shellcode

问题 I'm looking at example abo3.c from Insecure Programming and I'm not grokking the casting in the example below. Could someone enlighten me? int main(int argv,char **argc) { extern system,puts; void (*fn)(char*)=(void(*)(char*))&system; char buf[256]; fn=(void(*)(char*))&puts; strcpy(buf,argc[1]); fn(argc[2]); exit(1); } So - what's with the casting for system and puts? They both return an int so why cast it to void? I'd really appreciate an explanation of the whole program to put it in

问题 So after I compile and execute my program I get the following error message that reads: "Segmentation fault", and the strace error message reads: --- SIGSEGV (Segmentation fault) @ 0 (0) --- +++ killed by SIGSEGV +++ Segmentation fault Question is, any ideas how I can fix this error and display the message in the shell code? Assembly code: ;r3v.asm ;r3v3rs3c - 3x_z3r0 [SECTION .text] global _start _start: jmp short ender starter: xor eax, eax xor ebx, ebx xor edx, edx xor ecx, ecx mov al, 4

问题 I am trying to compile this using the terminal on ubuntu 12: #include <stdio.h> #include <stdlib.h> main() { /*declare argument array*/ char *args[2]; args[0] = “/bin/bash”; args[1] = NULL; execve(args[0], args, NULL); exit(0); } I found this example on http://www.securitytube.net/video/235 which also happened to be the one Aleph One used in 'Smashing the Stack for Fun and Profit'. I am aware that much has changed since then. In more simple examples I have used: gcc -ggdb -mpreferred-stack

问题 I just started looking into how buffer overflow attacks work, and tried simulating an attack on Windows 7 using Visual C 2010. The buffer overflow attack is very contrived, it just overwrites the return address to the address of the "buffer" local variable. The buffer holds the string of shellcode. Whether I run the program in Visual Studio 2010 Debug or not, the program will jump to the shellcode and almost begins execution of it, but I get an Access Violation error, and the program will not

问题 Usually we all see the basic buffer overflow format which has :- NOPs + shellcode + return_address Why dont we use, NOPs + return_address + shellcode? where we make the return address point to the start of the shellcode? Im guessing that this is because we might be trying to write data outside the stack segment if the vulnerability is in the main(). Am I right? If I am, is that the only reason? Oh, and yes I am not referring to other kinds of attacks which use return-to-libc, ptrace etc. ; I

问题 This question was migrated from Information Security Stack Exchange because it can be answered on Stack Overflow. Migrated 5 years ago . I want to convert this assembly program to shellcode. This program just creates a file , my purpose is how I should convert assembly to shellcode when I using extern command in it My assmbly code is : extern _fopen,_fclose global main section .text main: xor r10,r10 push r10 mov r13, 0x6277 push r13 mov rsi,rsp push r10 mov r13, 0x726964656b616d push r13 mov

问题 I'm writing a Linux shell code exploit. My target C code is: char code[] = "\xb0\x01\x31\xdb\xcd\x80"; int main(int argc, char **argv) { int(*func)(); func = (int (*)()) code; (Int)(*func)(); } Why does compiling and running this C program raise a segmentation fault error? The string is shell code that exits the program using the system call Int 0x80/EAX=1. The original exploit code in assembly is: b0 01 mov al,0x1 31 db xor ebx,ebx cd 80 int 0x80 回答1: You are not setting eax=0x1 , you are

问题 I'm trying to execute this simple opcode for exit(0) call by overwriting the return address of main. The problem is I'm getting segmentation fault. #include <stdio.h> char shellcode[]= "/0xbb/0x14/0x00/0x00/0x00" "/0xb8/0x01/0x00/0x00/0x00" "/0xcd/0x80"; void main() { int *ret; ret = (int *)&ret + 2; // +2 to get to the return address on the stack (*ret) = (int)shellcode; } Execution result in Segmentation error. [user1@fedo BOF]$ gcc -o ExitShellCode ExitShellCode.c [user1@fedo BOF]$ .

问题 Purpose : I was trying to take advantage of the RIP mode in x86-64. Even though the assembly performs as expected on its own, the shellcode does not. The Problem : Concisely what I tried was this, jmp l1 str1: db "some string" l1: other code lea rax, [rel str1] I used the above at various places, it failed only at certain places and succeeded in other places. I tried to play around and could not find any pattern when it fails. When variable(str1: db instruction) position is after the

问题 I don't quite understand how variables can be stored in the text section and how they can be manipulated. Shouldn't all variables be in the .data section and aren't all part of the .text section read-only? How does this code work then? [Code taken from Shellcoder's Handbook ] Section .text global _start _start: jmp short GotoCall shellcode: pop esi xor eax, eax mov byte [esi + 7], al lea ebx, [esi] mov long [esi + 8], ebx mov long [esi + 12], eax mov byte al, 0x0b mov ebx, esi lea ecx, [esi +