I'm learning the basics of computer security and I'm trying to execute some shellcode I've written. I followed the steps given here
http://dl.packetstormsecurity.net/papers/shellcode/own-shellcode.pdf
http://webcache.googleusercontent.com/search?q=cache:O3uJcNhsksAJ:dl.packetstormsecurity.net/papers/shellcode/own-shellcode.pdf+own+shellcode&cd=1&hl=nl&ct=clnk&gl=nl
$ cat pause.s
xor %eax,%eax
mov $29,%al
int $0x80
$ as -o pause.o pause.s
$ ld -o pause pause.o
ld: warning: cannot find entry symbol _start; defaulting to <<some address here>>
$ ./pause
^C
$ objdump -d ./pause
pause: file format elf64-x86_64
Disassembly of section .text:
08048054 <.text>:
8048054: 31 c0 xor %eax,%eax
8048056: b0 1d mov $0x1d,%al
8048058: cd 80 int $0x8
$
Since I got my pause program to work, I just copied the objdump output to a c file.
test.c:
int main()
{
char s[] = "\x31\xc0\xb0\x1d\xcd\x80";
(*(void(*)())s)();
}
But this produces a segfault. Now, this can only be due to security measures of Arch Linux (?). So how can I get this to work?
The page s lives in isn't mapped with execute permissions. Since you're on x86_64 you definitely have NX support in hardware. By default these days code and data live in very separate pages, with data not having the execute permission.
You can work around this with either mmap() or mprotect() to allocate or alter pages to have the PROT_EXEC permission.
You can also use a #define to define your shellcode. This way the pre-processor will insert the code directly into main
#define SHELLCODE "\x31\xc0\xb0\x1d\xcd\x80"
int main()
{
(*(void(*)())SHELLCODE)();
}
The older style of writing shellcode doesn't work on newer systems because of security measures. You will also probably have to compile with stack protection turned off:
gcc -z execstack -fno-stack-protector shellcode.c -o shellcode
Here is a fully working example that uses exit system call that I've tested on 3.2.0.3 kernel x86_64:
#include<stdio.h>
#define SHELLCODE "\x48\xc7\xc0\x3c\x00\x00\x00\x48\xc7\xc7\xe7\x03\x00\x00\x0f\05"
main()
{
int (*function)();
// cast shellcode as a function
function = (int(*)())SHELLCODE;
// execute shellcode function
(int)(*function)();
return 0;
}
The shellcode is using 64 bit registers, so it won't work on 32bit machine. To verify that the code works, you can test it with strace:
strace shellcode
execve("./shellcode", ["shellcode"], [/* 38 vars */]) = 0
....
munmap(0x7ffff7fd5000, 144436) = 0
_exit(999) <---- we passed 999 to exit, our shellcode works!
来源:https://stackoverflow.com/questions/7431986/linuxs-security-measures-against-executing-shellcode