Closed system shellcode experimentation (segfault)

Question

I am taking an online software security course. I am attempting to experiment with shellcode. I have written a vulnerable server, an injection program, a (probably broken) shellcode I convert to assembly, that I then strip with a python script. I then compile and run everything with a shell script. I am including all of my files, even though I am pretty sure I am not making the shellcode binary properly.

vulnerable.c

#include <errno.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>


int main(void) {
    int sd, sdc, addrsize, ret, i;
    struct sockaddr_in addr;
    char exec[1024], buf[128];
    void (*fn)(void);
    const short family = AF_INET;

    fn = (void (*)(void))exec;
    addrsize = sizeof(struct sockaddr_in);
    sd = socket(family, SOCK_STREAM, IPPROTO_TCP);
    if (sd < 0) {
        perror("socket");
        return 1;
    }
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = INADDR_ANY;
    addr.sin_port = htons(8000);
    if (bind(sd, (struct sockaddr *) &addr, 
            sizeof(addr)) < 0) {
        perror("bind");
        return 2;
    }
    listen(sd, 1);
    sdc = accept(sd, (struct sockaddr *)&addr, &addrsize);
    i = 0;
    do {
        i += ret = read(sdc, buf, 128);
        memcpy(exec + i, buf, ret);
    } while (ret > 0);
    close(sd);
    fn();
    return 0;
}

inject.c

#include <sys/socket.h>
#include <string.h>
#include <netinet/in.h>
#include <errno.h>
#include <stdlib.h>
#include <stdio.h>

int main(void) {
    int sd, fd, ret, buflen = 128;
    struct sockaddr_in addr;
    FILE *f;
    const char fname[] = "shellcode";
    char buf[buflen];
    const short family = AF_INET;
    const char host[] = "127.0.0.1";

    f = fopen(fname, "r");
    fd = fileno(f);

    sd = socket(family, SOCK_STREAM, IPPROTO_TCP);
    if (sd < 0) {
        perror("socket");
        return 1;
    }
    memset(&addr, 0, sizeof(struct sockaddr_in));
    addr.sin_family = family;
    addr.sin_port = htons(8000);
    inet_pton(family, host, &(addr.sin_addr.s_addr));
    ret = connect(sd, (struct sockaddr*)&addr, sizeof(struct sockaddr));
    if (ret < 0) {
        perror("connect");
        return 2;
    }
    do {
        ret = read(fd, buf, buflen);
        if (write(sd, buf, ret) != ret)
            perror("write");
    } while (ret > 0);
    close(fd);
    close(sd);
    return 0;
}

shellcode.c

void shellcode(void) {
    char sz[6] = { 'h', 'e', 'l', 'l', 'o', '\0' };
    write(1, sz, 6);
}

stripshellcode.py

copy = False
outf = open("shellcode-stripped.s", "w")
for line in open("shellcode.s").read().split("\n"):
    if copy:
        outf.write(line + "\n")
    if "shellcode:" in line:
        copy = True
    elif "ret" in line and copy:
        copy = False
outf.close()

make.sh

gcc -S shellcode.c && \
python stripshellcode.py && \
gcc -c shellcode-stripped.s -o shellcode && \
gcc inject.c -o inject && \
gcc vulnerable.c -o vulnerable && \
./vulnerable & ./inject

output

$ sh make.sh
make.sh: line 6: 13905 Segmentation fault      ./vulnerable

Where am I going wrong in this experimental process?

EDIT:

I should note by "closed system" I mean this is being executed in a virtual machine (check the bind address), and also it means some of the variables are hard-coded in a dependent way for brevity and ease.

OT. Do you mind sharing the course details? – Eugene Sh. Jun 12 '15 at 20:57 — Eugene Sh., Jun 12 '15 at 20:57
@EugeneSh. https://www.coursera.org/course/softwaresec – motoku Jun 12 '15 at 20:59 — motoku, Jun 12 '15 at 20:59
Thank you. It might be interesting.. – Eugene Sh. Jun 12 '15 at 21:00 — Eugene Sh., Jun 12 '15 at 21:00
It's not part of an assignment. – motoku Jun 12 '15 at 21:00 — motoku, Jun 12 '15 at 21:00

Nick Zavaritsky · Accepted Answer · 2015-06-12T22:31:59.530

This doesn't work because shellcode file is an object file. It is an intermediate file format meant for linker consumption. Treating it as a sequence of instructions is plain wrong. Object file contains code, among other things. However this code is incomplete. When a code references a symbol, like write, a placeholder is inserted instead of the address. It is the job of a linker to stitch several object files plus libraries together, to lay out code in memory effectively assigning addresses to symbols and finally patching placeholders.

Even if an executable file was produced it still wouldn't work because the modern executable formats require a loader to run. Basically a loader reads metadata stored in executable, maps several sections from the file into memory, adjusts things and finally transfers control to an entry point defined by metadata.

I think there are several working approaches to make a shellcode.

Encode the assembly sequence manually.
Use a tool to do the encoding for you.
Research object file format and extract the code, I assume objdump can do it for you.
Ask a linker to produce executable file in a format that doesn't require a loader to run.

Reading other answers I realized that the failure actually happens earlier - exec buffer is allocated on stack and stack memory protection attributes explicitly denies execution. This protection could be turned off with say execstack utility on Linux.

score 0 · Answer 2 · answered Jun 12 '15 at 22:02

As far as I understood you are trying to use a buffer overflow to inject a shell script. Compilers add protections around the buffer in order to prevent what you are trying to do. You should disable them when compiling the vulnerable application.

I did a similar experiment and I use this options:

badbuf: vulnerable.c
    $(CC) -g -Wall -fno-stack-protector -o badbuf  vulnerable.c

Closed system shellcode experimentation (segfault)

2 Answers2