I am following the classic paper Smashing The Stack For Fun And Profit alongside "Smashing the Stack in 2011". Despite all the Q&As about these papers, I cannot find an answer to my problem.
I am trying to run a simple exit(0) command but with a call and jmp similar to shellcodeasm.c in "Smashing The Stack For Fun And Profit" so I can follow the paper to the end (I managed to get this to work when I removed the call and jmp). Clearly my following shellcodeasm.c doesn't open a shell but I am keeping to the names in "Smashing The Stack For Fun And Profit" so my process is easier to follow.
shellcodeasm.c
void main() {
__asm__("jmp 0xd \n \
popl %esi \n \
movl $0x1,%eax \n \
movl $0x0, %ebx \n \
int $0x80 \n \
call -0x12 \n \
.string \"/bin/sh\" ");
}
Running gcc -o shellcodeasm -g -ggdb shellcodeasm.c
and using gdb to get the hex from main+3 to the end of main (as in the paper), I can generate my testsc.c
testsc.c
char shellcode[] =
"\xe9\x29\x7c\xfb\xf7\x5e\xb8\x01\x00\x00\x00\xbb\x00"
"\x00\x00\x00\xcd\x80\xe8\xf8\x7b\xfb\xf7\x2f\x62\x69"
"\x6e\x2f\x73\x68\x00\x5d\xc3";
void main() {
int *ret;
ret = (int *)&ret + 2;
(*ret) = (int)shellcode;
}
I can then compile and run it using the techniques in "Smashing the Stack in 2011"
gcc -o testsc testsc.c -fno-stack-protector
execstack -s testsc
./testsc
But unfortunately I get a segmentation fault (as there are no buffer overflows here I guess -fno-stack-protector is not necessary but it doesn't work when I remove it either).
Does anyone know what I am not understanding/missing?
The output of uname -a is:
Linux core 3.2.0-4-686-pae #1 SMP Debian 3.2.73-2+deb7u3 i686 GNU/Linux
and the output of gcc -v is:
gcc version 4.7.2 (Debian 4.7.2-5)
I hope I have given all the relevant info.
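As an added illustration (not part of the question or of either paper), this script decodes the two rel32 branches in the bytes from testsc.c and resolves where they land, then compares that with the displacements an in-buffer jmp/call pair would need. ASSUMED_ORIGIN (the address of main+3 in the shellcodeasm binary) is an assumption, since the question does not state it; it shifts the absolute numbers but not the result.

```python
import struct

# Constructed from the bytes in the question's testsc.c (main+3 to end of main).
SHELLCODE = (
    b"\xe9\x29\x7c\xfb\xf7\x5e\xb8\x01\x00\x00\x00\xbb\x00"
    b"\x00\x00\x00\xcd\x80\xe8\xf8\x7b\xfb\xf7\x2f\x62\x69"
    b"\x6e\x2f\x73\x68\x00\x5d\xc3"
)

# Assumption: address of main+3 in the shellcodeasm binary (not given in the
# question). It changes the absolute targets below, never the conclusion.
ASSUMED_ORIGIN = 0x080483DF

# Minimal length table for the opcodes the question's asm actually emits.
# Any other byte (here the "/bin/sh" string) ends decoding: it is data.
_LENGTHS = {0xE9: 5, 0xE8: 5, 0xCD: 2, 0xC3: 1}
_LENGTHS.update({op: 1 for op in range(0x58, 0x60)})  # pop r32
_LENGTHS.update({op: 5 for op in range(0xB8, 0xC0)})  # mov imm32, r32


def decode_branches(code, origin):
    """Walk the buffer linearly and resolve every E8/E9 rel32 branch.

    Returns (offset, mnemonic, disp, target, inside_buffer) per branch.
    A rel32 target is the address of the *next* instruction plus the
    signed 32-bit displacement, wrapped to 32 bits.
    """
    found, off = [], 0
    while off < len(code) and code[off] in _LENGTHS:
        op, length = code[off], _LENGTHS[code[off]]
        if op in (0xE8, 0xE9):
            disp = struct.unpack_from("<i", code, off + 1)[0]
            target = (origin + off + length + disp) & 0xFFFFFFFF
            inside = 0 <= target - origin < len(code)
            found.append((off, "call" if op == 0xE8 else "jmp", disp, target, inside))
        off += length
    return found


def rel32_for(from_off, to_off, length=5):
    """Displacement a 5-byte rel32 jmp/call at from_off needs to reach to_off."""
    return to_off - (from_off + length)


if __name__ == "__main__":
    for off, mn, disp, target, inside in decode_branches(SHELLCODE, ASSUMED_ORIGIN):
        print(f"{mn} at +{off}: disp={disp:#x} target={target:#010x} inside={inside}")
    # The operands written in the question (0xd, -0x12) are exactly the
    # displacements an in-buffer jmp (+0 -> call at +18) and call (+18 ->
    # popl at +5) would need; GAS assembled them as absolute addresses instead.
    print(hex(rel32_for(0, 18)), hex(rel32_for(18, 5)))
```

The decoded targets (0xd and 0xffffffee with the assumed origin) lie outside the copied bytes at any load address, which is why the jump in testsc faults before the int $0x80 is ever reached.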