Jan 3rd, 2006, 5:34 PM   #1
para
Programmer
Join Date: Dec 2005
Posts: 65
executing code in the data segment

I'm attempting to execute code in the data segment, but I can't really seem to find much on this topic.

Here's an overview of what I have now:
unsigned char block[50] = {0};

/* ...code to fill block with machine instructions here... */

/* try to execute the block with an assembly call (32-bit x86, AT&T syntax) */
__asm__ (
	"mov %0, %%eax\n\t"
	"call *%%eax"
	:			/* no output */
	: "r" (block)		/* input variable, replaces %0 in above code */
	: "eax", "ecx", "edx", "memory", "cc"	/* tell gcc eax changed, and that the
						   called code may clobber the other
						   caller-saved registers, flags and memory */
);

I'm using GNU GCC as the compiler.

When I try to run this, I get a segfault. I think it might be one of two (possibly both) things:
  1. The block stored in the data segment does not have the execute permission
  2. The address I'm attempting to invoke is incorrect

For the first, I tried using mprotect to set the execute permission:
#include <sys/mman.h>	/* mprotect, PROT_* */
#include <unistd.h>	/* getpagesize */

int pagesize = getpagesize();
/* round the address of block down to the start of its page */
void* target = (void*)(block - ((long)block % pagesize));
if (mprotect(target, 100, (PROT_READ | PROT_WRITE | PROT_EXEC)) == -1)
	perror("mprotect()");
However this code would fail.

For the second, I noticed the address of block is 0xffffd030, which seems unlikely to me. I'm not too familiar with assembly, and I think I may need to use a lea instruction rather than a plain mov, but I'm not certain.

Also, is there a way to do this in C, avoiding inline assembly? The assembly doesn't bother me much (if I knew a little more about what I was doing with it), but it would be nice to use C since it's more portable.

Thanks


#include <stdio.h>
#include <sys/mman.h>	/* mprotect, PROT_* */
#include <unistd.h>	/* getpagesize */

typedef unsigned char byte;

int main() {
	typedef int (*fadd)(int, int);

	/* code for function:    int add(int a, int b) { return a+b; }
	 * 32-bit x86 (cdecl) machine code, so build with gcc -m32 */
	byte block[] = {
			0x55,                      //push   %ebp
			0x89, 0xe5,                //mov    %esp,%ebp
			0x8b, 0x45, 0x0c,          //mov    0xc(%ebp),%eax
			0x03, 0x45, 0x08,          //add    0x8(%ebp),%eax
			0xc9,                      //leave  
			0xc3,                      //ret    
			0x90,                      //nop    
			0x8d, 0x74, 0x26, 0x00     //lea    0x0(%esi),%esi
	};
	int pagesize;
	int i;
	byte *page;

	/* block is a local, so it lives on main's stack frame: this changes the
	 * protection of a stack page. The page must stay readable and writable
	 * (PROT_EXEC alone would make the rest of main fault on its own stack). */
	pagesize = getpagesize();
	page = block - ((long)block % pagesize);
	if (mprotect(page, (block - page) + sizeof(block),
	             PROT_READ | PROT_WRITE | PROT_EXEC) == -1) {
		perror("mprotect()");
		return 0;
	}

	fadd fptr = (fadd)block;	/* cast: byte* and a function pointer are incompatible types */
	i = (*fptr)(1, 2);
	printf("fptr = %i\n", i);

	return 0;
}
Last edited by para; Jan 3rd, 2006 at 6:04 PM.
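Added example, not the poster's code and not from this thread: the way a JIT or interpreter does what the post is attempting, and why the stack array above faults. The bytes are constructed here for x86-64 SysV (a in edi, b in esi) and AArch64 (a in w0, b in w1), not the 32-bit cdecl bytes in the post; the function names (load_code, run_add) are this example's own. A fresh anonymous page is mapped read/write, the code is copied in, and only then is the page flipped to read/execute, so it is never writable and executable at once (the W^X rule that NX stacks and data segments enforce, and the reason mprotect on a stack or .data page is the wrong tool).

```c
#define _DEFAULT_SOURCE		/* MAP_ANONYMOUS on glibc */
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef int (*fadd)(int, int);

#if defined(__x86_64__)
/* int add(int a, int b) { return a + b; }  -- SysV x86-64 ABI, constructed bytes */
static const unsigned char add_code[] = {
	0x89, 0xf8,		/* mov  %edi, %eax */
	0x01, 0xf0,		/* add  %esi, %eax */
	0xc3			/* ret             */
};
#elif defined(__aarch64__)
/* same function for AAPCS64; little-endian instruction words, constructed bytes */
static const unsigned char add_code[] = {
	0x00, 0x00, 0x01, 0x0b,	/* add w0, w0, w1 */
	0xc0, 0x03, 0x5f, 0xd6	/* ret            */
};
#else
#error "add_code is only encoded for x86-64 and AArch64 in this example"
#endif

/* Map a private anonymous region as RW, copy the code in, then switch it to RX.
 * Returns the entry address (and the mapping size in *map_len) or NULL on failure,
 * with errno set by mmap/mprotect. The region is never RWX. */
static void *load_code(const unsigned char *code, size_t len, size_t *map_len)
{
	size_t pagesize = (size_t)sysconf(_SC_PAGESIZE);
	size_t sz = ((len + pagesize - 1) / pagesize) * pagesize;
	void *mem = mmap(NULL, sz, PROT_READ | PROT_WRITE,
	                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (mem == MAP_FAILED)
		return NULL;
	memcpy(mem, code, len);
	/* drop write before granting execute */
	if (mprotect(mem, sz, PROT_READ | PROT_EXEC) == -1) {
		munmap(mem, sz);
		return NULL;
	}
	/* AArch64 needs the instruction cache made coherent with the new bytes;
	 * this is a no-op on x86 */
	__builtin___clear_cache((char *)mem, (char *)mem + len);
	*map_len = sz;
	return mem;
}

/* Load add_code, call it with (a, b), unmap it, and return the result.
 * Returns -1 if the code could not be mapped executable. */
int run_add(int a, int b)
{
	size_t sz = 0;
	void *mem = load_code(add_code, sizeof add_code, &sz);
	if (mem == NULL) {
		perror("load_code");
		return -1;
	}
	fadd fn;
	memcpy(&fn, &mem, sizeof fn);	/* object-to-function pointer conversion without a cast warning */
	int r = fn(a, b);
	munmap(mem, sz);
	return r;
}

int main(void)
{
	int r = run_add(1, 2);
	printf("add(1, 2) = %d\n", r);	/* prints add(1, 2) = 3 */
	return r == 3 ? 0 : 1;
}
```

Build with plain gcc on a 64-bit Linux box (no -m32). If mprotect fails with EACCES here, the process is under a policy (SELinux execmem, PaX MPROTECT, or similar) that refuses executable anonymous memory altogether, which is the same protection the poster is running into, just reported instead of faulting.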
Jan 4th, 2006, 1:52 PM   #2
jim mcnamara
Hobbyist Programmer
Join Date: Jun 2005
Location: New Mexico
Posts: 228
Google for shellcode. You are having protection problems.

or

find a copy of Jack Koziol's 'Shellcoder's Handbook'

A lot of exploits begin by executing code injected into various parts of memory.
DaniWeb IT Discussion Community