Segmentation fault with function byte coding?

I get a segmentation fault when I run the following C program (compiled with gcc on Ubuntu).

    #include <stdio.h>

    /* machine code of f() (see below), stored in a writable, non-const array */
    char f[] = "\x55\x48\x89\xe5\x48\x89\x7d\xf8\x48\x89\x75\xf0"
               "\x48\x8b\x45\xf8\x8b\x10\x48\x8b\x45\xf0\x8b\x00"
               "\x89\xd1\x29\xc1\x89\xc8\xc9\xc3";

    int main() {
        int (*func)();
        func = (int (*)()) f;          /* point a function pointer at the byte array */
        int x = 3, y = 5;
        printf("%d\n", (int)(*func)(&x, &y));
        return 0;
    }

The array f contains the machine code for the following function.

    int f(int *a, int *b) { return *a - *b; }

The disassembly of the object file:

    fo:     file format elf64-x86-64

    Disassembly of section .text:

    0000000000000000 <f>:
       0:   55                      push   %rbp
       1:   48 89 e5                mov    %rsp,%rbp
       4:   48 89 7d f8             mov    %rdi,-0x8(%rbp)
       8:   48 89 75 f0             mov    %rsi,-0x10(%rbp)
       c:   48 8b 45 f8             mov    -0x8(%rbp),%rax
      10:   8b 10                   mov    (%rax),%edx
      12:   48 8b 45 f0             mov    -0x10(%rbp),%rax
      16:   8b 00                   mov    (%rax),%eax
      18:   89 d1                   mov    %edx,%ecx
      1a:   29 c1                   sub    %eax,%ecx
      1c:   89 c8                   mov    %ecx,%eax
      1e:   c9                      leaveq
      1f:   c3                      retq

This is compiled and run with:

    gcc test.c -Wall -Werror
    ./a.out
    Segmentation fault

The expected result is -2. How can I make it work?

+2
c security runtime-error
Sep 16 '12 at 12:45
2 answers

Interestingly, the linker did not complain that you were trying to link char f[] = "..."; as the function f() in your application. You are trying to call the function f(). There is a symbol f associated with the executable, but it appears that it is not a function but a variable, and so it does not get executed. This is probably due to the stack execution protection mechanism.

To get around this, you just need to get the string into the text segment of the process memory. You can achieve this by declaring the string as const char f[].

From Smashing the Stack for Fun and Profit, by Aleph One:

The text region is fixed by the program and includes code (instructions) and read-only data. This region corresponds to the text section of the executable file.

Since a const char[] is read-only, the compiler places it together with the code in the text region. Thus the execution-prevention mechanism is circumvented, and the machine code in it can be executed.

Example:

    /* test.c */
    #include <stdio.h>

    /* same bytes as before, but const: the compiler can place them in the text segment */
    const char f[] = "\x55\x48\x89\xe5\x48\x89\x7d\xf8\x48\x89\x75\xf0"
                     "\x48\x8b\x45\xf8\x8b\x10\x48\x8b\x45\xf0\x8b\x00"
                     "\x89\xd1\x29\xc1\x89\xc8\xc9\xc3";

    int main() {
        int (*func)();
        func = (int (*)()) f;
        int x = 3, y = 5;
        printf("%d\n", (int)(*func)(&x, &y));
        return 0;
    }

gives:

    $ gcc test.c -Wall && ./a.out
    -2

(Fedora 16, gcc 4.6.3)

+4
Sep 16 '12 at 13:20
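The const trick in the answer above works only as long as the linker puts .rodata into the same executable segment as .text; with current GNU binutils (ld defaults to -z separate-code on x86-64 since 2.31) read-only data sits in its own non-executable segment, so the const version faults just like the original. The portable way to run bytes you hold in a buffer is to give them a page whose permissions you control: map it writable, copy, then flip it to read+execute so the page is never writable and executable at once (W^X). The program below is an added example, not code from the question or either answer; it uses the question's own 32 bytes, and the helper mapping_is_executable, which reads /proc/self/maps, is a Linux-only assumption used to show which segment a const and a non-const array actually land in.

```c
/* Added example: run the question's bytes from an mmap'd W^X page and
   inspect which mappings the question's arrays land in (Linux, x86-64). */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <limits.h>
#include <unistd.h>
#include <sys/mman.h>

/* The machine code from the question: int f(int *a, int *b) { return *a - *b; } */
static const unsigned char sub_code[] = {
    0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x7d, 0xf8, 0x48, 0x89, 0x75, 0xf0,
    0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x8b, 0x00,
    0x89, 0xd1, 0x29, 0xc1, 0x89, 0xc8, 0xc9, 0xc3
};

/* The same bytes in a non-const array, exactly as the question declared them:
   this is ordinary writable data and is never executable. */
static char rw_code[] = "\x55\x48\x89\xe5\x48\x89\x7d\xf8\x48\x89\x75\xf0"
                        "\x48\x8b\x45\xf8\x8b\x10\x48\x8b\x45\xf0\x8b\x00"
                        "\x89\xd1\x29\xc1\x89\xc8\xc9\xc3";

typedef int (*sub_fn)(int *, int *);

/* Find the mapping that contains addr in /proc/self/maps (Linux only).
   Returns 1 if that mapping is executable, 0 if it is mapped without
   execute permission, -1 if it cannot be determined. */
int mapping_is_executable(const void *addr)
{
    FILE *maps = fopen("/proc/self/maps", "r");
    if (!maps)
        return -1;
    uintptr_t p = (uintptr_t)addr;
    int result = -1;
    char line[512];
    while (fgets(line, sizeof line, maps)) {
        unsigned long lo, hi;
        char perms[5];                       /* e.g. "r-xp" */
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) != 3)
            continue;
        if (p >= lo && p < hi) {
            result = (perms[2] == 'x');
            break;
        }
    }
    fclose(maps);
    return result;
}

/* Copy the code into a fresh page that is RW for the copy and RX for the
   call, so it is never writable and executable at the same time.
   Calls the code with &a and &b and stores its return value in *out.
   Returns 0 on success, -1 if the mapping could not be set up. */
int run_sub(int a, int b, int *out)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || sizeof sub_code > (size_t)page)
        return -1;
    size_t len = (size_t)page;
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return -1;
    memcpy(mem, sub_code, sizeof sub_code);
    if (mprotect(mem, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, len);
        return -1;
    }
    sub_fn fn = (sub_fn)mem;
    *out = fn(&a, &b);
    munmap(mem, len);
    return 0;
}

/* Convenience wrapper: the computed value, or INT_MIN if loading failed. */
int sub_via_mmap(int a, int b)
{
    int r;
    return run_sub(a, b, &r) == 0 ? r : INT_MIN;
}

int main(void)
{
    printf("non-const array executable: %d\n", mapping_is_executable(rw_code));
    printf("const array executable:     %d\n", mapping_is_executable(sub_code));
    int r;
    if (run_sub(3, 5, &r) == 0)
        printf("mmap'd code returned %d\n", r);   /* -2 on x86-64 */
    else
        perror("run_sub");
    return 0;
}
```

The two mapping_is_executable lines are the check worth running on your own toolchain: the non-const array reports 0 everywhere, and whether the const array reports 1 or 0 tells you directly whether the accepted answer's trick can work on that system. The mmap path does not depend on that at all, and it is also the form that keeps W^X intact, which is what stack and data execution prevention exist to enforce.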

If I understand you correctly, you are trying to run simple code that is not in the text space but instead in your static storage? If this does not succeed, there can be only three reasons: either your code was not initialized correctly (unlikely in this simple case), your data space went away (not the case in this simple case), or your system prevented it as a security measure (likely, since what you are trying to do is rather atypical and mainly used for exploiting buffer overflows).

0
Sep 16 '12 at 12:56
