
Shellcode Injection - piyush8311
https://dhavalkapil.com/blogs/Shellcode-Injection/
======
cedricvg
Almost every program nowadays is compiled with W^X (--no_execstack) by default
which means the memory is not executable and writable at once (Windows
equivalent is DEP). Still a good example of how a basic overflow can lead to
arbitrary code execution. A follow-up post using ROP or return-to-libc would
be interesting, with W^X enabled.
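
Added example (not code from the blog post or from any commenter) for the W^X point above: a small check that tells you whether the stack of a process is actually executable, which is what `-z execstack` turns back on for the demo. It parses the permission column of `/proc/<pid>/maps` (Linux only; the sample lines below are constructed, not captured from a real process) and can also inspect the running process itself.

```c
#include <stdio.h>
#include <string.h>

/* Constructed /proc/<pid>/maps lines (not captured from a real process).
 * The second column is the permission string: "rw-p" is a W^X stack,
 * "rwxp" is what you get after linking with -z execstack. */
static const char NX_STACK_LINE[]   = "7ffd2a3c0000-7ffd2a3e1000 rw-p 00000000 00:00 0   [stack]\n";
static const char EXEC_STACK_LINE[] = "7ffd2a3c0000-7ffd2a3e1000 rwxp 00000000 00:00 0   [stack]\n";
static const char HEAP_LINE[]       = "5592f1a00000-5592f1a21000 rw-p 00000000 00:00 0   [heap]\n";

/* Classifies one maps line: 1 if it is the stack mapping and executable,
 * 0 if it is the stack mapping and not executable, -1 if it is some other
 * mapping or cannot be parsed. Matches "[stack" so that the per-thread
 * "[stack:<tid>]" entries of older kernels are recognised too. */
int classify_stack_line(const char *line) {
    char perms[8] = {0};
    if (strstr(line, "[stack") == NULL) return -1;
    if (sscanf(line, "%*s %7s", perms) != 1) return -1;
    if (strlen(perms) < 3) return -1;
    return perms[2] == 'x' ? 1 : 0;
}

/* Same check on the running process (Linux only; -1 where /proc is absent). */
int stack_is_executable_now(void) {
    FILE *fp = fopen("/proc/self/maps", "r");
    char line[512];
    int result = -1;
    if (fp == NULL) return -1;
    while (fgets(line, sizeof line, fp) != NULL) {
        int r = classify_stack_line(line);
        if (r >= 0) { result = r; break; }
    }
    fclose(fp);
    return result;
}

int main(void) {
    int r = stack_is_executable_now();
    if (r < 0)
        puts("could not read /proc/self/maps");
    else
        printf("this process's stack is %s\n",
               r ? "executable (W^X off, as with -z execstack)"
                 : "non-executable (W^X in effect)");
    return 0;
}
```

Before running a binary you can also check the ELF program headers with `readelf -l ./binary | grep GNU_STACK`: the flags read `RW` for a non-executable stack and `RWE` after linking with `-z execstack`.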

~~~
vampire_dk
I'll try it next. Thanks for the suggestion :)

------
juanuys
My favourite resource for these types of exploits used to be phiral.com (see
Wayback Machine circa March 2007 [1], since it doesn't exist anymore),
belonging to author Jon Erickson who wrote "Hacking: the Art of Exploitation"
[2].

[1]
[https://web.archive.org/web/20070305111749/http://phiral.com...](https://web.archive.org/web/20070305111749/http://phiral.com/)

[2]
[https://en.wikipedia.org/wiki/Hacking:_The_Art_of_Exploitati...](https://en.wikipedia.org/wiki/Hacking:_The_Art_of_Exploitation)

~~~
vampire_dk
This book is quite good. It was my first introduction to this area.

------
trampi
The same author refers to another article of his, in which he explains the
basics of buffer overflows quite nicely.
[https://dhavalkapil.com/blogs/Buffer-Overflow-Exploit/](https://dhavalkapil.com/blogs/Buffer-Overflow-Exploit/)

------
dimdimdim
Here are 2 good courses on Assembly and Shellcoding on x86 and x86_64 if you
are interested:

[http://www.pentesteracademy.com/topics?v=nhr](http://www.pentesteracademy.com/topics?v=nhr)

------
Ecco
Why "echo 0 | dd of=foo" and not simply "echo 0 > foo"?

~~~
nautical

        echo 0 > foo                 # won't work with sudo ...
        sudo echo 0 > foo            # will fail ...
        sudo sh -c 'echo 0 > foo'    # if you want echo with sudo
    

Otherwise, what the author has done is right.

~~~
tomsthumb
piping to `sudo tee <fname>` is also a nice alternative

------
dmeeze
I must be missing something. If you can create an executable which is suid you
already have root...

~~~
anewhnaccount
The scenario is someone else has set setuid on an executable which is
vulnerable to buffer overflows.

------
amenod
> ... -fno-stack-protector -z execstack

Does anyone know how common stack protector is in the wild?

~~~
pm24601
From the responses to this stackoverflow question:
[http://stackoverflow.com/questions/1629685/when-and-how-to-use-gccs-stack-protection-feature](http://stackoverflow.com/questions/1629685/when-and-how-to-use-gccs-stack-protection-feature)

The protection only protects under some circumstances, not all. So this demo
still seems valid. Also, the protection comes at the cost of extra code (and
extra execution time).

This means to me that any IoT device probably does not have stack protection.

~~~
0x0539
Actually, this demo would be stopped if the stack protector was on. The demo
relies upon overwriting the return pointer that controls where the function
jumps to upon returning.

The stack protector acts as a guard against overwriting that value without
knowing a key that is stored elsewhere in memory. You'd need some memory
disclosure issue to get the key or brute force the key.
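
Added example (not code from the blog post or from any commenter) that models the check described in the comment above. It lays a buffer, the canary and the saved return address out in a struct the way `-fstack-protector` orders a frame, runs the overflow against it, and then performs the epilogue comparison. The guard value and the two return addresses are constructed stand-ins for illustration; the second scenario shows why the protection is only as good as the secrecy of that value.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Model of a frame compiled with -fstack-protector, laid out as the compiler
 * does it: the local buffer sits below the canary, and the canary sits below
 * the saved return address. Writing past the end of buf therefore clobbers
 * the canary before it can reach the return address. Fixed 64-bit fields
 * keep the layout identical on every platform this runs on. */
struct frame {
    char buf[16];
    uint64_t canary;
    uint64_t saved_ret;
};

/* Constructed stand-ins (hypothetical values). A real process reads the
 * canary from thread-local storage (fs:0x28 on x86_64 glibc); glibc also
 * zeroes its low byte so that string functions stop at it. */
static const uint64_t GUARD        = 0x2a9f3c17e5b8d400ULL;
static const uint64_t LEGIT_RET    = 0x0000000000400600ULL; /* hypothetical caller */
static const uint64_t ATTACKER_RET = 0x00000000deadbeefULL; /* hypothetical target */

/* The bug: input is copied into buf with no bounds check. The epilogue then
 * performs the check the compiler emits: returns 1 if the canary still
 * matches (normal return), 0 if it does not (where __stack_chk_fail would
 * abort the process). The copy is capped at sizeof(struct frame) only to
 * keep the model itself within defined behaviour; it still overruns buf. */
int vulnerable_return(const unsigned char *input, size_t len, uint64_t *ret_target) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = GUARD;
    f.saved_ret = LEGIT_RET;
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, input, len);            /* overflows from buf into canary and saved_ret */
    *ret_target = f.saved_ret;
    return f.canary == GUARD ? 1 : 0;
}

/* Builds a 32-byte overflow: 16 bytes of filler, then what lands in the
 * canary slot, then the new return address. */
size_t build_payload(unsigned char *out, uint64_t canary_slot, uint64_t new_ret) {
    memset(out, 'A', 16);
    memcpy(out + 16, &canary_slot, sizeof canary_slot);
    memcpy(out + 24, &new_ret, sizeof new_ret);
    return 32;
}

/* Scenario 1: blind overflow. The canary slot receives filler, the check
 * fails, and the hijacked return address is never used. Returns 1 if detected. */
int blind_overflow_detected(void) {
    unsigned char payload[32];
    uint64_t ret = 0;
    size_t n = build_payload(payload, 0x4141414141414141ULL, ATTACKER_RET);
    return vulnerable_return(payload, n, &ret) == 0;
}

/* Scenario 2: the attacker already knows GUARD (a memory disclosure, or a
 * byte-by-byte brute force against a forking service that keeps the same
 * canary across children) and writes it back in place. The check passes and
 * control goes to ATTACKER_RET. Returns 1 if the bypass worked. */
int leaked_canary_bypasses_check(void) {
    unsigned char payload[32];
    uint64_t ret = 0;
    size_t n = build_payload(payload, GUARD, ATTACKER_RET);
    return vulnerable_return(payload, n, &ret) == 1 && ret == ATTACKER_RET;
}

int main(void) {
    printf("blind overflow detected:      %d\n", blind_overflow_detected());
    printf("leaked canary bypasses check: %d\n", leaked_canary_bypasses_check());
    return 0;
}
```

The first scenario is what happens to the blog's demo when it is compiled without `-fno-stack-protector`: the copy still smashes the frame, but the process aborts before the corrupted return address is ever used. The second is the reason a canary is a mitigation rather than a fix: once the value is known, the same overflow lands exactly as before.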

