-1

Is there a way to get the return value of a function that is in the shellcode, without using pointer to function?

#include <stdio.h>   
unsigned char code[] = "\x55\x48\x89\xe5"
                       "\xb8\x05\x00\x00"
                       "\x00\x5d\xc3";     

int main(void) { 

    int (*p)(void) = (int(*)(void))code;
    printf("%d", p());
    return 0;
}
Michael Petch
  • 46,082
  • 8
  • 107
  • 198
Yuri Albuquerque
  • 474
  • 3
  • 14
  • 1
    Smells like an XY problem. What is wrong with calling through a function pointer? – Michael Petch Jun 24 '19 at 03:35
  • Nothing wrong, I just wanted to know if it was possible to call the function with inline assembly for example and write the return value of the function into a variable, it's just a curiosity I have. – Yuri Albuquerque Jun 24 '19 at 04:05
  • For example, if I did not need to get the function return I could do something like that, __asm __ ("jmp code") – Yuri Albuquerque Jun 24 '19 at 04:12

1 Answers1

1

Shellcode (see Wikipedia article Shellcode as well as this presentation Introduction to Shellcode Development) is machine code that is injected into an application in order to take over the application and run your own application within that application's process.

How the shellcode is injected into the application and starts running will vary depending on how the penetration is being done.

However for testing approaches for the actual shellcode, as opposed to approaches for injecting the shellcode in the first place, the testing is typically done with a simple program that allows you to (1) create the shellcode program that is to be injected as an array of bytes and (2) start the shellcode executing.

The simplest approach for this is the source code you have posted.

You have an array of unsigned char which contains the machine code to be executed.

You have a main() which creates a function pointer to the array of unsigned char bytes and then calls the shellcode through the function pointer.

However in a real world penetration what you would normally do is to use a technique whereby you would take over an application by injecting your shellcode into its process space and then triggering the execution of that shellcode. One such approach is a buffer overflow attack. See for example COEN 152 Computer Forensics Buffer Overflow Attack as well as Wikipedia article Buffer overflow.

See also

Also note that the approaches for shellcode attacks will vary depending on the operating system that is being attacked. For instance see this article Basics of Windows shellcode writing which explains some of the intricacies of writing a shellcode for accessing system calls in Windows. Compare to this article providing a way for How to write a Linux x86 shellcode.

Richard Chambers
  • 16,643
  • 4
  • 81
  • 106
  • Thanks for the answer, I already have a little knowledge about shellcode, but my intention was to know if it is possible to get the return value of a function, without using pointer to function. Wanted to know if it was possible to do with inline assembly – Yuri Albuquerque Jun 24 '19 at 04:09
  • @YuriAlbuquerque yes it is possible to get the return code using inline assembly. If that is what you want to know then you need to edit your posted question to include that information. – Richard Chambers Jun 24 '19 at 06:17
  • 1
    @YuriAlbuquerque and Richard - Most people *develop* shellcode by writing it in asm (e.g. NASM or GAS), not in machine-code directly. They use an assembler to turn asm source code into machine code and hexdump that or have the assembler make a hex listing. So normally you'd be testing your shellcode as the `_start` or `main` in a NASM program, for example. It's obviously easy to get the return value with a debugger, or with `strace` to see the value passed to the `exit` system call to get the full return value from main. (Not just the 8-bit process exit status.) – Peter Cordes Jun 27 '19 at 08:09