shellcode
Source: Internet   Editor: 程序博客网   Time: 2024/04/27 23:23
Here we will write a very simple piece of shellcode whose job is to obtain a command shell. Starting from the shellcode's C source, we will build it up step by step and then extract the shellcode.
The C source for the shellcode is:
root@linux:~/pentest# cat shellcode.c

```c
#include <stdio.h>
#include <unistd.h>   /* prototype for execve() */

int main(int argc, char **argv) {

    char *name[2];
    name[0] = "/bin/bash";   /* argv[0] for the new program */
    name[1] = NULL;          /* argv must be NULL-terminated */

    execve(name[0], name, NULL);   /* envp = NULL: empty environment */

    return 0;
}
```
To avoid interference from dynamic linking, compile the shellcode program statically:
root@linux:~/pentest# gcc -static -g -o shellcode shellcode.c
Next, load the shellcode program in gdb and analyse it:
```text
root@linux:~/pentest# gdb shellcode
GNU gdb (Ubuntu/Linaro 7.2-1ubuntu11) 7.2
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /root/pentest/shellcode...done.
(gdb) disass main
Dump of assembler code for function main:
   0x080482c0 <+0>:     push   %ebp
   0x080482c1 <+1>:     mov    %esp,%ebp
   0x080482c3 <+3>:     and    $0xfffffff0,%esp
   0x080482c6 <+6>:     sub    $0x20,%esp
   0x080482c9 <+9>:     movl   $0x80ae428,0x18(%esp)
   0x080482d1 <+17>:    movl   $0x0,0x1c(%esp)
   0x080482d9 <+25>:    mov    0x18(%esp),%eax
   0x080482dd <+29>:    movl   $0x0,0x8(%esp)
   0x080482e5 <+37>:    lea    0x18(%esp),%edx
   0x080482e9 <+41>:    mov    %edx,0x4(%esp)
   0x080482ed <+45>:    mov    %eax,(%esp)
   0x080482f0 <+48>:    call   0x8052f10 <execve>
   0x080482f5 <+53>:    mov    $0x0,%eax
   0x080482fa <+58>:    leave
   0x080482fb <+59>:    ret
End of assembler dump.
```
From the disassembly, the layout of the function's stack frame just before the call instruction executes is as shown in the figure below:
Now let's run the shellcode program under gdb to check whether the analysis above is entirely correct.
```text
(gdb) b main
Breakpoint 1 at 0x80482c9: file shellcode.c, line 6.
(gdb) b *main+48
Breakpoint 2 at 0x80482f0: file shellcode.c, line 9.
(gdb) r
Starting program: /root/pentest/shellcode

Breakpoint 1, main (argc=1, argv=0xbffff474) at shellcode.c:6
6         name[0] = "/bin/bash";
(gdb) x/s 0x80ae428
0x80ae428:       "/bin/bash"
(gdb) c
Continuing.

Breakpoint 2, 0x080482f0 in main (argc=1, argv=0xbffff474) at shellcode.c:9
9         execve(name[0], name, NULL);
(gdb) x/4bx $ebp-40
0xbffff3b0:     0x28    0xe4    0x0a    0x08
(gdb) x/4bx $ebp-36
0xbffff3b4:     0xc8    0xf3    0xff    0xbf
(gdb) x/4bx $ebp-32
0xbffff3b8:     0x00    0x00    0x00    0x00
(gdb) x/4bx $ebp-12
0xbffff3cc:     0x00    0x00    0x00    0x00
(gdb) x/4bx $ebp-16
0xbffff3c8:     0x28    0xe4    0x0a    0x08
(gdb)
```
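To check the stack-frame analysis above mechanically rather than by eye, here is an added C example (not part of the original article): it replays the prologue's `and`/`sub` arithmetic on the observed `$ebp`, rebuilds 32-bit values from the little-endian `x/4bx` dumps copied from the session, and verifies the relationships the analysis predicts. The frame image is constructed from those dumps; bytes gdb was never asked for are assumed to be zero.

```c
#include <stdint.h>
#include <stdbool.h>

/* Frame base observed in the gdb session ($ebp-40 printed as 0xbffff3b0). */
#define EBP        0xbffff3d8u
#define FRAME_LO   0xbffff3b0u   /* lowest address dumped: $ebp-40 */
#define FRAME_BYTES 32           /* covers $ebp-40 .. $ebp-9       */

/* gdb's x/4bx prints bytes in memory order; i386 is little-endian,
   so the value is rebuilt least-significant byte first. */
static uint32_t le32(const uint8_t *b) {
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 |
           (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/* Prologue seen in the disassembly: and $0xfffffff0,%esp ; sub $0x20,%esp */
uint32_t esp_after_prologue(uint32_t ebp) {
    return (ebp & 0xfffffff0u) - 0x20u;
}

/* Constructed snapshot of the frame, filled from the x/4bx dumps on the page.
   Offsets are relative to FRAME_LO; unobserved bytes stay zero (assumption). */
static const uint8_t frame_image[FRAME_BYTES] = {
    [0x00] = 0x28, 0xe4, 0x0a, 0x08,   /* $ebp-40: execve arg0 = name[0]   */
    [0x04] = 0xc8, 0xf3, 0xff, 0xbf,   /* $ebp-36: execve arg1 = &name     */
    [0x08] = 0x00, 0x00, 0x00, 0x00,   /* $ebp-32: execve arg2 = envp NULL */
    [0x18] = 0x28, 0xe4, 0x0a, 0x08,   /* $ebp-16: name[0]                 */
    [0x1c] = 0x00, 0x00, 0x00, 0x00,   /* $ebp-12: name[1]                 */
};

/* Read a 32-bit word from the snapshot by its absolute address. */
uint32_t read32(uint32_t addr) {
    return le32(&frame_image[addr - FRAME_LO]);
}

/* Does the dumped frame satisfy everything the analysis claims? */
bool frame_matches_analysis(void) {
    uint32_t esp = esp_after_prologue(EBP);
    uint32_t name_addr = esp + 0x18;              /* lea 0x18(%esp),%edx */
    return esp == EBP - 40                        /* esp sits at $ebp-40 */
        && read32(esp + 0x00) == read32(name_addr) /* arg0 == name[0]     */
        && read32(esp + 0x04) == name_addr         /* arg1 == &name       */
        && read32(esp + 0x08) == 0                 /* envp == NULL        */
        && read32(name_addr + 4) == 0;             /* name[1] == NULL     */
}
```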
This article originally appeared on the Linux公社 website (www.linuxidc.com). Original link: http://www.linuxidc.com/Linux/2011-10/44764.htm