Testing Shellcode From C - Bus Error 10

Question

Below, I written x64 assembly that prints \'Hello, World!\' from a syscall on Mac OS X 10.8. It assembles and runs perfect when executed standalone.

; Assemb         


        

Answer 1

Your program tries to execute the shellcode from a memory paged marked "execute disable", which is the default for memory in the data section. That's why you see the KERN_PROTECTION_FAILURE. You need to put the shellcode in the text section:

__attribute__((section("__TEXT,__text")))
char code[] = ...

After doing that, your program works fine:

$ clang -Wall -Wextra -pedantic -O2 example.c -o example
$ ./example
Hello, World!

Editorial note: You don't need the typecast on your function pointer invocation. Just ret(); will be fine. You'll need to get rid of at least the (int) part to compile without warnings.

Edit:

Here's a program that works without requiring you to do section-override gymnastics:

#include <sys/mman.h>
#include <inttypes.h>
#include <unistd.h>

char code[] = "\x55\x48\x89\xe5\x41\xb0\x02\x49\xc1\xe0\x18\x49\x83\xc8\x04\x4c"
              "\x89\xc0\x48\x31\xff\x66\xbf\x01\x00\xeb\x1e\x5e\x48\x31\xd2\xb2"
              "\x0e\x0f\x05\x41\xb0\x02\x49\xc1\xe0\x18\x49\x83\xc8\x01\x4c\x89"
              "\xc0\x31\xff\x0f\x05\x48\x89\xec\x5d\xe8\xdd\xff\xff\xff\x48\x65"
              "\x6c\x6c\x6f\x2c\x20\x57\x6f\x72\x6c\x64\x21\x0a";

int main()
{
    int (*ret)() = (int (*)())code;
    void *page = (void *)((uintptr_t)code & ~(getpagesize() - 1));

    mprotect(page, sizeof code, PROT_EXEC);

    ret();

    return 0;
}

Example runs:

$ clang -O2 -Wall -Wextra example.c -o example
$ ./example
Hello, World!
$ gcc -O2 -Wall -Wextra example.c -o example
$ ./example
Hello, World!