RobertGG's questions

Estou aprendendo sobre desenvolvimento de shellcode em C com um exemplo daqui . Posso compilar o código assembly e obter os opcodes, também posso executar com sucesso o ELF compilado com NASM, mas recebo uma falha de segmentação quando executo o aplicativo de teste C com o shellcode incorporado. Tenho o Ubuntu 20.04 64 bits.

Este é o código assembly, posso executar ./shellcodee obter um shell sem erros.

; https://mcsi-library.readthedocs.io/articles/2022/06/linux-exploitation-x64-shellcode/linux-exploitation-x64-shellcode.html
; shellcode.asm
; nasm -f elf64 -o shellcode.o shellcode.asm
; ld -m elf_x86_64 -s -o shellcode shellcode.o

section .text
global _start                 ; we inform the system where the program begins

_start:
  xor rdx, rdx                ; zero out rdx
  push rdx                    ; push it onto the stack
  mov rax, 0x68732f2f6e69622f ; we can push 'hs//nib/' as one value, after all it is 64-bit
  push rax                    ; we push it onto the stack, so it lands at some address on the stack
  mov rdi, rsp                ; that address is where esp points to, so we store it in rdi => pointer to '/bin/sh'
  push rdx                    ; we push 0, as it will be the null termination of the array
  push rdi                    ; the address of '/bin/sh' is pushed onto the stack, it lands under another stack address
  mov rsi, rsp                ; we store that address into rsi. So rsi contains a pointer to a pointer to '/bin/sh'
  xor rax, rax                ; zero out eax to keep it clean
  mov al, 0x3b                ; 59 DEC, we move it to the lowest eax part to avoid nulls.
  syscall                     ; all arguments are set up, syscall time

Eu obtenho os opcodes usando este script e obtenho os mesmos opcodes da postagem original.

#!/bin/bash
# extract elf opcodes

if [ -z "$1" ]
then
    echo "Usage: $0 <path to executable>"
    exit
fi

objdump -d $1|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'

E este é o tester.c com o shellcode incorporado, que inicia a falha de segmentação.

// tester.c
// shellcode tester program
// gcc -m64 -z execstack -fno-stack-protector -o tester tester.c
// https://mcsi-library.readthedocs.io/articles/2022/06/linux-exploitation-x64-shellcode/linux-exploitation-x64-shellcode.html

#include <stdio.h>
#include <string.h>

unsigned char code[] = "\x48\x31\xd2\x52\x48\xb8\x2f\x62\x69\x6e\x2f\x73\x68\x50\x48\x89\xe7\x52\x57\x48\x89\xe6\x48\x31\xc0\xb0\x3b\x0f\x05";

int main() {
    printf("shellcode length: %d\n", strlen(code));
    int (*ret)() = (int(*)())code;
    ret();
}

Testei com -no-pie , -fno-pie , executando com setarch `uname -m` -R ./testerpara desabilitar a randomização do layout de memória e nada.