DII
DevHeads IoT Integration Server4mo ago
Marvee Amasi

Issues with 64-bit DLL Injection Shellcode on OpenBSD Ignoring Integer Pushes

I want to inject a 64 bit DLL into a 64 bit process on OpenBSD. The shellcode needs to push several 64 bit values onto the stack, including the old instruction pointer, the address of the DLL, and the address of the LoadLibrary function. 
section .text
global _start

_start:
    push qword 0xACEACEACACEACEAC  ; instruction pointer
    pushfq
    push rax
    push qword 0xACEACEACACEACEAC  ; address of the DLL
    mov rax, 0xACEACEACACEACEAC  ; address of LoadLibrary
    call rax
    pop rax
    popfq
    ret
section .text
global _start

_start:
    push qword 0xACEACEACACEACEAC  ; instruction pointer
    pushfq
    push rax
    push qword 0xACEACEACACEACEAC  ; address of the DLL
    mov rax, 0xACEACEACACEACEAC  ; address of LoadLibrary
    call rax
    pop rax
    popfq
    ret
When I assemble and run this code : 
nasm -f elf64 -o shellcode.o shellcode.asm
ld -o shellcode shellcode.o
nasm -f elf64 -o shellcode.o shellcode.asm
ld -o shellcode shellcode.o
It seems to be ignoring the 64 bit integer pushes. My assembly syntax should be correct and I have checked that there are no other errors in the code. I've also tried different values for the 64-bit integers, but the issue persists. Any insights ?
Solution:
@Marvee Amasi The issue with your shellcode on OpenBSD is likely due to security features like W^X, which prevents memory regions from being writable and executable simultaneously, and strict requirements for stack alignment. To address this, ensure that the memory region containing your shellcode is executable using mprotect if necessary. Also, make sure the stack is 16-byte aligned before calling LoadLibrary to meet the x86-64 ABI requirements. Verify that NASM correctly encodes the push instructions by checking the output with a disassembler, and ensure you are using the correct assembler and linker flags for 64-bit mode. Debugging with a tool like gdb can also help trace the execution and confirm that the 64-bit values are pushed correctly onto the stack....
Jump to solution
2 Replies
Solution
Enthernet Code
Enthernet Code4mo ago
@Marvee Amasi The issue with your shellcode on OpenBSD is likely due to security features like W^X, which prevents memory regions from being writable and executable simultaneously, and strict requirements for stack alignment. To address this, ensure that the memory region containing your shellcode is executable using mprotect if necessary. Also, make sure the stack is 16-byte aligned before calling LoadLibrary to meet the x86-64 ABI requirements. Verify that NASM correctly encodes the push instructions by checking the output with a disassembler, and ensure you are using the correct assembler and linker flags for 64-bit mode. Debugging with a tool like gdb can also help trace the execution and confirm that the 64-bit values are pushed correctly onto the stack.
Marvee Amasi
Marvee Amasi4mo ago
Oh thanks Was able to fix it I also had a typo .hex_str: ... Had to remove the leading dot.
Want results from more Discord servers?
Add your server