1

Currently I am studying system exploit, and find some interesting system exploit called buffer overflow using shellcode. I wrote shellcode terminating current process using exit(0) systemcall. Below, there is my code.

#include <stdio.h>

char shell[100] =
       "\xb0\x01"      // mov al, 1
       "\x31\xdb"      // xor ebx, ebx
       "\xcd\x80"    ; // int 0x80

int main() {
    ((void(*)())shell)();
    printf("this not should be printed\n");
    return 0;
}

After writing code above, I compiled with gcc using -m32 flag for compiling x86 architecture(My CPU Architecture is AMD x86_64), and using -fno-stack-protector, -z execstack to make .data, .rodata, and stack section executable. So the command for compiling is like this.

gcc -m32 -fno-stack-protector -z execstack -o shellcode shellcode.c.

And after that, I execute the test program (shellcode.c), but, result says there is segmentation fault (Even having compiled with memory protection!!). Here is the result:

zsh: segmentation fault ./shellcode

So, I double-checked shellcode binary using checksec, readelf. First readelf says .rodata, .data, .bss section is unexecutable. Like this.

Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  PHDR           0x000034 0x08048034 0x08048034 0x00160 0x00160 R   0x4
  INTERP         0x000194 0x08048194 0x08048194 0x00013 0x00013 R   0x1
      [Requesting program interpreter: /lib/ld-linux.so.2]
  LOAD           0x000000 0x08048000 0x08048000 0x002e8 0x002e8 R   0x1000
  LOAD           0x001000 0x08049000 0x08049000 0x0022c 0x0022c R E 0x1000
  LOAD           0x002000 0x0804a000 0x0804a000 0x00190 0x00190 R   0x1000
  LOAD           0x002f0c 0x0804bf0c 0x0804bf0c 0x00198 0x0019c RW  0x1000
  DYNAMIC        0x002f14 0x0804bf14 0x0804bf14 0x000e8 0x000e8 RW  0x4
  NOTE           0x0001a8 0x080481a8 0x080481a8 0x00044 0x00044 R   0x4
  GNU_EH_FRAME   0x002024 0x0804a024 0x0804a024 0x00044 0x00044 R   0x4
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x10
  GNU_RELRO      0x002f0c 0x0804bf0c 0x0804bf0c 0x000f4 0x000f4 R   0x1

As you can see above, stack became executable. But, not .data, .rodata, and .bss section. Below there is extra information about memory protection of shellcode (using checksec).

ELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable     FILE
Partial RELRO   No canary found   NX disabled   No PIE          No RPATH   No RUNPATH   65) Symbols       No    0               0               ./shellcode

As you can see, there is no stack-canary, NX Bit set... But, shellcode program continues to segmentation fault.... What is Wrong with this...??/??

P.S I' am using kali linux 2021.02

U. Windl
  • 3,480
  • 26
  • 54
Woo
  • 15
  • 3
  • Your code is not on the stack; it's static. – U. Windl Aug 09 '21 at 07:45
  • Yeah, I know that. But, most of shellcode declare char array(for shellcode) on global scope.. And they say it is working perfect.. but, not in my case. Why some of people says it works perfect only using ```-z execstack``` and ``` -fno-stack-protector```, but not me... Visit this site http://shell-storm.org/shellcode/files/shellcode-226.php. Most of code in Shell Storm declares char array on .data, .bss section on global scope – Woo Aug 10 '21 at 03:59
  • Maybe start with a working example. IMHO `-z execstack` makes a difference once your code is on the stack, and `-fno-stack-protector` should be the default anyway. When doing some buffer overflow on the stack, the stack protector *might* interfere (meaning: it might be too late then). – U. Windl Aug 10 '21 at 06:44

1 Answers1

1

The title says "execstack not applied at .rodata, .data, or .bss sections".

That's correct: execstack is a linker flag that "Marks the object as requiring executable stack."

It does nothing about .data, .bss or .rodata.

When I run your program (on x86_64), I get:

(gdb) r
Starting program: /tmp/foo 
Missing separate debuginfos, use: zypper install glibc-debuginfo-2.31-7.30.x86_64

Program received signal SIGSEGV, Segmentation fault.
0x0000000000601040 in shell ()
(gdb) bt
#0  0x0000000000601040 in shell ()
#1  0x0000000000400517 in main () at foo.c:9
(gdb) disassemble /s 0x0000000000601040
Dump of assembler code for function shell:
=> 0x0000000000601040 <+0>: mov    $0x1,%al
   0x0000000000601042 <+2>: xor    %ebx,%ebx
   0x0000000000601044 <+4>: int    $0x80
   0x0000000000601046 <+6>: add    %al,(%rax)
   0x0000000000601048 <+8>: add    %al,(%rax)
...

However when I change the code to this:

include <stdio.h>
  
int main() {
        char shell[100] =
               "\xb0\x01"      // mov al, 1
               "\x31\xdb"      // xor ebx, ebx
               "\xcd\x80"    ; // int 0x80

    ((void(*)())shell)();
    printf("this not should be printed\n");
    return 0;
}

Execution without -z execstack also gets SIGSEGV, but with the option it just exits (with zero):

(gdb) r
Starting program: /tmp/foo 
Missing separate debuginfos, use: zypper install glibc-debuginfo-2.31-7.30.x86_64

Program received signal SIGSEGV, Segmentation fault.
0x00007fffffffdd50 in ?? ()
(gdb) bt
#0  0x00007fffffffdd50 in ?? ()
#1  0x000000000040054e in main () at foo.c:9
(gdb) disassemble /s 0x00007fffffffdd50
No function contains specified address.
### "make CFLAGS="-Wall -g -zexecstack"  foo"
Starting program: /tmp/foo 
Missing separate debuginfos, use: zypper install glibc-debuginfo-2.31-7.30.x86_64
[Inferior 1 (process 24663) exited normally]
(gdb) q
U. Windl
  • 3,480
  • 26
  • 54
  • Thanks for your answer...!!!! Well, but I still wonder why shellcodes on shell strom( http://shell-storm.org/shellcode/files/shellcode-226.php), declares char array(for shellcode) on global scope??, Even if it's not working. – Woo Aug 10 '21 at 09:26
  • Also, this is exact example on youtube that shellcode on global scope works without ```segmentation fault ``` (https://www.youtube.com/watch?v=eJWlg-VoCBg) (02:15~05:05). I mimic the example on the video, but, still the example results in ```segmentation fault``` – Woo Aug 10 '21 at 09:33
  • @Woo So maybe ask the author of the youtube video. Maybe it's just a fake (like https://www.youtube.com/watch?v=ULHpxb_34Dg (German)). – U. Windl Aug 10 '21 at 14:44