Why am I getting a segmentation fault? (Testing Shellcode)

Asked 9/1, 2014 at 21:9 Answered 3/3, 2022 at 13:30

I wrote a simple ASM file and ran it in a C file I'd written. I got a segentation fault. However, when I execute the compiled ASM file, I get no error.

I am running 64 bit and using 32 bit shellcode. Is that the issue?

It can't be, because I'm getting a segmentation fault with this:

char shellcode[] = "\x90"; //simple NOP in ASM
int main(int argc, char **argv)
{
  int (*ret)();
  ret = (int (*)()) shellcode;
  (int)(*ret)();
}

Can someone please run this and tell me whether or not they get a segmentation fault. I have used 3 or 4 other C files as well. None have worked.

Update:

((void(*)(void))code)();

Seems to be working in place of those three lines.

Sales answered 9/1, 2014 at 21:9 Comment(11)

That is not how you use inline assembler... first, which compiler are you using? Here is how you do it with "gcc". – Vu 9/1, 2014 at 21:12

I think we have a problem of endian　and stack frame. – Fraise 9/1, 2014 at 21:17

On what platform (what operating system, what compiler)? It could be because your heap isn't executable. – Wiatt 9/1, 2014 at 21:17

"/x90" is supposed to be an address? – Pauperize 9/1, 2014 at 21:22

It's unlikely that an x86-64 OS will let you execute data in any case. – Sommerville 9/1, 2014 at 21:25

@Gilles What heap are you referring to? His "shellcode" is not on the heap. – Imogene 9/1, 2014 at 21:28

@claptrap Sorry, right, static data. But the point still stands — it may be in a non-executable zone depending on the platform. – Wiatt 9/1, 2014 at 21:29

Hello! Thanks for the responses. A friend informed me that my C is what "needs a lot of work". Using ((void(*)(void))shellcode)(); works. I'm getting confused on the pointers casting as function syntax. – Sales 9/1, 2014 at 21:45

I get the same issue, but this doesn't work for me either:(. I think I have to install a 32bits ubuntu. – Claus 18/6, 2014 at 12:11

I just try on my ubuntu 32 bits, not working either :( – Claus 18/6, 2014 at 12:17

I asked a very similar question a while ago, and received quite a good answer to it, given by @Drew McGowen: https://mcmap.net/q/1171855/-execute-a-piece-of-code-from-the-data-section/1382251. – Yee 21/9, 2014 at 13:40

As mentioned above the shellcode is in non-executable memory. Try recompiling the program with the -fno-stack-protector and the -z execstack flags enabled.

That is:

gcc -fno-stack-protector -z execstack -O OutputFileName yourShellCode.c

Ambiversion answered 21/9, 2014 at 13:25 Comment(1)

Alternatively, one can also run execstack OutputFileName on a binary already compiled without these supplementary parameters. – Cricket 5/7, 2016 at 20:2

Two issues:

The shell code might be in non-executable memory. In order to make it executable, you need to either ask the OS to make it executable (e.g. with mprotect(2) or VirtualProtect()), or allocate new executable memory and copy it there (e.g. with mmap(2) or VirtualAlloc().
Your shell code doesn't return/exit. After the CPU executes your NOP there (0x90), it's going to keep on executing code in the memory that comes after that NOP instruction. Most likely, this will crash quickly, but it might do other random, unpredictable things.

To fix #2, you need to explicitly either execute a return instruction (C3 on x86/x86-64) to return from your shell code, or you need to do something which never returns, like call the exit(3) function.

Nickelplate answered 9/1, 2014 at 21:54 Comment(0)

Maybe you should change your variable :

   char shellcode[]

To:

   const char shellcode[]

Like in this question: segmentation-fault-error-when-exe-c

This one worked for me! :)

Halvaard answered 21/5, 2015 at 19:39 Comment(1)

that did it! OS: Arch Linux x86_64 Kernel Release: 4.9.8-1-ARCH Uptime: 2:41 WM: i3 DE: None Packages: 765 RAM: 2405 MB / 5963 MB Processor Type: Intel(R) Core(TM) i5 CPU M 430 @ 2.27GHz $EDITOR: None Root: 16G / 69G (23%) (ext4) – Deforce 25/3, 2017 at 16:3

Try put the shellcode in the main function to make it a local variable:

int main(int argc, char **argv)
{
  const char shellcode[] = "<your shellcode>";
  int (*ret)();
  ret = (int (*)()) shellcode;
  (int)(*ret)();
}

Then compile it with flags -fno-stack-protector and -z execstack:

gcc <filename>.c -fno-stack-protector -z execstack -o <filename>

I found this idea on stackexchange and it worked for me.

Docket answered 3/3, 2022 at 13:30 Comment(0)

Recommended topics

Hot tags