1

I have just started learning about Assembly Language. After gaining some basic knowledge I am trying to write some simple shellcode. Here is the given programme by which I am trying to simply print the "Hello, World!" text.

root@localhost:~/assembly/x86_64# cat jmpcallhello.nasm 
global _start 

section .text


_start:

        jmp call_shellcode 

shellcode:
        pop rsi 

        xor rax, rax
        mov al, 1
        xor rdi,rdi
        mov dil,1
        mov rdx, rdi
        add rdx, 13
        syscall

        xor rax, rax
        mov al, 60
        xor rdi, rdi 
        syscall

call_shellcode:
        call shellcode
        tset: db "Hello, World!",0xa
root@localhost:~/assembly/x86_64#

Then I created the object and binary file.

root@localhost:~/assembly/x86_64# nasm -f elf64 jmpcallhello.nasm -o jmpcallhello.o


root@localhost:~/assembly/x86_64# ld jmpcallhello.o -o jmpcallhello

root@localhost:~/assembly/x86_64# file jmpcallhello
jmpcallhello: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped

When I try to execute it, works perfectly.

root@localhost:~/assembly/x86_64# ./jmpcallhello
Hello, World!

But the problem comes when I tried to execute it with its objdump code.

Here is the objdump output:

root@localhost:~/assembly/x86_64# objdump -M intel -d jmpcallhello

jmpcallhello:     file format elf64-x86-64


Disassembly of section .text:

0000000000401000 <_start>:
  401000:       eb 1f                   jmp    401021 <call_shellcode>

0000000000401002 <shellcode>:
  401002:       5e                      pop    rsi
  401003:       48 31 c0                xor    rax,rax
  401006:       b0 01                   mov    al,0x1
  401008:       48 31 ff                xor    rdi,rdi
  40100b:       40 b7 01                mov    dil,0x1
  40100e:       48 89 fa                mov    rdx,rdi
  401011:       48 83 c2 0d             add    rdx,0xd
  401015:       0f 05                   syscall 
  401017:       48 31 c0                xor    rax,rax
  40101a:       b0 3c                   mov    al,0x3c
  40101c:       48 31 ff                xor    rdi,rdi
  40101f:       0f 05                   syscall 

0000000000401021 <call_shellcode>:
  401021:       e8 dc ff ff ff          call   401002 <shellcode>

0000000000401026 <tset>:
  401026:       48                      rex.W
  401027:       65 6c                   gs ins BYTE PTR es:[rdi],dx
  401029:       6c                      ins    BYTE PTR es:[rdi],dx
  40102a:       6f                      outs   dx,DWORD PTR ds:[rsi]
  40102b:       2c 20                   sub    al,0x20
  40102d:       57                      push   rdi
  40102e:       6f                      outs   dx,DWORD PTR ds:[rsi]
  40102f:       72 6c                   jb     40109d <tset+0x77>
  401031:       64 21 0a                and    DWORD PTR fs:[rdx],ecx


root@localhost:~/assembly/x86_64# for i in $(objdump -d jmpcallhello |grep "^ " |cut -f2); do echo -n '\x'$i; done; echo
\xeb\x1f\x5e\x48\x31\xc0\xb0\x01\x48\x31\xff\x40\xb7\x01\x48\x89\xfa\x48\x83\xc2\x0d\x0f\x05\x48\x31\xc0\xb0\x3c\x48\x31\xff\x0f\x05\xe8\xdc\xff\xff\xff\x48\x65\x6c\x6c\x6f\x2c\x20\x57\x6f\x72\x6c\x64\x21\x0a

Here I can't see any bad character. Then I used this shellcode in this c file.

#include<stdio.h>
#include<string.h>

unsigned char code[] = \
"\xeb\x1f\x5e\x48\x31\xc0\xb0\x01\x48\x31\xff\x40\xb7\x01\x48\x89\xfa\x48\x83\xc2\x0d\x0f\x05\x48\x31\xc0\xb0\x3c\x48\x31\xff\x0f\x05\xe8\xdc\xff\xff\xff\x48\x65\x6c\x6c\x6f\x2c\x20\x57\x6f\x72\x6c\x64\x21\x0a";


int main()
{

        printf("Shellcode Length:  %d\n", (int)strlen(code));

        int (*ret)() = (int(*)())code;

        ret();

}

Then compiled it by gcc.

root@localhost:~/assembly/x86_64# gcc -fno-stack-protector -z execstack shellcode.c -o jmpcallshell

root@localhost:~/assembly/x86_64# file jmpcallshell
jmpcallshell: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=b698c45d6f4fb5c94e58369ba677b1483e66f512, for GNU/Linux 3.2.0, not stripped

But when I try to run it. It says segmentation fault.

root@localhost:~/assembly/x86_64# ./jmpcallshell
Shellcode Length:  52
Segmentation fault
root@localhost:~/assembly/x86_64#

What's the problem here? Thanks in advance.

Peter Cordes
  • 328,167
  • 45
  • 605
  • 847
iamnoobv_1
  • 11
  • 1
  • `unsigned char code[] = ...` goes in section `.data`, not the stack. On modern Linux kernels, `-z execstack` only makes the actual stack executable, not `.data`. If you debug with GDB, you should be able to confirm that the segfault is from code-fetch right after the compiler-generated code calls through the function pointer. – Peter Cordes Jun 20 '21 at 18:24
  • So if I want this to get in the stack what should I do? And is there any way to executable the .data section? – iamnoobv_1 Jun 20 '21 at 18:38
  • Note the 2nd linked duplicate (at the top of the question). My answer on [How to get c code to execute hex machine code?](https://stackoverflow.com/q/9960721) covers various ways to test shellcode. Including simply making your array a local variable inside a function, so it will be on the stack where `-z execstack` will make it executable. – Peter Cordes Jun 20 '21 at 18:47
  • Thanks, @petr cordes that was helpful.. – iamnoobv_1 Jun 22 '21 at 05:05

0 Answers0