2

The typical structure of executing shellcode is the following (the code snippet is taken from here):

#include <stdlib.h>

char shellcode[] = "";             /* global array holding the raw shellcode bytes */

int
main (int argc, char **argv)
{
        int (*ret)();              /* ret is a function pointer */
        ret = (int(*)())shellcode; /* ret points to our shellcode */
                                   /* shellcode is type cast as a function */
        (int)(*ret)();             /* execute, as a function, shellcode[] */
        exit(0);                   /* exit() */
}

Why not use asm (inline assembler) to execute shellcode? It is then much simpler than doing pointer acrobatics such as converting an array to a function pointer and then executing that array as a function.

Are there any drawbacks to using the assembler? And are there any particular advantages of using an array to execute shellcode?

1
  • Inline assembly is compiler dependent, and even if you fit every syntax with macros, it may behave differently because of optimization. Using this way is easier and more predictable. Commented Mar 22, 2017 at 13:10

3 Answers

4

This execute-from-array method is used to test shellcodes in byte format, which is often the way shellcodes are provided (see http://shell-storm.org/shellcode/). It also emulates the usual way shellcodes are used in an exploit.

Inline assembly is compiler dependent, and shellcode developers might use assemblers directly, such as nasm or MASM. However, if you are developing your own shellcode there is nothing stopping you from using inline assembly; just keep in mind that the shellcode must be position independent.

1
  • 1
    Why is it necessary to have the array declared as global? Will any harm come if it is declared locally in main()?
    – Sreyan
    Commented Sep 25, 2014 at 13:35
1

The article you quote is about writing new shellcode to be used in exploits later. The specific snippet is about testing the shellcode. It does not really matter much how you jump to it in your test rig.

In addition, the method from the article lets you test binary shellcode, which is usually all you have when creating an exploit payload.

0

Because this technique would require rewriting the code of the program...

And, most of the time, you cannot rewrite the .text section... You only have access to the data stored on the stack and/or the heap. That is why we use ROP.

3
  • Why is it so important to execute our code from the .TEXT section? What harm will come if we execute it from the .CODE section?
    – Sreyan
    Commented Sep 23, 2014 at 15:32
  • .text == .code
    – perror
    Commented Sep 23, 2014 at 19:16
  • In real life, do all shellcodes need to be executed from the .TEXT section? What is the matter if I patch the .CODE section of an executable and place my shellcode there? Does that destroy position independence? Why use ROP in the first place?
    – Sreyan
    Commented Sep 25, 2014 at 13:37
