I am using Ubuntu 14.04, 64-bit. I am studying shellcode writing. So to spawn a shell I wrote the following program:
```nasm
segment .text
global _start:
_start:
    jmp short GotoCall
shellcode:
    pop esi
    xor eax, eax
    mov byte [esi + 7], al      ; here I get the error
    lea ebx, [esi]
    mov long [esi + 8], ebx
    mov long [esi + 12], eax
    mov byte al, 0x0b
    mov ebx, esi
    lea ecx, [esi + 8]
    lea edx, [esi + 12]
    int 80h
GotoCall:
    call shellcode
    db '/bin/shJAAAABBBB'
```
Compiled and linked with:

```
nasm -ggdb -f elf Shellcode_Execve.asm
ld -m elf_i386 -ggdb -o Shellcode_Execve Shellcode_Execve.o
```
When I ran it in GDB, I found that the instruction below gives the error:

```nasm
mov byte [esi + 7], al
```
I found that this is because of DEP (Data Execution Prevention). So I tried "-fno-stack-protector -z execstack" to compile and link, like below:
```
$ nasm -ggdb -f elf32 -z execstack Shellcode_Execve.asm
nasm: error: unrecognised option `-z'
nasm: error: more than one input file specified
type `nasm -h' for help
$ nasm -ggdb -f elf32 -z execstack -o shell Shellcode_Execve.asm
nasm: error: unrecognised option `-z'
nasm: error: more than one input file specified
type `nasm -h' for help
$ nasm -ggdb -z execstack -f elf32 -o shell Shellcode_Execve.asm
nasm: error: unrecognised option `-z'
nasm: error: more than one input file specified
type `nasm -h' for help
$ nasm -ggdb -fno-stack-protector -z execstack -z execstack -f elf32 -o shell Shellcode_Execve.asm
nasm: fatal: unrecognised output format `no-stack-protector' - use -hf for a list
type `nasm -h' for help
$ nasm -ggdb -f elf32 Shellcode_Execve.asm
$ gcc -ggdb -m32 -fno-stack-protector -z execstack -o Shellcode_Execve Shellcode_Execve.o
Shellcode_Execve.o:Shellcode_Execve.asm:5: multiple definition of `_start'
/usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../lib32/crt1.o:(.text+0x0): first defined here
/usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../lib32/crt1.o: In function `_start':
(.text+0x18): undefined reference to `main'
collect2: error: ld returned 1 exit status
$ nasm -ggdb -f elf32 Shellcode_Execve.asm
$ gcc -ggdb -m32 -fno-stack-protector -z execstack -o Shellcode_Execve Shellcode_Execve.o
$ ./Shellcode_Execve
Segmentation fault (core dumped)
$ nasm -ggdb -f elf32 Shellcode_Execve.asm
$ ld -m elf_i386 -ggdb -z execstack -o Shellcode_Execve Shellcode_Execve.o
$ ./Shellcode_Execve
Segmentation fault (core dumped)
```
As shown above, I tried all the ways I know to disable DEP using GCC and ld, but nothing works. So how can I disable DEP and make my code work? (Please confirm that the problem is DEP.)
I have changed my NASM code a little bit; now it looks like below:
```nasm
section .mytext progbits alloc exec write align=16   ; CHANGED HERE
global _start:
_start:
    jmp short GotoCall
shellcode:
    pop esi
    xor eax, eax
    mov byte [esi + 7], al
    lea ebx, [esi]
    mov long [esi + 8], ebx
    mov long [esi + 12], eax
    mov byte al, 0x0b
    mov ebx, esi
    lea ecx, [esi + 8]
    lea edx, [esi + 12]
    int 80h
GotoCall:
    call shellcode
    db '/bin/shJAAAABBBB'
```
The .text section is not writable by default. I just changed the first line to

```nasm
section .mytext progbits alloc exec write align=16
```

For details about `progbits alloc exec write`, see the NASM documentation.

Also, the linker has a default override, so it ignores a writable .text even if you ask for it. But it doesn't care if the section has a different name.
Now compile and link it:

```
nasm -f elf32 Shellcode_Execve.asm
ld -m elf_i386 -o Shellcode_Execve Shellcode_Execve.o
```
Now it WORKSSSS:)
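The difference between the two builds shows up in the program headers of the linked binary: the first build maps the code segment read+execute only (so the `mov byte [esi + 7], al` write faults), while the renamed `alloc exec write` section is loaded as a read+write+execute segment, which is exactly what a binary audit should flag. The following Python script is an added example, not code from the question or the answer; it reads an ELF file's program headers and reports any `PT_LOAD` segment that is both writable and executable, plus any `PT_GNU_STACK` header requesting an executable stack (the effect of `-z execstack`). The function and helper names are mine, and `build_elf32` constructs a header-only sample image so the script runs offline; on a real file use `audit_file("./Shellcode_Execve")`, which shows the same information as `readelf -l`.

```python
import struct

PT_LOAD, PT_GNU_STACK = 1, 0x6474E551      # segment types from the ELF spec
PF_X, PF_W, PF_R = 1, 2, 4                 # p_flags bits

def _flags(f):
    """Render p_flags the way readelf does, e.g. 'rwx'."""
    return ("r" if f & PF_R else "-") + ("w" if f & PF_W else "-") + ("x" if f & PF_X else "-")

def audit_segments(data):
    """Return a list of findings for W+X segments and executable-stack requests in an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                     # EI_CLASS: 1 = ELF32, 2 = ELF64
    hdr = "<16sHHIQQQIHHH" if is64 else "<16sHHIIIIIHHH"
    _, _, _, _, _, phoff, _, _, _, phentsize, phnum = struct.unpack_from(hdr, data, 0)
    findings = []
    for i in range(phnum):
        off = phoff + i * phentsize
        if is64:   # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align
            p_type, p_flags, _, vaddr, _, _, memsz, _ = struct.unpack_from("<IIQQQQQQ", data, off)
        else:      # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags, align
            p_type, _, vaddr, _, _, memsz, p_flags, _ = struct.unpack_from("<IIIIIIII", data, off)
        if p_type == PT_LOAD and (p_flags & PF_W) and (p_flags & PF_X):
            findings.append("PT_LOAD %s at 0x%x (%d bytes) is writable and executable"
                            % (_flags(p_flags), vaddr, memsz))
        if p_type == PT_GNU_STACK and (p_flags & PF_X):
            findings.append("PT_GNU_STACK %s: executable stack requested" % _flags(p_flags))
    return findings

def audit_file(path):
    with open(path, "rb") as fh:
        return audit_segments(fh.read())

def build_elf32(segments):
    """Constructed sample: a minimal ELF32 header plus program headers (no code), for offline demos."""
    phoff, phentsize = 52, 32
    ident = b"\x7fELF\x01\x01\x01" + b"\x00" * 9          # class=ELF32, little-endian, version 1
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident, 2, 3, 1, 0x8048000, phoff, 0, 0,
                       52, phentsize, len(segments), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIIIIIII", t, 0, 0x8048000, 0x8048000, 0x100, 0x100, f, 0x1000)
                     for t, f in segments)
    return ehdr + phdrs

if __name__ == "__main__":
    # What ld produces for the first build: r-x code segment, rw- stack -> no findings.
    print(audit_segments(build_elf32([(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W)])))
    # The 'alloc exec write' section is loaded rwx -> flagged.
    print(audit_segments(build_elf32([(PT_LOAD, PF_R | PF_W | PF_X), (PT_GNU_STACK, PF_R | PF_W)])))
```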