im new at shellcoding i try to write a shellcode for ( hello world ) so this is my first code with nulled bytes :
global _start
section .text
_start: ;tell linker entry point
mov edx,len ;message length
mov ecx,msg ;message to write
mov ebx,1 ;file descriptor (stdout)
mov eax,4 ;system call number (sys_write)
int 0x80 ;call kernel
mov eax,1 ;system call number (sys_exit)
int 0x80 ;call kernel
section .data
msg db 'Hello, world!',0xa ;our dear string
len equ $ - msg ;length of our dear string
and this is my second code after i remove null x00 !!
global _start
section .text
_start:
;tell linker entry point
xor edx,edx
mov dl,len ;message length
mov ecx,msg ;message to write
xor ebx,ebx
mov bl,1 ;file descriptor (stdout)
xor eax,eax
mov al,4 ;system call number (sys_write)
int 0x80 ;call kernel
xor eax,eax
mov al,1 ;system call number (sys_exit)
int 0x80 ;call kernel
section .data
msg db 'Hello, world!',0xa ;our dear string
len equ $ - msg ;length of our dear string
i compile it to test by :
nasm -f elf32 -o hello-without-null.o hello-without-null.asm
ld -o hello-without-null hello-without-null.o
its work when i run it ./hello-without-null
than i used : objdump -d hello-without-null -M intel
and this is the result :
Disassembly of section .text:
08048080 <_start>:
8048080: 31 d2 xor edx,edx
8048082: b2 0e mov dl,0xe
8048084: b9 9c 90 04 08 mov ecx,0x804909c
8048089: 31 db xor ebx,ebx
804808b: b3 01 mov bl,0x1
804808d: 31 c0 xor eax,eax
804808f: b0 04 mov al,0x4
8048091: cd 80 int 0x80
8048093: 31 c0 xor eax,eax
8048095: b0 01 mov al,0x1
8048097: cd 80 int 0x80
then i convert it to shellcode by :
objdump -d ./hello-without-null|grep '[0-9a-f]:'|grep -v 'file'|cut
-f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
the output is :
"\x31\xd2\xb2\x0e\xb9\x9c\x90\x04\x08\x31\xdb\xb3\x01\x31\xc0\xb0\x04\xcd\x80\x31\xc0\xb0\x01\xcd\x80"
when i test it i got this error :
Shellcode Length: 25 Segmentation fault (core dumped)
my c code for testing :
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x31\xd2\xb2\x0e\xb9\x9c\x90\x04\x08\x31\xdb\xb3\x01\x31\xc0\xb0\x04\xcd\x80\x31\xc0\xb0\x01\xcd\x80";
int main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
so what is the problem ?? and how i can solve it ?
i solve it by changing
char shellcode[]
to
const char shellcode[]
and using using the JMP/CALL/POP method
Related
Trying to display the date and it tells me I need a coma after the operand in line 16
section .text
global _start ;must be declared for using gcc
_start: ;tell linker entry point
mov edx, len ;message length
mov ecx, msg ;message to write
mov ebx, 1 ;file descriptor (stdout)
mov eax, 4 ;system call number (sys_write)
int 0x80 ;call kernel
mov eax, 1 ;system call number (sys_exit)
int 0x80 ;call kernel
section .data
msg db 'Hello, world!',0xa ;our dear string
len equ $ - msg ;length of our dear string
dt db __DATE__ ,0xa
len2 equ $ - dt
global _start
section .data
var dq 12494F04A6344129h
msg db "The number of times 4 present in the given number"
len equ $-msg
novar db 00
section .bss
section .text
mov dl,0Ah
mov cl,10
_start :
mov rsi,var
up: mov al,byte ptr [rsi]
mov ah,00
div dl
cmp ah,04
je dn
jne dn1
dn: inc byte[novar]
dn1: inc rsi
dec cl
jne up
jmp exit
exit: mov eax,4
mov ebx,1
mov ecx,msg
mov edx,len
int 80h
mov eax,4
mov ebx,1
mov ecx,novar
mov edx,1
int 80h
mov eax,1
mov ebx,0
int 80h
Nasm doesn't use "ptr" - that won't even assemble.
The first two lines - above the _start: label - are never executed, so those registers are never initialized. That's probably what causes the exception. dl is probably zero!
len is fine - it's an equate, not a variable.
