NASM - The Netwide Assembler
NASM Forum => Programming with NASM => Topic started by: grimoire on September 03, 2013, 03:17:14 AM
-
Hi.
I was watching a video about a shellcode example in "Open Security Training", and they made an example about nulls and execve.
This is the source code:
.text
.global _start
_start:
jmp MyCallStatement          # jump forward so the call below pushes the string address
ShellCode:
popl %esi                    # esi = address of ShellVariables
xorl %eax, %eax              # eax = 0 without a null byte in the encoding
movb %al, 0x9(%esi)          # terminate "/bin/bash" (overwrites the 'A')
movl %esi, 0xa(%esi)         # argv[0] = pointer to the string (overwrites "BBBB")
movl %eax, 0xe(%esi)         # argv[1] = NULL (overwrites "CCCC")
movb $11, %al                # __NR_execve
movl %esi, %ebx              # filename
leal 0xa(%esi), %ecx         # argv
leal 0xe(%esi), %edx         # envp, pointing at the NULL
int $0x80
MyCallStatement:
call ShellCode
ShellVariables:
.ascii "/bin/bashABBBBCCCC"
I was trying to do the same code using NASM but had an error, so using GDB I found this message:
[BITS 32]
section .text
global _start
_start:
jmp callstatment               ; jump forward so the call below pushes the string address
shellcode:
pop esi                        ; esi = address of shellvariable
xor eax, eax                   ; eax = 0 without a null byte in the encoding
mov byte [esi + 0x9], al       ; terminate "/bin/bash" (overwrites the 'A')
mov dword [esi + 0xA], esi     ; argv[0] = pointer to the string (overwrites "BBBB")
mov dword [esi + 0xE], eax     ; argv[1] = NULL (overwrites "CCCC")
mov al, 11                     ; __NR_execve (NASM ignores a size specifier on a register)
mov ebx, esi                   ; filename
lea ecx, [esi + 0xA]           ; argv, matching 0xa(%esi) in the AT&T version
lea edx, [esi + 0xE]           ; envp, pointing at the NULL
int 0x80
callstatment:
call shellcode
shellvariable: db "/bin/bashABBBBCCCC",0
"Program received signal SIGSEGV, Segmentation fault.
0x08048065 in shellcode ()"
So, here is the problem:
Dump of assembler code for function shellcode:
0x08048062 <+0>: pop %esi
0x08048063 <+1>: xor %eax,%eax
=> 0x08048065 <+3>: mov %al,0x9(%esi)
0x08048068 <+6>: mov %esi,0xa(%esi)
0x0804806b <+9>: mov %eax,0xe(%esi)
0x0804806e <+12>: mov $0xb,%al
0x08048070 <+14>: mov %esi,%ebx
0x08048072 <+16>: lea 0x9(%esi),%ecx
0x08048075 <+19>: lea 0xe(%esi),%edx
0x08048078 <+22>: int $0x80
but I don't know what is wrong; can somebody check it, please?
btw, the AT&T code shows me the same error
regards
-
I think the issue is writing to your .text section. In Nasm, we can do:
section .text write
Nasm will make the .text section writable in the .o file - you can see it in a dump. But ld, in its infinite wisdom, knows that .text is supposed to be readonly and changes it back. Calling your .text section something else:
section .kode exec write
will fool ld. I suspect that the "right" way is a linker script, but I don't know the syntax.
I usually don't mess with "shellcode" since I don't know any legitimate reason to do things that way!
Best,
Frank
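Frank's "you can see it in a dump" is the check worth automating: a section that is both writable and executable (W+X) is exactly what `section .kode exec write` produces and what hardening checks flag. As an added example, not code from this thread or from NASM, here is a Python parser for little-endian ELF32 section headers that lists every section carrying both SHF_WRITE and SHF_EXECINSTR; it builds a constructed sample object inline, and given a path reads a real `nasm -f elf32` output instead (`readelf -S` shows the same flags as W and X).

```python
import struct

SHF_WRITE, SHF_ALLOC, SHF_EXECINSTR = 0x1, 0x2, 0x4   # sh_flags bits (ELF spec)

def section_flags(elf):
    """Parse little-endian ELF32 section headers and return {section name: sh_flags}."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF32 file")
    e_shoff = struct.unpack_from("<I", elf, 0x20)[0]
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", elf, 0x2E)
    headers = [struct.unpack_from("<10I", elf, e_shoff + i * e_shentsize)
               for i in range(e_shnum)]
    strtab = headers[e_shstrndx][4]                      # sh_offset of .shstrtab
    flags = {}
    for sh_name, _sh_type, sh_flags, *_rest in headers:
        end = elf.index(b"\0", strtab + sh_name)
        flags[elf[strtab + sh_name:end].decode()] = sh_flags
    return flags

def writable_exec_sections(elf):
    """Names of sections flagged both SHF_WRITE and SHF_EXECINSTR (W+X)."""
    return sorted(n for n, f in section_flags(elf).items()
                  if f & SHF_WRITE and f & SHF_EXECINSTR)

def build_sample_elf(sections):
    """Construct a minimal ELF32 holding only a section-header table (test input, not a real .o)."""
    names = [""] + [n for n, _ in sections] + [".shstrtab"]
    shstrtab = b"".join(n.encode() + b"\0" for n in names)
    name_off, off = {}, 0
    for n in names:
        name_off[n], off = off, off + len(n) + 1
    shoff, shnum = 52 + len(shstrtab), len(names)      # headers follow the string table
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9)           # ELFCLASS32, ELFDATA2LSB, EV_CURRENT
    ehdr += struct.pack("<HHIIIIIHHHHHH", 1, 3, 1, 0, 0, shoff, 0, 52, 0, 0, 40, shnum, shnum - 1)
    shdrs = bytes(40)                                  # index 0 is the mandatory SHT_NULL entry
    for n, f in sections:                              # SHT_PROGBITS sections with the given flags
        shdrs += struct.pack("<10I", name_off[n], 1, f, 0, 0, 0, 0, 0, 1, 0)
    shdrs += struct.pack("<10I", name_off[".shstrtab"], 3, 0, 0, 52, len(shstrtab), 0, 0, 1, 0)
    return ehdr + shstrtab + shdrs

# Constructed sample: a normal .text next to the .kode section described above.
SAMPLE = build_sample_elf([(".text", SHF_ALLOC | SHF_EXECINSTR),
                           (".kode", SHF_ALLOC | SHF_EXECINSTR | SHF_WRITE)])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print("W+X sections:", writable_exec_sections(data) or "none")   # sample: ['.kode']
```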
-
I think you're right about ".text"
I don't know why this happens, but with the opcodes, using it in C code... it works fine