I'm trying to create a main. I compiled my code with:
$ gcc -g3 -o shellcode shellcode.c
But I always get a Segmentation fault (core dumped).
Using GDB, I see that the first instruction is executed correctly, but not the following ones.
pwndbg> b * main
Breakpoint 1 at 0x4020
pwndbg> r
────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]─────────────────────────────────────────────────────
► 0x555555558020 <main> jmp main+15 <main+15>
↓
0x55555555802f <main+15> call main+2 <main+2>
0x555555558034 <main+20> insb byte ptr [rdi], dx
0x555555558037 <main+23> insb byte ptr [rdi], dx
0x555555558038 <main+24> outsd dx, dword ptr [rsi]
0x555555558039 <main+25> sub al, 0x57
0x55555555803b <main+27> outsd dx, dword ptr [rsi]
0x55555555803c <main+28> jb 0x5555555580aa <0x5555555580aa>
0x55555555803e <main+30> and dword ptr fs:[rax], eax
0x555555558041 <completed> add byte ptr [rax], al
0x555555558043 add byte ptr [rax], al
pwndbg> disass
Dump of assembler code for function main:
=> 0x0000555555558020 <+0>: jmp 0x55555555802f <main+15>
0x0000555555558022 <+2>: push 0x1
0x0000555555558024 <+4>: pop rax
0x0000555555558025 <+5>: mov rdi,rax
0x0000555555558028 <+8>: pop rsi
0x0000555555558029 <+9>: push 0xc
0x000055555555802b <+11>: pop rdx
0x000055555555802c <+12>: syscall
0x000055555555802e <+14>: (bad)
0x000055555555802f <+15>: call 0x555555558022 <main+2>
0x0000555555558034 <+20>: rex.W
0x0000555555558035 <+21>: gs ins BYTE PTR es:[rdi],dx
0x0000555555558037 <+23>: ins BYTE PTR es:[rdi],dx
0x0000555555558038 <+24>: outs dx,DWORD PTR ds:[rsi]
0x0000555555558039 <+25>: sub al,0x57
0x000055555555803b <+27>: outs dx,DWORD PTR ds:[rsi]
0x000055555555803c <+28>: jb 0x5555555580aa
0x000055555555803e <+30>: and DWORD PTR fs:[rax],eax
pwndbg> ni
0x555555558020 <main> jmp main+15 <main+15>
↓
► 0x55555555802f <main+15> call main+2 <main+2>
rdi: 1
rsi: 0x7fffffffdff8 —▸ 0x7fffffffe26d ◂— '/shellcode'
rdx: 0x7fffffffe008 —▸ 0x7fffffffe2ba ◂— 'SHELL=/bin/bash'
rcx: 0x555555557df8 (__do_global_dtors_aux_fini_array_entry) —▸ 0x5555555550e0 (__do_global_dtors_aux) ◂— endbr64
0x555555558034 <main+20> insb byte ptr [rdi], dx
0x555555558037 <main+23> insb byte ptr [rdi], dx
0x555555558038 <main+24> outsd dx, dword ptr [rsi]
0x555555558039 <main+25> sub al, 0x57
0x55555555803b <main+27> outsd dx, dword ptr [rsi]
0x55555555803c <main+28> jb 0x5555555580aa <0x5555555580aa>
0x55555555803e <main+30> and dword ptr fs:[rax], eax
0x555555558041 <completed> add byte ptr [rax], al
0x555555558043 add byte ptr [rax], al
pwndbg> ni
Program received signal SIGSEGV, Segmentation fault.
0x555555558020 <main> jmp main+15 <main+15>
► 0x55555555802f <main+15> call main+2 <main+2>
rdi: 1
rsi: 0x7fffffffdff8 —▸ 0x7fffffffe26d ◂— '/shellcode'
rdx: 0x7fffffffe008 —▸ 0x7fffffffe2ba ◂— 'SHELL=/bin/bash'
rcx: 0x555555557df8 (__do_global_dtors_aux_fini_array_entry) —▸ 0x5555555550e0 (__do_global_dtors_aux) ◂— endbr64
0x555555558034 <main+20> insb byte ptr [rdi], dx
0x555555558037 <main+23> insb byte ptr [rdi], dx
0x555555558038 <main+24> outsd dx, dword ptr [rsi]
0x555555558039 <main+25> sub al, 0x57
0x55555555803b <main+27> outsd dx, dword ptr [rsi]
0x55555555803c <main+28> jb 0x5555555580aa <0x5555555580aa>
0x55555555803e <main+30> and dword ptr fs:[rax], eax
0x555555558041 <completed> add byte ptr [rax], al
0x555555558043 add byte ptr [rax], al
As you can see, the first instruction is executed because we jumped to 0x55555555802f.
I tried using only nop instructions, but the same issue keeps occurring.
So can someone help me? Thank you.
Your code is placed in the part of memory which has no execution rights.
You need to place it in the .text section accommodating executable code.
char __attribute__((section(".text"))) main[] = ....
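The same fix in a form that does not rely on the linker placing a data array in .text: an added example, not the poster's or the answerer's code, that copies a stub into an anonymous mapping, flips it from RW to RX with mprotect, and calls it through a function pointer. The stub bytes are constructed for illustration (mov eax,42 ; ret on x86-64, mov w0,#42 ; ret on AArch64); the poster's write(1, ...) shellcode could be run the same way once it ends cleanly in an exit syscall or a ret. It assumes Linux with glibc. Note that in a file that also defines functions, GCC can reject a data object placed in .text with a "section type conflict" error, which is one practical reason to obtain executable memory at runtime instead.

```c
// Added example (not from the original page): run position-independent code from
// memory whose protections we control, instead of from .data/.bss, which the
// loader maps without PROT_EXEC. Assumes Linux/glibc.
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

// Constructed stub for this example: returns 42 in the integer return register.
#if defined(__x86_64__)
static const unsigned char STUB[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00,   // mov eax, 42
                                      0xc3 };                         // ret
#elif defined(__aarch64__)
static const unsigned char STUB[] = { 0x40, 0x05, 0x80, 0x52,         // mov w0, #42
                                      0xc0, 0x03, 0x5f, 0xd6 };       // ret
#else
static const unsigned char STUB[] = { 0 };                            // unsupported arch
#endif

typedef int (*stub_fn)(void);

// Copy `code` into a fresh RW mapping, make it RX (never RWX), and call it.
// Returns the stub's return value, or -1 on failure / unsupported architecture.
int run_shellcode(const unsigned char *code, size_t len)
{
#if !defined(__x86_64__) && !defined(__aarch64__)
    (void)code; (void)len;
    return -1;
#else
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || len == 0) return -1;
    size_t size = ((len + (size_t)page - 1) / (size_t)page) * (size_t)page;

    // Writable but not executable while we fill it in.
    void *mem = mmap(NULL, size, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -1;
    memcpy(mem, code, len);

    // Required on AArch64 (separate I/D caches); a no-op on x86-64.
    __builtin___clear_cache((char *)mem, (char *)mem + len);

    // Drop write, gain execute: the W^X transition the poster's .data array never gets.
    if (mprotect(mem, size, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, size);
        return -1;
    }

    stub_fn fn = (stub_fn)mem;
    int ret = fn();
    munmap(mem, size);
    return ret;
#endif
}

int main(void)
{
    int r = run_shellcode(STUB, sizeof STUB);
    printf("stub returned %d\n", r);
    return r == 42 ? 0 : 1;
}
```

The contrast with the original program is the mapping's permissions, not the bytes: a `char[]` at file scope lands in .data (or .bss), which the loader maps RW, so the CPU faults on the very first fetch from it; the jump in the question "works" only in the sense that GDB displays the target before the fault is reported. Mapping RW first, then switching to RX, keeps the page W^X, which is what a hardened kernel or SELinux execmem policy expects.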