
I would like to override the interrupt vector number, so I tried to do this:

section .text

global _start

_start:

mov al, 0x7f
inc al                          ; al = 0x80, built without a literal 0x80 byte in the code
mov byte [ override + 1 ] , al  ; patch the imm8 of "int 0x20" below from 0x20 to 0x80 (this store is where it faults)

mov eax, 1                      ; sys_exit
mov ebx, 1                      ; exit status

override: 
int 0x20                        ; meant to run as "int 0x80" after the patch above

This code should simply call the syscall exit. But when I execute it, I get a Segmentation fault.

I don't understand why, because [ override + 1 ] should be the address of 0x20, and al is 1 byte big and I also made a typecast to byte, so they are the same size.

GDB says it happens at this line:

mov byte [ override + 1 ] , al

What is the problem here? How can it be solved?

I compile and link like this:

nasm -f elf test.asm
ld -m elf_i386 -o test test.o
  • There's a good chance that your text segment is read-only. – Michael Dec 06 '15 at 15:05
  • This is known as "self-modifying code", which is prevented in most environments, unless you make some OS-specific calls to allow it (typically you copy the code to somewhere writeable, modify it, and then mark it as executable). – Paul R Dec 06 '15 at 15:07
  • @Michael Is there a special segment, where I can also write? Or how can I change the text segment to be read- and writeable? – Krupuk Dec 06 '15 at 15:08
  • @PaulR Could you then please help me with an answer at my other question: http://stackoverflow.com/questions/34110045/shellcode-without-x80/ – Krupuk Dec 06 '15 at 15:10
  • @PaulR "typically you copy the code to somewhere writeable, modify it, and then mark it as executable" If you mark the code then as executable, who will in the end execute it? My two questions are regarding shellcode. – Krupuk Dec 06 '15 at 15:35
  • You can create a writable section as per [my answer here](http://stackoverflow.com/a/21853226/547981). – Jester Dec 06 '15 at 15:45
  • @Jester Thank you, this worked on my computer! But it didn't change the machine code, so if I let another computer execute the machine code (I'm talking of shellcode) then it will not work for him, right? – Krupuk Dec 06 '15 at 16:38
  • @Krupuk: Your code changes the machine code stored in RAM. Unless you mmap the executable read-write and make the change there, the change won't affect the copy on disk. – Peter Cordes Dec 06 '15 at 17:31
  • @PeterCordes Oh, I see. So I also cannot mov 0x80 to an address which is outside of my shellcode? My last idea was to write the machine code of int 0x80 to an address outside of my shellcode, so I will not modify any of my machine code. And then I make a call to that address. Will this also not work? Or do you have any other idea for working shellcode without \x80? – Krupuk Dec 06 '15 at 17:37
  • @Krupuk: your self-modifying-code idea looks fine for avoiding certain bytes in shellcode. I don't know what you meant by "it didn't change the machine code". I thought you meant it didn't change the file on disk; that's what I was talking about with using `mmap`. If you can get a chunk of data to be run as code, that's usually only possible if it's mapped read, write AND execute. Testing it as a normal program is the problem. Also, if the shellcode only needs to run once, you could make it smaller with `add byte [override+1], 0x60` to change it from `int 0x20` to `int 0x80`. – Peter Cordes Dec 06 '15 at 18:01
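The route Paul R and Jester describe in the comments (put the code somewhere writable, patch it, then make it executable), as an added example in C on Linux. This is not part of the original question or of any answer on the page: the function names (`build_patch_run`, `mapping_perms`, `text_is_writable`) and the tiny "return a constant" machine-code stub are my own, and the stub's immediate stands in for the 0x20 the asker wanted to overwrite with 0x80. `mapping_perms` is the check the asker could have run first: it reads the permissions of the mapping that contains an address from `/proc/self/maps`, and for the program's own code it reports the read-only mapping behind the segfault.

```c
/* Added example, not the asker's code: self-modifying code done as the
 * comments suggest. Build in a RW page, patch, flip to RX, run. Linux only
 * because of /proc/self/maps; the stub is written for x86 and aarch64. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef int (*ret_const_fn)(void);

/* Template "return <imm>" with the immediate left as 0. That 0 plays the role
 * of the 0x20 in the asker's "int 0x20" which should become 0x80 at run time. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char stub[] = { 0xB8, 0x00, 0x00, 0x00, 0x00,   /* mov eax, imm32 */
                                      0xC3 };                         /* ret            */
#elif defined(__aarch64__)
static const unsigned char stub[] = { 0x00, 0x00, 0x80, 0x52,         /* movz w0, #0    */
                                      0xC0, 0x03, 0x5F, 0xD6 };       /* ret            */
#else
#error "template only written for x86 and aarch64"
#endif

/* Overwrite the immediate inside a copy of the template; the page must be writable. */
static void patch_immediate(unsigned char *code, uint16_t imm)
{
#if defined(__x86_64__) || defined(__i386__)
    uint32_t imm32 = imm;
    memcpy(code + 1, &imm32, sizeof imm32);              /* imm32 follows the 0xB8 opcode */
#else
    uint32_t insn = 0x52800000u | ((uint32_t)imm << 5);  /* movz w0, #imm16 */
    memcpy(code, &insn, sizeof insn);
#endif
}

/* Copy the template into a private RW page, patch it, turn the page RX, run it
 * and return what it returned. Returns -1 if any step fails. */
int build_patch_run(uint16_t imm)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return -1;
    size_t len = (size_t)page;

    /* 1. Writable, deliberately not executable: where the asker's store should go. */
    unsigned char *code = mmap(NULL, len, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (code == MAP_FAILED)
        return -1;

    /* 2. Patch while the page is writable. */
    memcpy(code, stub, sizeof stub);
    patch_immediate(code, imm);
    __builtin___clear_cache((char *)code, (char *)code + sizeof stub); /* I-cache sync, needed on ARM */

    /* 3. Drop write before adding execute (W^X). A store into the page after this
     *    point faults exactly like the asker's store into .text did. */
    if (mprotect(code, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(code, len);
        return -1;
    }

    ret_const_fn fn;
    memcpy(&fn, &code, sizeof fn);   /* object pointer -> function pointer, same size on Linux */
    int result = fn();
    munmap(code, len);
    return result;
}

/* Permissions of the mapping containing addr, copied from /proc/self/maps into
 * perms as e.g. "r-xp". Returns 0 on success, -1 if not found. */
int mapping_perms(const void *addr, char perms[5])
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return -1;
    uintptr_t a = (uintptr_t)addr;
    char line[512];
    int rc = -1;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char p[5];
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, p) == 3 && a >= lo && a < hi) {
            memcpy(perms, p, 5);
            rc = 0;
            break;
        }
    }
    fclose(f);
    return rc;
}

/* 1 if this program's own code (.text) is writable, 0 if not, -1 if unknown. */
int text_is_writable(void)
{
    ret_const_fn probe = (ret_const_fn)build_patch_run;   /* any function living in .text */
    const void *addr;
    memcpy(&addr, &probe, sizeof addr);
    char perms[5];
    if (mapping_perms(addr, perms) != 0)
        return -1;
    return perms[1] == 'w';
}

int main(void)
{
    printf(".text writable: %d (0 is the read-only mapping behind the segfault)\n",
           text_is_writable());
    printf("patched stub returned 0x%x\n", build_patch_run(0x80));
    return 0;
}
```

In NASM the equivalent of step 1 is to declare the code section writable in the section directive (`section .text exec write`), which is what Jester's comment points at; that gives one segment that is readable, writable and executable, whereas the mmap/mprotect route above never has the page writable and executable at the same time. Peter Cordes's `add byte [override+1], 0x60` variant only saves bytes; the page it modifies still has to be writable when that instruction runs.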
