I am trying to study execve shellcode.
OS: Linux bt 2.6.39.4
root@bt:~/exploit# cat gshell.s
.globl _start
_start:
nop
jmp MyString            # jump forward so the call below pushes the string's address
shell:
popl %esi               # esi = address of shellvar ("/bin/bashADDDDCCCC")
xorl %eax,%eax          # eax = 0
movb %al,9(%esi)        # NUL-terminate the path: overwrite the 'A' with a zero byte
movl %esi,10(%esi)      # argv[0] = pointer to "/bin/bash" (overwrites "DDDD")
movl %eax,14(%esi)      # argv[1] = NULL (overwrites "CCCC")
movb $11,%al            # syscall number 11 = execve
movl %esi, %ebx         # ebx = filename
leal 0xa(%esi),%ecx     # ecx = argv
leal 0xe(%esi),%edx     # edx = envp (the zeroed slot, i.e. an empty environment)
int $0x80
movl $1,%eax            # exit(0) if execve returns
movl $0,%ebx
int $0x80
MyString:
call shell              # pushes the address of shellvar, then jumps back to shell
shellvar:
.ascii "/bin/bashADDDDCCCC"
root@bt:~/exploit# as -gstabs -o gshell.o gshell.s
root@bt:~/exploit# ld -o gshell gshell.o
root@bt:~/exploit# ./gshell
Segmentation fault (core dumped)
root@bt:~/exploit#
GDB:
(gdb) break *_start
Breakpoint 1 at 0x8048054: file gshell.s, line 6.
(gdb) r
Starting program: /root/exploit/gshell

Program received signal SIGSEGV, Segmentation fault.
shell () at gshell.s:14
14          movb %al,9(%esi)
(gdb) print /x $esi
$1 = 0x804807a
(gdb) x/16cb $esi
0x804807a:  47 '/'   98 'b'   105 'i'  110 'n'  47 '/'   98 'b'   97 'a'   115 's'
0x8048082:  104 'h'  65 'A'   68 'D'   68 'D'   68 'D'   68 'D'   67 'C'   67 'C'
(gdb)
From the above output it seems I have successfully popped the /bin/sh address into the ESI register, but when I try to move 0 into 9(%esi) it causes a segmentation fault. I even tried to modify this program: movl $0 to $esi. I want to know whether writing at address 0x804807a is restricted, which is causing this fault, and how I can proceed with successfully running this shellcode.
Thanks, littlejack
As Bo said in his comment, the .text section is read-only by default on current systems. To make this code work, you have to make it writable. You can for example use a directive in the source file like so:

.section wtext, "awx", @progbits

The equivalent nasm directive is:

section wtext exec write

Alternatively, you could also pass the -N switch to the linker.

Note that such shell code is normally intended for stack execution, which is yet another thing that's typically disabled in current operating systems. If you ever want to try this on the stack, you might need the -z execstack linker option.
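The mechanism behind the answer, shown as an added example that is not part of the question or the answer above: the crash is a store into a page the loader mapped read+execute, and the "awx" flags / -N switch simply make that page writable. The program below reproduces both outcomes with mmap/mprotect instead of assembling the 32-bit shellcode, so it runs on a 64-bit host. It performs the same three stores the shellcode does (NUL at offset 9, then argv[0] and the NULL terminator), first against an r-x page, where the store raises SIGSEGV, and then against a writable page, where it succeeds. The names patch_payload, write_to_rx_page, write_to_rwx_page, PAYLOAD and ARGV_OFFSET are this example's own; the argv slot is placed at offset 16 rather than the shellcode's 10/14 so it can hold host-width pointers.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed payload: the same bytes the question's .ascii line emits. */
static const char PAYLOAD[] = "/bin/bashADDDDCCCC";
/* Pointer-aligned argv slot used here. The shellcode uses offsets 10 and 14,
 * which only fit 4-byte pointers; 16 keeps the example valid on x86-64 too. */
#define ARGV_OFFSET 16

static sigjmp_buf fault_env;

/* SIGSEGV handler: unwind to the sigsetjmp in patch_payload instead of dying. */
static void on_segv(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* Do in C what the shellcode does with movb/movl: NUL-terminate the path, then
 * store argv[0] and the NULL terminator after it. Returns 1 if all stores
 * succeeded, 0 if the first store raised SIGSEGV (page not writable). */
int patch_payload(char *page)
{
    struct sigaction sa, old;
    volatile int ok = 0;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    if (sigsetjmp(fault_env, 1) == 0) {
        char **argv = (char **)(page + ARGV_OFFSET);
        page[9] = '\0';      /* movb %al,9(%esi): the store that faulted in gdb */
        argv[0] = page;      /* movl %esi,10(%esi) */
        argv[1] = NULL;      /* movl %eax,14(%esi) */
        ok = 1;
    }

    sigaction(SIGSEGV, &old, NULL);
    return ok;
}

/* Map a page holding the payload with the protection the loader gives .text
 * (read + execute, no write), then attempt the patch. 0 = SIGSEGV was raised. */
int write_to_rx_page(void)
{
    long sz = sysconf(_SC_PAGESIZE);
    char *page = mmap(NULL, sz, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    memcpy(page, PAYLOAD, sizeof PAYLOAD);
    if (mprotect(page, sz, PROT_READ | PROT_EXEC) != 0)
        return -1;
    int ok = patch_payload(page);
    munmap(page, sz);
    return ok;
}

/* Same page, but also writable, which is what the "awx" section flags and
 * ld -N achieve for the shellcode's own section. 1 = stores succeeded and the
 * filename/argv layout execve needs is in place. */
int write_to_rwx_page(void)
{
    long sz = sysconf(_SC_PAGESIZE);
    char *page = mmap(NULL, sz, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    memcpy(page, PAYLOAD, sizeof PAYLOAD);
    /* Some hardened kernels refuse W+X mappings; writable alone still proves the point. */
    if (mprotect(page, sz, PROT_READ | PROT_WRITE | PROT_EXEC) != 0 &&
        mprotect(page, sz, PROT_READ | PROT_WRITE) != 0)
        return -1;
    int ok = patch_payload(page);
    if (ok) {
        char **argv = (char **)(page + ARGV_OFFSET);
        ok = strcmp(page, "/bin/bash") == 0 && argv[0] == page && argv[1] == NULL;
    }
    munmap(page, sz);
    return ok;
}

int main(void)
{
    printf("r-x page: store %s\n",
           write_to_rx_page() == 0 ? "faulted (SIGSEGV)" : "succeeded");
    printf("rwx page: store %s\n",
           write_to_rwx_page() == 1 ? "succeeded" : "failed");
    return 0;
}
```

The first call is the question's crash in miniature: the byte at offset 9 sits in a page without PROT_WRITE, so the CPU raises a fault on the store regardless of how the address was obtained. The second call is what the section directive or -N gives you: the same bytes, now in a writable page, so the in-place patching completes and the pointer/NULL layout execve expects is ready at the addresses the shellcode computes from %esi.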
Source: https://stackoverflow.com/questions/13777445/execve-shellcode-writing-segmentation-fault