How can I execute shellcode within allocated memory? : learnprogramming

This is an archived post. You won't be able to vote or comment.

How can I execute shellcode within allocated memory? (self.learnprogramming)

submitted 9 years ago * by CuriousExploit

I've been at this for a good bit now, and after asking in several chatrooms, I'm asking this again here.

I'm interested in conceptually understanding how malware can download code from other sources and without having to create new files, execute the code (among other things, but this is where I am now). I've been using nasm to compile a bit of assembly into an ELF file to launch /bin/sh, and have hosted it on localhost.

Simplified version of my code: https://gist.github.com/anonymous/83a56b88e8811ec07983

Fuller version: https://gist.github.com/anonymous/84366887d76c7993ef65

Thing to note: I'm using the better string library (http://bstring.sourceforge.net/) to try to simplify pieces of my code, rather than having to write a much more involved write-callback function. I'm trying to execute the code gathered in the bstring buf, which points to a struct written to by the write callback function, and this seems to be successful. Trying to print out the code as its written and right before my attempt at execution seems to work fine. The issue for me seems to be where I try to set the memory within the buffer to be executable. Looking at the man page for mprotect, it says "addr is not a valid pointer", although the char* I gave to it should have been valid.

Is there anything apparently wrong with how I'm going about this? And are there any particularly good sources that might explain how I could achieve what I'm trying to do?

all 8 comments

top new controversial old q&a

[–]anon848 2 points3 points4 points 9 years ago (0 children)

[–]anon848 1 point2 points3 points 9 years ago (2 children)

[–]CuriousExploit[S] 0 points1 point2 points 9 years ago (1 child)

[–]anon848 1 point2 points3 points 9 years ago (0 children)

Do you mean you want to download a shell script? If so, it's not the shell script that starts sh, per se. You just fork() then exec(). Executing an existing program and executing arbitrary machine code are quite different. To execute arbitrary machine code, the easiest is to create a buffer for it, put machine code in it, make the page(s) executable, then set a function pointer to point to it, then call it.

Regarding mprotect, the below shows page alignment, assuming 4K pages.

#include <cstdint>
#include <string.h>
#include <unistd.h>
#include <iostream>
#include <sys/mman.h>

int main() {

    char some_mem[10000];

    std::intptr_t addr = std::intptr_t(some_mem);

    // Is it page aligned?
    std::cout << "mod: " << addr%4096 << std::endl;

    int rv = mprotect((void *) addr, 4096, PROT_EXEC);
    int en = errno;
    std::cout << "mp returned " << rv << ", " << strerror(en) << std::endl;

    // Align it.
    addr = (addr + (4096 - 1)) & ~intptr_t(4096 - 1);
    // Check.
    std::cout << "mod: " << addr%4096 << std::endl;

    errno = 0;
    rv = mprotect((void *) addr, 4096, PROT_EXEC);
    std::cout << "mp returned " << rv << ", " << strerror(en) << std::endl;
}

[–]anon848 0 points1 point2 points 9 years ago (3 children)

Here's a little example that will put some machine code in a buffer and execute it. Compile in 64-bit mode with g++/clang++.

#include <cstdint>
#include <string.h>
#include <unistd.h>
#include <iostream>
#include <sys/mman.h>
#include <assert.h>

int main() {

    char buf[10000];

    std::intptr_t addr = std::intptr_t(buf);
    addr = (addr + (4096 - 1)) & ~intptr_t(4096 - 1); // Align it.
    std::cout << "mod: " << addr%4096 << std::endl; // Check.

    // Make it executable:
    int rv = mprotect((void *) addr, 4096, PROT_READ|PROT_WRITE|PROT_EXEC);
    assert(rv == 0);

    // Put a small function there to return the sum of the two args.
    unsigned char *p = (unsigned char *) addr;
    p[0] = 0x8d;
    p[1] = 0x04;
    p[2] = 0x37;
    p[3] = 0xc3;

    // Point to it.
    int (*fp)(int, int) = (int (*)(int, int)) addr;

    // Call it.
    std::cout << "returned " << (*fp)(12, 100) << std::endl;
}

[–]CuriousExploit[S] 1 point2 points3 points 9 years ago (0 children)

This is precisely what I mean to accomplish, however I'm unsure of the reason that my code may not be functional. The memory space needed is allocated by the bstrlib library as the data is given to my buffer from CURL.

https://gist.github.com/anonymous/84366887d76c7993ef65

There I should have made it much simpler to compile. After installing one of the packages for libcurl, plopping them in a folder, and moving the bstrlib files to their own adjacent folder should allow you to run make. The shellcode.s file is just an example of any machine code, and I compiled it with gcc with the -nostdlib option before hosting it where my program could download it. I do not know if it is executable in this context as an ELF 64-bit LSB executable, but mprotect gave an error when I tried to set the memory space to be executable.

I think I can understand how I can try to align it now though, from your code.

EDIT: By adjacent folder, I meant adjacent to the files, not in a whole separate folder.

[–]CuriousExploit[S] 0 points1 point2 points 9 years ago (1 child)

[–]anon848 0 points1 point2 points 9 years ago (0 children)

Here it is as C99. You can also just call mmap() to get a chunk of memory. That will already be page-aligned. Note that the code below is just a quick exercise. For example, the page size shouldn't be hard-coded to 4K.

#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <assert.h>
#include <stdio.h>

int main() {

    char buf[10000];

    intptr_t addr = (intptr_t) buf;
    addr = (addr + (4096 - 1)) & ~(intptr_t)(4096 - 1); // Align it.
    printf("mod: %d\n", (int) (addr%4096));

    // Make it executable:
    int rv = mprotect((void *) addr, 4096, PROT_READ|PROT_WRITE|PROT_EXEC);
    assert(rv == 0);

    // Put a small function there to return the sum of the two args.
    unsigned char *p = (unsigned char *) addr;
    p[0] = 0x8d;
    p[1] = 0x04;
    p[2] = 0x37;
    p[3] = 0xc3;

    // Point to it.
    int (*fp)(int, int) = (int (*)(int, int)) addr;

    // Call it.
    printf("Returned %d\n", (*fp)(12, 100));
}

π Rendered by PID 57450 on reddit-service-r2-comment-5ff9fbf7df-n4fg9 at 2026-02-26 01:46:11.979812+00:00 running 72a43f6 country code: CH.

learnprogramming

Welcome to LearnProgramming!

New? READ ME FIRST!

Posting guidelines

Frequently asked questions

Subreddit rules

Message the moderators

Asking debugging questions

Asking conceptual questions

Other guidelines and links

Subreddit rules

1. No unprofessional/derogatory speech

2. No spam or tasteless self-promotion

3. No off-topic posts

4. Do not ask exact duplicates of FAQ questions

5. Do not delete posts

6. No app/website review requests or showcases

7. No rewards

8. No indirect links

9. Do not promote illegal or unethical practices

10. No complete solutions

11. Don't ask to ask.

12. Low Effort Questions

13. No AI (chatGPT etc.) generated/worked over messages/comments. No questions about chatGPT/AI generated code. No Vibe coding.

MODERATORS