Running shellcode in shared memory using mmap

I am trying to place and execute program code in a shared memory area. Initializing and allocating the shared memory, and copying the shellcode into the "new" memory, work as intended, but as soon as I try to execute it, it fails. Can anyone see what the problem is?

I think `write(1, 0x6000d8, 13) = -1 EFAULT (Bad address)` is the error. What could be the reason for it?

I have included the code and the error output. The C code is based on Adam Rosenfield's answer to this question.

C code

 #include <string.h> #include <sys/mman.h> // My own shellcode, obtained through objdump // works on its own (a hello world-program) const char shellcode[] = "\xb8\x01\x00\x00\x00\xbf\x01\x00\x00\x00\x48\xbe\xd8\x00\x60\x00\x00\x00\x00\x00\xba\x0d\x00\x00\x00\x0f\x05\xb8\x3c\x00\x00\x00\xbf\x00\x00\x00\x00\x0f\x05"; int main(int argc, char **argv) { void *mem = mmap(0, sizeof(shellcode), PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0); memcpy(mem, shellcode, sizeof(shellcode)); mprotect(mem, sizeof(shellcode), PROT_READ|PROT_WRITE|PROT_EXEC); int (*func)(); func = (int (*)())mem; (int)(*func)(); munmap(mem, sizeof(shellcode)); return 0; } 

Strace output

 execve("./memory", ["./memory"], [/* 17 vars */]) = 0 brk(NULL) = 0x557b5e17e000 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) mmap(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb8ba434000 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=92611, ...}) = 0 mmap(NULL, 92611, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fb8ba41d000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20\5\2\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=1856752, ...}) = 0 mmap(NULL, 3959200, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fb8b9e4c000 mprotect(0x7fb8ba009000, 2097152, PROT_NONE) = 0 mmap(0x7fb8ba209000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1bd000) = 0x7fb8ba209000 mmap(0x7fb8ba20f000, 14752, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fb8ba20f000 close(3) = 0 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb8ba41b000 arch_prctl(ARCH_SET_FS, 0x7fb8ba41b700) = 0 mprotect(0x7fb8ba209000, 16384, PROT_READ) = 0 mprotect(0x557b5dd04000, 4096, PROT_READ) = 0 mprotect(0x7fb8ba437000, 4096, PROT_READ) = 0 munmap(0x7fb8ba41d000, 92611) = 0 mmap(NULL, 40, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0) = 0x7fb8ba433000 mprotect(0x7fb8ba433000, 40, PROT_READ|PROT_WRITE|PROT_EXEC) = 0 write(1, 0x6000d8, 13) = -1 EFAULT (Bad address) exit(0) = ? +++ exited with 0 +++ 

Shellcode source

 ; Original "hello, world!" program the shellcode bytes were dumped from.
; Built as a normal executable it works, because `msg` is resolved to its
; final address in .data at link time.
section .data
msg db "hello, world!"   ; 13 bytes, no terminator (rdx below is 13)

section .text
global _start
_start:
    mov rax, 1           ; write(2) -- strace shows write(1, ..., 13) here
    mov rdi, 1           ; fd 1: stdout
    mov rsi, msg         ; ABSOLUTE link-time address of msg (0x6000d8 in the dumped binary);
                         ; meaningless once the .text bytes alone are copied elsewhere
    mov rdx, 13          ; length of msg
    syscall
    mov rax, 60          ; exit(2) -- strace shows exit(0); nothing after this runs
    mov rdi, 0           ; status 0
    syscall
1 answer

To apply the answer from the proposed duplicate to your code:

When this shellcode executes the following instruction, you do not know what the address it loads points to:

 mov rsi, msg 

In the injected process, the memory at that address can contain anything, but it will not be "Hello world!\r\n", because that string lives in the .data section:

 section .data msg db "hello, world!" 

while you dumped only the .text section.

You can see that your shellcode does not contain "Hello world!\r\n" (the bytes \x68\x65\x6c\x6c\x6f... are absent).

