4

I'm studying the basics of making shell code. I have a question about it.

In my textbook, the author stores his shell code in an environment variable, and injects the address of it using strcpy() in a program.
When he makes his shell code, he removes null bytes. He says that this is because strcpy() will stop at null bytes.

However, I think, because strcpy() just gets the address of the environment variable (storing his shell code), if his shell code has null bytes, it doesn't matter. I think that his goal is to change the return address to the path of the environment variable.
In the textbook, a shell code which has null bytes doesn't work in this situation, but a null-free shell code does.
I can't understand the reason why we need to remove null bytes in this situation.

John Smith

2 Answers

2

You are correct in this situation; strcpy will indeed stop reading when it reaches a null byte, but this only needs to be done to shellcode that is passed directly to a string function that expects null-terminated strings. Of course, null bytes are valid machine code.

Since you are only injecting the address to your payload and not the actual payload itself, strcpy will not be reading the payload, as you have surmised.

Perhaps the author made a simple mixup; there certainly may be scenarios where it is desirable to pass the entire payload through something like strcpy, in which case you would indeed need to deal with the null bytes.

See this answer for some history.

multithr3at3d
0

A null terminator is a method of “secure” coding because it is assumed that the string has ended once a null byte is read. This supposedly helps prevent buffer overflows, and other such issues. In the case of string copy, the function will go to the memory address you specify, read a byte of data, and write it to the new location. It will increment the memory addresses and copy the values until it reads null and the function will exit.

If you have a null value in your shell code, when it goes through the strcpy() the function will assume the null in your shell code is the end of the string and exit, leaving your shell code copy incomplete.

SuperAdmin
  • Thank you for the answer. In this case, `strcpy()` does not get his shell code directly, does it? I think that the return address will change into the address of the environment variable, and the shell code is executed. So, if the address of the environment variable has null bytes, I can understand it doesn't work. – John Smith Apr 30 '18 at 02:12
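An added example (not from either answer or the textbook) showing in C the mechanism both answers describe: strcpy() truncates a byte string at its first NUL, an explicit-length memcpy() does not, and a pointer value written through strcpy() loses every byte after its first zero byte, which is the case raised in the comment. The payload bytes and both addresses are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 8-byte stand-in for a payload with an embedded NUL at offset 3.
 * It is an arbitrary byte string, not machine code. The literal carries its
 * own terminating NUL at offset 8, so strcpy() never reads out of bounds. */
static const char payload[9] = "ABC\0" "DEFG";
#define PAYLOAD_LEN 8

/* Copy the payload with strcpy() and report how many bytes arrived before
 * the terminator: strcpy() stops at the first NUL it reads. */
size_t bytes_copied_by_strcpy(void) {
    char dst[PAYLOAD_LEN + 1];
    memset(dst, 0xEE, sizeof dst);   /* poison so truncation is visible */
    strcpy(dst, payload);
    return strlen(dst);              /* 3: only "ABC" made it */
}

/* Copy with an explicit length instead: memcpy() carries the embedded NUL
 * through. Returns 1 when all PAYLOAD_LEN bytes match the source. */
int memcpy_preserves_embedded_nul(void) {
    char dst[PAYLOAD_LEN];
    memcpy(dst, payload, PAYLOAD_LEN);
    return memcmp(dst, payload, PAYLOAD_LEN) == 0;
}

/* The comment's case: an address value (not the payload) written through
 * strcpy(). Little-endian byte order; strcpy() keeps only the bytes before
 * the first zero byte. Returns that count for a width of up to 8 bytes. */
size_t addr_bytes_strcpy_keeps(uint64_t addr, size_t width) {
    unsigned char le[8];
    if (width > sizeof le) width = sizeof le;
    for (size_t i = 0; i < width; i++)
        le[i] = (unsigned char)(addr >> (8 * i));
    const unsigned char *nul = memchr(le, 0, width);
    return nul ? (size_t)(nul - le) : width;
}

int main(void) {
    printf("strcpy copied %zu of %d payload bytes\n", bytes_copied_by_strcpy(), PAYLOAD_LEN);
    printf("memcpy preserved all bytes: %d\n", memcpy_preserves_embedded_nul());
    /* Constructed 32-bit stack address with no zero byte: all 4 bytes survive. */
    printf("0xbffffa40: %zu/4 bytes survive strcpy\n", addr_bytes_strcpy_keeps(0xbffffa40u, 4));
    /* Constructed 64-bit user-space address: the two high bytes are zero, so 6 of 8 survive. */
    printf("0x00007ffc1234abcd: %zu/8 bytes survive strcpy\n", addr_bytes_strcpy_keeps(0x00007ffc1234abcdULL, 8));
    return 0;
}
```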