You probably want to add the character '0' to novar before printing it.
None of this looks useful to me. Are you sure this is the question you're trying to answer, #Shubham Satpute?
I'm trying to get information about file permissions. I am using the sys_access system call. Here is my code snippet:
mov eax, 33
mov ebx, fileName
mov ecx, 1
int 80h
cmp eax, 0
jl .error
If eax is -1 there is an error, and I am not getting one, but I need to check all the permissions of the file (owner, group, others). How do I do that?
You can use the kernel function sys_newstat (No. 106 - look at this table) to get the file permissions. The structure stat is a never ending horror, but the following example works at least on my Debian Wheezy 64 bit (NASM, 32-bit and 64-bit modes):
SECTION .data
filename db '/root' ; Just an example, can be replaced with any name
filename_len equ $ - filename ; Length of filename
db 0 ; Terminator for `Int 80h / EAX = 106`
perm_out db 'Permissions: '
perm db 'drwxrwxrwx'
perm_len equ $ - perm ; Index of last character in `perm`
lf db 10
perm_out_len equ $ - perm_out ; Length of `Permissions: ...\n`
SECTION .bss
stat resb 256 ; Way too much, but size is variable depending on OS
SECTION .text
global _start
_start:
mov eax,4 ; sys-out
mov edx,filename_len ; length of string to print
mov ecx,filename ; Pointer to string
mov ebx,1 ; StdOut
int 0x80 ; Call kernel
mov eax,4 ; sys-out
mov edx,1 ; Length of string to print
mov ecx, lf ; Pointer to string
mov ebx,1 ; StdOut
int 0x80 ; Call kernel
mov eax, 106 ; sys_newstat
mov ebx, filename ; Pointer to ASCIIZ file-name
mov ecx, stat ; Pointer to structure stat
int 80h
test eax, eax
jz .noerr
mov eax,1 ; sys_exit
mov ebx,1 ; Exit code, 1=not normal
int 0x80 ; Call kernel
.noerr:
movzx eax, word [stat + 8] ; st_mode (/usr/include/asm/stat.h)
mov ebx, perm_len
; rwx bits
mov ecx, 9
.L1:
sub ebx, 1
shr eax, 1
jc .J1
mov byte [perm + ebx], '-'
.J1:
loop .L1
; directory bit
sub ebx, 1
shr eax, 6
jc .J2
mov byte [perm + ebx], '-'
.J2:
mov eax,4 ; sys-out
mov edx,perm_out_len ; Length of string to print
mov ecx,perm_out ; Pointer to string
mov ebx,1 ; StdOut
int 0x80 ; Call kernel
mov eax,1 ; sys_exit
mov ebx,0 ; Exit code, 0=normal
int 0x80 ; Call kernel
I'm learning NASM now, linux system calls probably. I'm trying to copy a process and call linux utility, but have same troubles with execvp, I don't know how to pass arguments into it. How I can do this right?
SECTION .data
cmd_cat: db '/bin/cat', 0
arg_cat: db 'log.txt', 0
cat: dd cmd_cat, arg_cat, 0
fd1: dw 0, 0
pipe_error_message: db 'pipe error occured', 0xa
pipe_error_message_length: equ $ - pipe_error_message
fork_error_message: db 'fork error occured', 0xa
fork_error_message_length: equ $ - fork_error_message
SECTION .text
GLOBAL _start:
_start:
;call pipe(fd1)
;42 - pipe system call number
mov eax, 42
mov ebx, fd1
;call kernel to execute
int 080h
cmp eax, 0
jne pipe_error
;call pipe(fd2)
mov eax, 42
mov ebx, fd1
int 080h
cmp eax, 0
jne pipe_error
;fork()
mov eax, 2
int 080h
cmp eax, -1
je fork_error
jnz child_cat
call exit
;displays error message and finishes the programm when something is wrong with pipe
pipe_error:
mov edx, pipe_error_message_length
mov ecx, pipe_error_message
call sys_write
call exit
;displays error message and finishes the programm when something is wrong with fork
fork_error:
mov edx, fork_error_message_length
mov ecx, fork_error_message
call sys_write
call exit
;sys_write(unsigned int fd, const char __user *buf, size_t count);
sys_write:
mov ebx, 1
mov eax, 4
int 080h
;exit(0)
exit:
mov eax,1
mov ebx,0
int 080h
child_cat:
mov ebx, [fd1]
mov eax, 6
int 080h
;dup2(fds[1],1)
mov ecx, 1
mov ebx, [fds + 4]
mov eax, 63
int 080h
mov eax, 11
mov ebx, cmd_cat
mov ecx, cat
int 080h
The following code works for me in the gas assembler. I have explained what it does, so hopefully someone else can provide the nasm translation.
