shellcode test


MattA
Trusted SF Member
Joined: 13 Jun 2003
Posts: 16777193
Location: Eastbourne + London

Posted: Mon Nov 28, 2005 3:18 pm    Post subject: shellcode test

Similar to makedeps' thread here, and in fact the code reads easier, to me at least.
I'm still having my pointer issues and probably still will for months... can you check my logic with what each line of code is doing?
FYI the shellcode is fine and this example works just fine. Might help makedep too.

Code:

/* shellcodetest.c */

/* Linux x86 (32-bit) execve("/bin//sh", ["/bin//sh"], NULL) shellcode, 25 bytes:
   xor eax,eax / push eax / push "//sh" / push "/bin" / mov ebx,esp /
   push eax / push ebx / mov ecx,esp / xor edx,edx / mov al,11 / int 0x80 */
char sc[] =
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80";

int main(void)
{
    /* this is declaring the function pointer, of type void , void may be anything. why is *fp in
       brackets? why the (void) at the end as well, is it returning type void? */

    void (*fp) (void);

    /* this says fp = sc but why the (void *) in front of it? */

    fp = (void *)sc;

    /* I thought this was a function call that returned the shellcode but it's not actually a
       function it's a pointer to the shellcode but I don't see why the () are there either */

    fp();

    /* not reached when the shellcode succeeds: execve replaces this process with /bin/sh */
    return 0;
}

capi
SF Senior Mod
Joined: 21 Sep 2003
Posts: 16777097
Location: Portugal

Posted: Mon Nov 28, 2005 3:47 pm

Hey there MattA,

Actually Stormhawk had posted a nice explanation of function pointers in another thread - was there something you didn't understand at the time?

Ok, let's look at it line by line, inside the main function.

Code:
void (*fp) (void);

This is declaring a pointer to a function (with the pointer being called fp). The function returns void and takes no arguments (hence the void inside the parentheses).

The syntax for a function pointer is similar to that of a function prototype. For example, if you had the following function:
Code:
int square(int x)
{
  return x * x;
}

As you can see, function square receives an int and returns an int. If you were to declare a pointer to that function, you would do:
Code:
int (*pointer_to_square)(int) = square;

Notice the similarity? Whatever is inside the (*...) is the actual pointer's name, the (int) is the type of the arguments it takes, and the int at the beginning is the type of value it returns.

Now, next line:
Code:
fp = (void *)sc;

This is making fp "point to" the same address which sc is pointing to. Remember a pointer is just a numeric variable like your basic integer, the only difference is how the computer will interpret the numeric value. In the case of a pointer, its value is supposed to be a memory address. As such, when you assign the value of a pointer to another one, you get the two "pointing" to the same place.

It all helps a great deal if you think of your process's memory space as a huge linear array of bytes (which it is, in concept). An address is simply the index of a byte in the array. A pointer is simply a variable that holds that index.

Now, the cast. This is simply a matter of type-checking. As you can see, sc is declared as an array of char; by definition, this means sc is the address of the first element in that array, so sc is a pointer to a char - a char *. fp, however, is a pointer to a function - a void (*)(void). If you just did fp = sc, the compiler would notice that you're assigning a value of one type to a variable that's meant to hold a different type. It would warn you, or issue an error. This is where the cast comes in - the (void *) thing in front of the sc. What the cast does is tell the compiler "interpret this as if it were a void *". As you know, void * is a generic pointer, so that sort of solves the problem. It is not the correct solution, though.

The correct thing to do here would be to cast the right value to the same type as the left value (thus eliminating the difference in types when you assign). In other words, we want to tell the compiler "I know sc is a different type than fp, but pretend sc is a pointer to a function that returns void and receives void". So, that line of code should be:
Code:
fp = (void (*)(void))sc;


Finally:
Code:
fp();

This is simply calling the function that fp points to. The () are there because it's a function call, just like fork() or printf("bla"). And what is the function that fp points to, I hear you ask? Well, the shellcode, of course (the previous line made sure of that). Note that fp() is not a function call that returns the shellcode, it is executing the shellcode.

HTH


Last edited by capi on Tue Nov 29, 2005 12:16 am; edited 1 time in total

MattA
Trusted SF Member
Joined: 13 Jun 2003
Posts: 16777193
Location: Eastbourne + London

Posted: Mon Nov 28, 2005 5:50 pm

cheers capi, I'm reading up quite a lot on pointers but it doesn't always seem to go in ;)

Stormhawk
Trusted SF Member
Joined: 26 Aug 2003
Posts: 31
Location: Warwickshire, England, UK

Posted: Mon Nov 28, 2005 6:06 pm

Damn, capi got here first on this one!

I was looking forward to answering that question!

capi
SF Senior Mod
Joined: 21 Sep 2003
Posts: 16777097
Location: Portugal

Posted: Tue Nov 29, 2005 12:01 am

Stormhawk wrote:
Damn, capi got here first on this one!

I was looking forward to answering that question!

Aw, sorry about that :P

I wasn't even going to answer at first (figured you would) but I was bored ;)

Stormhawk
Trusted SF Member
Joined: 26 Aug 2003
Posts: 31
Location: Warwickshire, England, UK

Posted: Tue Nov 29, 2005 12:12 am

Haha, yeah I would have answered. But we can't have a bored capi!