[英]Shellcode C Program Harness
很难使基本的Shellcode程序/测试C程序正常工作。 当我自己运行程序(nasm和ld)时,汇编程序(如下所示)似乎可以正常工作---它打开一个名为key的文件,一次读取1个字节,并将其显示到stdout。
我已经获取了该asm文件,并将十六进制编码提取为硬编码到我的C语言程序中的一个名为assn1 []的char []中,并使用函数指针执行了代码,但最终出现了段错误。 为了确保我不发疯,我添加了另一个名为shellcode []的char [],该字符可容纳用于弹出外壳的十六进制(aleph1),这似乎还可以。 我在运行C可执行文件之前先调用execstack -s。
任何帮助将不胜感激! 我现在已经花了几个小时了...
assn1.asm -------
jmp short bottom ; relative addressing start
top:
; setup params for open()
pop ebx ; param1 ebx now holds 'key'
xor ecx, ecx ; param2 ecx corresponds to flag O_RDONLY
; param3 edx not required for existing file
xor eax, eax ; clear eax to 0
mov al, 5 ; syscall open()
int 0x80 ; software interrupt to call open()
; returns int filedescriptor in eax
; setup params for read() and write()
mov ebx, eax ; param1 ebx now holds filedescriptor
sub esp, 1 ; allocate buffer of 1 bytes on stack
mov ecx, esp ; param2 ecx now points to buffer
xor edx, edx ; clear edx
inc edx ; param3 edx set to 1 byte to be read
rwloop:
xor eax, eax ; clear eax
mov al, 3 ; syscall code for read()
int 0x80 ; read() 1 byte into buffer
test eax,eax ; if eax=0, read() reached EoF
jz end ; and stop reading/writing
; else get ready to write
push ebx ; store filedescriptor for KEY onto stack
xor ebx, ebx ; clear ebx
inc ebx ; param1 ebx = 1 for stdout
; param2 and param3 same from read()
xor eax, eax ; clear eax
mov al, 4 ; syscall for write()
int 0x80
pop ebx ; restore filedescriptor to ebx
jmp rwloop
end:
; place esp back to original point on stack
; add esp, 1
; exit cleanly
xor ebx,ebx ; retcode = 1
xor eax,eax ; eax = 0
inc eax ; eax = 1, syscall exit(1)
int 0x80
bottom:
call top ; address of key pushed on stack
db 'key', 0
assn1_harness.c-
#include <sys/mman.h>
#include <stdio.h>
#include <stdlib.h>
// The trailing null byte is implied because this is a string
char shellcode[] = {
"\xeb\x16\x5e\x31\xd2\x52\x56\x89\xe1\x89\xf3\x31\xc0\xb0\x0b\xcd"
"\x80\x31\xdb\x31\xc0\x40\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69"
"\x6e\x2f\x73\x68"
};
char assn1[] = {
"\xeb\x43\x66\x5b\x66\x31\xc9\x66\x31\xc0\xb0\x05\xcd\x80\x66\x89"
"\xc3\x66\x83\xec\x01\x66\x89\xe1\x66\x31\xd2\x66\x42\x66\x31\xc0"
"\xb0\x03\xcd\x80\x66\x85\xc0\x74\x12\x66\x53\x66\x31\xdb\x66\x43"
"\x66\x31\xc0\xb0\x04\xcd\x80\x66\x5b\xeb\xe2\x66\x31\xdb\x66\x31"
"\xc0\x66\x40\xcd\x80\xe8\xba\xff\x6b\x65\x79"
};
int main (int argc, char **argv) {
int (*func)();
//func = (int (*)()) shellcode;
func = (int (*)()) assn1;
(*func)();
return 0;
}
您的机器代码是错误的,它似乎被汇编为16位代码。 你忘了bits 32
。
这样效果更好:
char assn1[] = {
"\xeb\x31\x5b\x31\xc9\x31\xc0\xb0\x05\xcd\x80\x89\xc3\x83\xec\x01"
"\x89\xe1\x31\xd2\x42\x31\xc0\xb0\x03\xcd\x80\x85\xc0\x74\x0d\x53"
"\x31\xdb\x43\x31\xc0\xb0\x04\xcd\x80\x5b\xeb\xe9\x31\xdb\x31\xc0"
"\x40\xcd\x80\xe8\xca\xff\xff\xff\x6b\x65\x79"
};
学习使用调试器。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.