Questions tagged [shellcode]

A shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability.

Shellcodes get that name because they typically start a command shell from which the attacker can control the compromised machine. Shellcode is commonly written in machine code, but any piece of code that performs a similar task can be called shellcode. Because the function of a payload is not limited to merely spawning a shell, some have suggested that the name shellcode is insufficient.

Shellcode can either be local or remote, depending on whether it gives an attacker control over the machine it runs on (local) or over another machine through a network (remote).

681 questions
10 votes · 4 answers
Difference between buffer overflow and return-to-libc attack
I want to comprehend the exact difference between these two types of attack. From what I have read: Buffer Overflow: It overwrites the ret address on the stack to point to another section of the code where the malicious code is inserted. So…
asked by Hari (rep 5,057; badges 9 / 41 / 51)

10 votes · 5 answers
Perl's Pack('V') function in Python?
I've been working on some exploit development recently to get ready for a training course, and I've run into a problem with a tutorial. I've been following along with all the tutorials I can find, using Python as opposed to the language the…
asked by Schinza (rep 101; badges 1 / 4)

9 votes · 5 answers
Why do I get "Cannot find bound of current function" when I overwrite the ret address of a vulnerable program?
I want to exploit a stack-based buffer overflow for education purposes. There is a typical function called with a parameter from main, which is given as input from the program a local buffer where the parameter is saved. Given an input such that…
asked by curious (rep 1,524; badges 6 / 21 / 45)

9 votes · 1 answer
Why does a return-to-libc shell using system() exit immediately?
I'm experimenting with control-flow hijacking attacks on programs written in C on Linux. I'm trying to perform a simple ret-2-libc attack on a program with the No-eXecutable-stack countermeasure enabled. For this purpose I'm returning to system()…
asked by Seyed Mohammad (rep 798; badges 10 / 29)

9 votes · 4 answers
Why am I getting a segmentation fault? (Testing Shellcode)
I wrote a simple ASM file and ran it in a C file I'd written. I got a segmentation fault. However, when I execute the compiled ASM file, I get no error. I am running 64 bit and using 32 bit shellcode. Is that the issue? It can't be, because I'm…
asked by Goodies (rep 4,439; badges 3 / 31 / 57)

9 votes · 2 answers
Simple buffer overflow and shellcode example
I've been trying to run Aleph One's example in order to get a BOF and open a shell. This is Aleph One's paper: http://insecure.org/stf/smashstack.html And this is the simple C code (located nearly at the half of the paper): char shellcode[]…
asked by Jjang (rep 11,250; badges 11 / 51 / 87)

9 votes · 2 answers
Writing shellcode: why won't my shellcode work?
I'm currently writing a shellcode that exploits a target program that uses the puts function. The program looks like this: #include main() { char buf[123]; puts(gets(buf)); } What I want to do is overflow this buffer and invoke…
asked by Gnijuohz (rep 3,294; badges 6 / 32 / 47)

8 votes · 1 answer
Buffer overflow example from Art of Exploitation book
I was reading the book Art of Exploitation, which is a kinda good book, and I ran across this example from the exploit_notesearch.c file. Briefly, the author tries to overflow the program from notesearch.c int main(int argc, char *argv[]) { int userid,…
asked by Rustam Issabekov (rep 3,279; badges 6 / 24 / 31)

8 votes · 1 answer
What is the proper way to call execve with arguments in assembly?
I am trying to execute the following with execve: /bin//nc -lnke /bin/bash -p 4444 When reading the man page for execve, I see the following requirements: int execve(const char *filename, char *const argv[], char *const…
asked by user1529891

8 votes · 1 answer
Executing shellcode in shared memory with mmap
I'm trying to place and execute program code in a shared-memory region. Initializing and allocating the shared memory as well as copying the shellcode into the "new" memory works as intended, but as soon as I try to execute it, it doesn't work.…
asked by Marvin (rep 133; badges 1 / 9)

8 votes · 4 answers
Using buffer overflow to execute shellcode
I've been learning computer security lately and have come across a couple of problems, and I'm having some trouble with this one in particular. I'm given a function with a fixed buffer I need to overflow in order to execute shellcode in the file shellcode.…
asked by Syntactic Fructose (rep 18,936; badges 23 / 91 / 177)

8 votes · 2 answers
The Art of Compiler on Buffer Overflow
The modern compiler GCC is so powerful that it can even prevent buffer overflow in the compilation phase so that the OS cannot run code on the stack. For example: void function(char *str) { char buffer[16]; strncpy(buffer, str, 256); } void…
asked by JustForTest (rep 289; badges 2 / 13)

7 votes · 2 answers
Execute shellcode by casting to function pointer in Visual C++
In gcc this works fine. The code goes something like: unsigned char b[50] = "\xda\xd1 ... \x0"; //some shellcode with terminating \x0 ( (void(*)())b )(); //cast b to function pointer from void to void, then run it But when this is put in Visual…
asked by jcai (rep 3,448; badges 3 / 21 / 36)

7 votes · 2 answers
NULL-free shellcode
I am trying to convert an assembly program I wrote into NULL-free shellcode. However, I am unsure how to go about this for certain instructions. Some of them (in Intel syntax) include: push 0x1000 and mov BYTE [eax],0x31 I want to avoid using…
asked by cytinus (rep 5,467; badges 8 / 36 / 47)

7 votes · 3 answers
Why use push/pop instead of mov to put a number in a register in shellcode?
I have some sample code from a shellcode payload showing a for loop and using push/pop to set the counter: push 9 pop ecx Why can it not just use mov? mov ecx, 9
asked by Hawke (rep 564; badges 4 / 19)