I was trying to overwrite the return address of main() with the address of the shellcode that I wrote in assembly.
My assembly program:
ExitShell.asm
SECTION .text
global _start
_start:
    jmp short shellOffset      ; jump forward to the call so the address of msg is pushed
Shellcode:
    pop esi                    ; esi = address of msg (return address pushed by the call below)
    lea ecx, [esi]             ; ecx = buffer pointer for write()
    mov dl, 12                 ; edx = length of "Hello World\n" (only the low byte is set)
    mov bl, 1                  ; ebx = fd 1 (stdout)
    mov al, 4                  ; eax = __NR_write on 32-bit Linux
    int 0x80
    mov bl, 20                 ; ebx = exit status 20
    mov al, 1                  ; eax = __NR_exit
    int 0x80
shellOffset:
    call Shellcode             ; pushes the address of msg and jumps back to Shellcode
msg db "Hello World",0xa
My .c file in which I am overwriting the return address:
ShellCode.c
#include <stdio.h>

/* Raw bytes of the Shellcode..msg region of ExitShell.asm; as a global array this lives in .data */
char shellcode[] = "\xeb\x11\x5e\x8d\x0e\xb2\x0c\xb3\x01\xb0\x04\xcd\x80"
                   "\xb3\x14\xb0\x01\xcd\x80\xe8\xea\xff\xff\xff"
                   "\x48\x65\x6c\x6c\x6f\x20\x57\x6f\x72\x6c\x64\x0a";

void main()
{
    int *ret;
    ret = (int *)&ret + 2;       /* assumes the saved return address sits two ints above ret */
    (*ret) = (int)shellcode;     /* overwrite it with the address of the array */
}
I compiled the program with the following command:
gcc -O0 -o sh ShellCode.c -fno-stack-protector -zexec -fno-asynchronous-unwind-tables -g
When I executed the program, I received a segmentation fault. Loading the program into gdb, I found that the error occurred at the ret instruction in the assembly:
Dump of assembler code for function main:
0x080483b4 <+0>: push %ebp
0x080483b5 <+1>: mov %esp,%ebp
0x080483b7 <+3>: sub $0x10,%esp
0x080483ba <+6>: lea -0x4(%ebp),%eax
0x080483bd <+9>: add $0x8,%eax
0x080483c0 <+12>: mov %eax,-0x4(%ebp)
0x080483c3 <+15>: mov -0x4(%ebp),%eax
0x080483c6 <+18>: mov $0x804a040,%edx
0x080483cb <+23>: mov %edx,(%eax)
0x080483cd <+25>: leave
=> 0x080483ce <+26>: ret
What is the issue? I am new to this.
This can have many reasons. You disabled the stack-smashing detector, but that doesn't mean that ret in main is going to be allocated right after the return address. The compiler and linker have some leeway in aligning the variables' addresses to improve performance or to satisfy CPU alignment requirements.
Another issue is that shellcode will be placed in the .data segment, which may be set non-executable, so main returning to shellcode would trigger that trap.
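As an added check (not code from the question or the answer), the following C program shows how to verify the answer's second point on Linux: it parses /proc/self/maps style lines and reports whether the mapping holding an address carries the 'x' permission. The embedded listing is constructed to mirror the question's addresses, and the names region_is_exec, data_is_exec and data_obj are chosen here.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Walk a /proc/self/maps style listing ("start-end perms offset dev inode path" per line).
   Returns 1 if addr lies in a mapping whose perms carry 'x', 0 if it is mapped
   without 'x', and -1 if no line covers it. */
int region_is_exec(const char *maps, uintptr_t addr)
{
    for (const char *cur = maps; *cur; ) {
        unsigned long start, end;
        char perms[5];
        int ok = sscanf(cur, "%lx-%lx %4s", &start, &end, perms) == 3;
        if (ok && addr >= start && addr < end)
            return perms[2] == 'x';
        const char *nl = strchr(cur, '\n');    /* advance to the next line */
        if (!nl) break;
        cur = nl + 1;
    }
    return -1;
}

/* Constructed listing (not captured from a real process), shaped like the
   question's binary: text at 0x08048000 with 'x', .data at 0x0804a000 without. */
const char sample_maps[] =
    "08048000-08049000 r-xp 00000000 08:01 1234 /tmp/sh\n"
    "0804a000-0804b000 rw-p 00001000 08:01 1234 /tmp/sh\n"
    "bffdf000-c0000000 rw-p 00000000 00:00 0 [stack]\n";

/* Live check: read this process's own map and test the page holding a .data object. */
char data_obj[16] = "constructed";
int data_is_exec(void)
{
    static char buf[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;                          /* not Linux, or /proc unavailable */
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return region_is_exec(buf, (uintptr_t)data_obj);
}

int main(void)
{
    /* 0x804a040 is the shellcode[] address shown in the question's disassembly */
    printf("sample: shellcode[] executable? %d\n", region_is_exec(sample_maps, 0x804a040));
    printf("live:   this process's .data executable? %d\n", data_is_exec());
    return 0;
}
```

On a kernel and toolchain that enforce NX the live check prints 0, which is exactly the situation the answer describes.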