
Before anyone suggests the cdecl tool, I have already tried it. Strangely enough, most of the statements queried are returned with a syntax error warning.

Below is a C program I found online that does nothing but run a piece of shellcode.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv) {
    /* machine-code bytes stored in an ordinary char array */
    char shellcode[] = "\xb0\x01\x31\xdb\xcd\x80";

    /* func: pointer to a function (unspecified arguments) returning int */
    int (*func)();

    /* reinterpret the address of the array as a function address */
    func = (int (*)()) shellcode;
    /* call through the pointer; the int result is discarded */
    (int)(*func)();

    return 0;
}

The program works as intended, but the C syntax is among the strangest I have ever seen. I will try to interpret it as best I can.

int (*func)();

This statement declares func as a pointer (indicated by '*') to a function (indicated by '()') that returns an int.

func = (int (*)()) shellcode;

This statement typecasts the shellcode array as a pointer (indicated by '(*)') to a function (indicated by '()') that returns an int and assigns the pointer to func.

(int)(*func)();

This final statement executes the function (indicated by '()') pointed to by the pointer func (indicated by '(*func)') and typecasts the result as an integer.

I think that is what is going on here. If anyone more experienced with C sees any mistakes with my interpretations or can provide an alternative or more educational interpretation, I very much welcome your input.

I have never written variable initializations or function calls like this, so I am still quite confused about the syntax displayed. If you have a more readable way to write the code above, please also provide input.

Thank you.

haccks
AK-33
  • That seems about right, – Some programmer dude Feb 23 '15 at 05:54
  • What? First of all, that code wouldn't even compile because the string is malformed. Second of all, there is no way that code would run without a segmentation fault of some sort. This is because: a. you're executing code in data space. b. the "code" is garbage. It's not real code. – thang Feb 23 '15 at 05:55
  • I obscured the actual shellcode (as indicated by the '...'). The program compiles successfully but does cause a seg fault. Just so you know, once the shellcode is executed, it sets certain CPU registers to particular values, which then reveal certain information when examined in GDB. I cannot reveal the purpose of the shellcode. And yes, this is also the worst use of pointers I have seen as well; hence the request for more expert input. – AK-33 Feb 23 '15 at 06:03
  • Nope. It doesn't compile. Tried it just now: error: \x used with no following hex digits – thang Feb 23 '15 at 06:06
  • @thang, `I obscured the actual shellcode ... ` – David Ranieri Feb 23 '15 at 06:11
  • "This statement typecasts the shellcode array as a pointer " - you're forgetting about (or didn't mention) array-pointer decay; the value being cast is the address of the first character in the array. – M.M Feb 23 '15 at 06:12
  • Pointer-to-function is assigned hex characters, then 'function' is called... Should we call this "Inline Machine Code"? – Nicolas Miari Feb 23 '15 at 06:15
  • possible duplicate of [What does this invocation of a char array cast as a function do?](http://stackoverflow.com/questions/28668138/what-does-this-invocation-of-a-char-array-cast-as-a-function-do) Funny, why did everyone read that article at the same time :-) – Ciro Santilli OurBigBook.com Aug 27 '15 at 14:57

1 Answer

That's all correct, although I don't get why it casts the return value to an int; my suspicion is that even whoever wrote that wasn't all that confident with C function pointer syntax.

In the real world you would probably see that code written using a typedef:

typedef int (*funcT)();          /* funcT: pointer to a function returning int */
funcT func = (funcT) shellcode;  /* cast the (decayed) array address to funcT */
(*func)();                       /* call through the pointer; result discarded */
Matteo Italia
  • I am also confused as to why the function call has been typecasted to int when this should have been rendered unnecessary after the declaration and assignment of func. – AK-33 Feb 23 '15 at 06:29
  • I suppose the `(int)` is to suppress a compiler warning about unused result of expression – M.M Feb 23 '15 at 06:54
  • @MattMcNabb in that case the idiomatic way would be to cast to void. – Matteo Italia Feb 23 '15 at 06:56
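As an added example (not code from the question or the answer), the program below exercises the same three constructs with an ordinary C function standing in for the shellcode, so nothing in a data buffer is ever executed: the typedef'd pointer type from the answer, the equivalent spellings of a call through the pointer (including the `(void)` cast the comments recommend), and the array-pointer decay M.M points out, i.e. that the cast operates on `&buffer[0]`. The names funcT, forty_two, buffer and the helper functions are assumptions of this example.

```c
#include <stdio.h>
#include <stdint.h>

/* Readable alias for the type the question spells out as int (*func)():
 * pointer to a function with unspecified arguments returning int. */
typedef int (*funcT)();

/* Ordinary function standing in for the shellcode (assumed name). It has a
 * real code address, so calling it through a funcT is well defined. */
static int forty_two(void) { return 42; }

/* Data buffer standing in for the shellcode array (constructed contents).
 * Only its address is taken below; it is never executed. */
static char buffer[] = "\x90\x90\x90";

/* The spellings of an indirect call are equivalent: *f yields the function
 * designator, which decays straight back to a pointer before the call. */
int call_three_ways(funcT f) {
    int a = (*f)();   /* style used in the question */
    int b = f();      /* usual modern spelling */
    int c = (**f)();  /* extra dereferences are legal but pointless */
    (void)f();        /* idiomatic way to discard an unused result */
    return a + b + c; /* 126 for forty_two */
}

/* The cast (funcT)buffer converts the decayed array, i.e. &buffer[0], not the
 * array object. Compare through uintptr_t because comparing a function pointer
 * with an object pointer directly is not portable C. */
int cast_uses_first_element(void) {
    funcT p = (funcT)buffer;
    funcT q = (funcT)&buffer[0];
    return (uintptr_t)p == (uintptr_t)q && (uintptr_t)p == (uintptr_t)buffer;
}

int main(void) {
    funcT func = forty_two;               /* no cast needed for a real function */
    printf("%d\n", call_three_ways(func));        /* 126 */
    printf("%d\n", cast_uses_first_element());    /* 1 */
    return 0;
}
```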