opcode of the “CALL TARGET_FUNCTION_ADDRESS” instruction, which is “0xfffef5e8”, and saved it in a file as:
echo -e "\xe8\xf5\xfe\xff" > shellcode

Then I passed my shellcode as input to the program as:

    (gdb) r < shellcode
    The program being debugged has been started already.
    Start it from the beginning? (y or n) y
    Starting program: /home/rakesh/a.out < shellcode
    You can type 50 bytes:

    Breakpoint 1, 0x08048615 in function_x ()
    (gdb) si
    0xb7fd5000 in ?? ()

    (gdb) x/10w $eip
    0xb7fd5000: 0xfffef5e8  0x0000000a  0x00000000  0x00000000
    0xb7fd5010: 0x00000000  0x00000000  0x00000000  0x00000000
    0xb7fd5020: 0x00000000  0x00000000

    (gdb) si
    0xc2fd4efa in ?? ()

    (gdb) si

    Program received signal SIGSEGV, Segmentation fault.
    0xc2fd4efa in ?? ()
    (gdb) 
    [46]+  Stopped                 gdb ./a.out

I can see that EIP is pointing to my shellcode, but it is still not working as expected.

Can anyone tell me why my shellcode is not working?
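
An added example, not from the question: the arithmetic behind the addresses in the gdb session above. A `call` with opcode `e8` is five bytes, the opcode followed by a 32-bit displacement measured from the address of the next instruction, so the four bytes written here (`e8 f5 fe ff`) are one short, and the newline that `echo -e` appends (`0x0a`) ends up as the high byte of the displacement. The `x/10w $eip` output shows exactly that memory, `0xfffef5e8 0x0000000a`, and decoding those five bytes at 0xb7fd5000 gives the 0xc2fd4efa that gdb reports after the `si`. Separately, a relative displacement taken from the call's original position in the binary is only correct at that position; a copy at a freshly mmap'd address needs the displacement recomputed for that address, or an absolute call (`mov eax, target; call eax`) that works wherever the payload lands. The target address 0x0804841d used in `main` is an assumption for illustration; the page does not show where `target` lives.

```c
/* Added example: encode and decode x86 call instructions for shellcode that
 * is copied to an address other than the one it was assembled for.
 * Not the code from the question. */
#include <stdio.h>
#include <stdint.h>

/* Little-endian 32-bit load and store. */
static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Where a 5-byte `call rel32` located at `at` transfers control. The
 * displacement is relative to the end of the instruction (at + 5); uint32_t
 * arithmetic wraps the same way a 32-bit EIP does. */
uint32_t decode_call_rel32(uint32_t at, const unsigned char ins[5])
{
    return at + 5 + rd32(ins + 1);
}

/* Encode `call target` as e8 rel32 for a call that will sit at `at`. */
void encode_call_rel32(uint32_t at, uint32_t target, unsigned char out[5])
{
    out[0] = 0xe8;
    wr32(out + 1, target - (at + 5));
}

/* Position-independent alternative, 7 bytes: mov eax, imm32 ; call eax
 * (b8 imm32 ff d0). Correct wherever the payload is loaded; clobbers eax. */
void encode_call_abs_eax(uint32_t target, unsigned char out[7])
{
    out[0] = 0xb8;
    wr32(out + 1, target);
    out[5] = 0xff;
    out[6] = 0xd0;
}

static void dump(const char *label, const unsigned char *b, size_t n)
{
    printf("%s:", label);
    for (size_t i = 0; i < n; i++)
        printf(" %02x", b[i]);
    putchar('\n');
}

int main(void)
{
    const uint32_t page = 0xb7fd5000u;   /* mmap address seen in the gdb session */

    /* What `echo -e` wrote: the intended e8 f5 fe ff plus the trailing newline. */
    const unsigned char from_echo[5] = {0xe8, 0xf5, 0xfe, 0xff, 0x0a};
    printf("bytes from echo, at 0x%08x, call goes to 0x%08x\n",
           page, decode_call_rel32(page, from_echo));

    /* Even with the missing 0xff supplied, a displacement computed for the
     * original binary points 0x10b bytes below the copy, not at target(). */
    const unsigned char intended[5] = {0xe8, 0xf5, 0xfe, 0xff, 0xff};
    printf("e8 f5 fe ff ff at 0x%08x, call goes to 0x%08x\n",
           page, decode_call_rel32(page, intended));

    /* Assumed address of target() in a non-PIE 32-bit binary; not from the page. */
    const uint32_t target = 0x0804841du;
    unsigned char rel[5], absc[7];
    encode_call_rel32(page, target, rel);
    encode_call_abs_eax(target, absc);
    dump("call rel32 recomputed for the mmap page", rel, sizeof rel);
    dump("mov eax, target ; call eax (position independent)", absc, sizeof absc);
    return 0;
}
```

Because `read()` writes whatever bytes arrive, a payload file should be produced with `printf` or a hex tool rather than `echo -e` with its trailing newline, and its length checked against the instruction length before it is fed to the program.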
