I am learning to construct my own shellcodes following examples from the Gray Hat Hacking textbook. They have given examples to execute shellcodes on 32-bit Linux systems but when I assembled them in my system with the appropriate flags (maybe I could be wrong on this part) I am not getting the expected results.
The name of my shellcode executable is sc2.
section .text
global _start
_start:
    xor eax, eax
    mov al, 0x46        ; syscall 70 = setreuid
    xor ebx, ebx        ; ruid = 0
    xor ecx, ecx        ; euid = 0
    int 0x80
    xor eax, eax
    push eax            ; NUL terminator for the path string
    push 0x68732f2f     ; "//sh"
    push 0x6e692f2f     ; "//in"
    mov ebx, esp        ; ebx = pointer to the path string
    push eax            ; argv[1] = NULL
    push ebx            ; argv[0] = path
    mov ecx, esp        ; ecx = argv
    xor edx, edx        ; envp = NULL
    mov al, 0xb         ; syscall 11 = execve
    int 0x80
# nasm -f elf sc2.asm -o sc2.o
# ld -m elf_i386 sc2.o -o sc2
# ./sc2
segmentation fault
# objdump -M intel -d ./sc2
./sc2: file format elf32-i386
Disassembly of section .text:
08049000 <_start>:
8049000: 31 c0 xor eax,eax
8049002: b0 46 mov al,0x46
8049004: 31 db xor ebx,ebx
8049006: 31 c9 xor ecx,ecx
8049008: cd 80 int 0x80
804900a: 31 c0 xor eax,eax
804900c: 50 push eax
804900d: 68 2f 2f 73 68 push 0x68732f2f
8049012: 68 2f 2f 69 6e push 0x6e692f2f
8049017: 89 e3 mov ebx,esp
8049019: 50 push eax
804901a: 53 push ebx
804901b: 89 e1 mov ecx,esp
804901d: 31 d2 xor edx,edx
804901f: b0 0b mov al,0xb
8049021: cd 80 int 0x80
# gdb -q ./sc2
Reading symbols from ./sc2...
(No debugging symbols found in ./sc2)
(gdb) r
Starting program: sc2
Program received signal SIGSEGV, Segmentation fault.
0x08049023 in ?? ()
From what I can gather, I believe the code got executed, but gives a segfault without giving a shell. What am I missing?
(My system details: Mine is a 64-bit Kali Linux)
You have a typo in your push immediate instructions, and the command you are actually trying to execute is //in//sh. As no such file exists, the execve system call fails, which means that it returns. So your program continues executing past the last int 0x80, after which there is only garbage that crashes your program when executed as instructions.
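A quick way to catch this kind of typo before assembling is to decode the push immediates back into the string they build on the stack and compare it against the intended path. The helper below is an added example, not code from the question or the answer; the function names are mine, and the immediates fed to it are the ones from the listing above.

```python
import re
import struct


def decode_pushes(immediates):
    """Recover the string that a sequence of `push imm32` instructions
    (given in push order) leaves on the stack.

    The stack grows downwards, so the LAST dword pushed sits at the lowest
    address and is the START of the string; each dword is little-endian,
    so its low byte is the first character of its 4-byte chunk.
    """
    data = b"".join(struct.pack("<I", imm) for imm in reversed(immediates))
    return data.split(b"\x00", 1)[0].decode("ascii")


def encode_path(path):
    """Turn an absolute path into `push imm32` immediates, in push order.

    The textbook trick is used: extra '/' characters are inserted before the
    last path component so the total length is a multiple of 4 (the kernel
    collapses repeated slashes, so "/bin//sh" still names /bin/sh).
    The caller must push a zero dword first to NUL-terminate the string.
    """
    if not path.startswith("/"):
        raise ValueError("need an absolute path")
    pad = (-len(path)) % 4
    last_slash = path.rfind("/")
    padded = path[:last_slash] + "/" * pad + path[last_slash:]
    chunks = [padded[i:i + 4] for i in range(0, len(padded), 4)]
    # Push order is the reverse of memory order.
    return [struct.unpack("<I", c.encode("ascii"))[0] for c in reversed(chunks)]


def builds_path(immediates, intended):
    """True if the pushed string resolves to `intended` once repeated
    slashes are collapsed, i.e. execve would look up the right file."""
    return re.sub(r"/+", "/", decode_pushes(immediates)) == intended


if __name__ == "__main__":
    # Immediates from the listing in the question, in push order.
    posted = [0x68732F2F, 0x6E692F2F]
    print(decode_pushes(posted), builds_path(posted, "/bin/sh"))
    print([hex(i) for i in encode_path("/bin/sh")])
```

Running it prints the path the posted code actually passes to execve, reports that it does not resolve to /bin/sh, and shows the immediates that would.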