.text
.global _start
_start:
movl $0xb, %eax # system call 0xb (execve) goes in eax
movl $arg0, %ebx # put the _address_ of the command string
# in ebx (we are providing a pointer)
movl $ptrarray, %ecx # put the _address_ of the array of pointers
# to arguments in ecx (again, a pointer)
movl $0, %edx # put a literal zero in edx (we don't have
# environment variables to pass, so we give
# a null pointer)
int $0x80 # run the system call
.data
ptrarray: # This is the array of pointers to command line
# arguments
.long arg0, arg1, 0 # The first element is a _pointer_ to the command
# The second element is a _pointer_ to an argument
# The third is a null pointer to indicate no more
arg0: # This is the command string
.asciz "/bin/cat"
arg1: # This is the argument string
.asciz "file.txt"
I started learning how to write programs using the NASM assembly programming language. I wrote this simple program that prompts the user to enter two numbers and then adds the two operands together. I got it to compile with no errors or warnings, but when it prompts the user for the two numbers and it begins to add the two numbers it prints out segmentation fault and program ends. I know a segmentation fault is the equivalent to an access reading / writing violation exception in the Win32 world. But, because I don't know how to debug NASM code; I can't figure out what is wrong. I suspect it has to do with an invalid pointer; but I don't know. Here is the code below:
section .data
msg1: db 'Please Enter A Number: ', 0
length1: equ $ - msg1
msg2: db 'Please Enter A Second Number: ', 0
length2: equ $ - msg2
section .bss
operand1: resb 255
operand2: resb 255
answer: resb 255
section .text
global _start
_start:
; Print first message
mov eax, 4
mov ebx, 1
mov ecx, msg1
mov edx, length1
int 80h
; Now read value
mov eax, 3
mov ebx, 1
mov ecx, operand1
mov edx, 255
int 80h
; Print second message
mov eax, 4
mov ebx, 1
mov ecx, msg2
mov edx, length2
int 80h
; Now read second value
mov eax, 3
mov ebx, 1
mov ecx, operand2
mov edx, 255
int 80h
; Now add operand1 and operand2 and print answer
mov eax, 4
mov ebx, 1
xor ecx, ecx ; Make the ecx register 0
mov ecx, operand1
add ecx, operand2
mov edx, 510
int 80h
(Aside: you should be reading from STDIN_FILENO = 0, not STDOUT_FILENO = 1. Also, you're writing a NUL character and you shouldn't.)
The problem is that operand1 and operand2 are addresses to memory locations holding characters you've read. When you add them, you get a pointer to invalid memory.
You'll have to convert them to integers, add them, and convert back to a string, before you can write it out.
Value in ecx is an address of string that is to be printed when you call int 80h. Last part does not make sense
mov eax, 4
mov ebx, 1
xor ecx, ecx ; Make the ecx register 0
mov ecx, operand1
add ecx, operand2 ; **<<< invalid memory address now in ECX !!!**
mov edx, 510
int 80h
because you are adding address of string operand1 and address of string operand2 and trying to print whatever is located ant resulting address which is most likely points to nowhere.
To debug your program with gdb you can do:
nasm -f elf64 -g -l q1.lst q1.asm
gcc -o q1 q1.o
I replaced the "_start" with "main" so that gcc won't complain, and you can skip the 64 in "-f elf64" if you are building on 32 bit platform.
gdb q1
Here is an example f gdb session:
(gdb) br main
Breakpoint 1 at 0x4004d0: file q1.asm, line 20.
(gdb) r
Starting program: /home/anonymous/Projects/asm/q1
Breakpoint 1, main () at q1.asm:20
20 mov eax, 4
(gdb) n
21 mov ebx, 1
(gdb) n
22 mov ecx, msg1
(gdb) n
23 mov edx, length1
(gdb) p msg1
$1 = 1634036816
(gdb)