C中的自定义外壳代码?
我正在尝试开发一个外壳代码,它将执行以下命令C中的自定义外壳代码?,c,nasm,shellcode,C,Nasm,Shellcode,我正在尝试开发一个外壳代码,它将执行以下命令/bin/ls/(列出根目录) 因此,我首先尝试在assembly中开发一个脚本来为我完成这项工作,下面是脚本: SECTION .data buf: db "./", 0 SECTION .text global _start _start: xor eax, eax xor edx, edx push eax push long 0x736c2f2f ; "sl/" push long 0x6
/bin/ls/
(列出根目录)
因此,我首先尝试在assembly中开发一个脚本来为我完成这项工作,下面是脚本:
SECTION .data
buf: db "./", 0
SECTION .text
global _start
_start:
xor eax, eax
xor edx, edx
push eax
push long 0x736c2f2f ; "sl/"
push long 0x6e69622f ; "nib/"
mov ebx, esp
push eax
push byte 0x2f
mov esi, esp
push eax
push esi
push ebx
mov ecx, esp
mov eax, 0x0b
int 0x80
mov eax, 1
int 0x80
然后我用以下代码编译:nasm-f elf-gshell.asm和&ld-s-oshell.o-melf_i386
。这非常有效,如果执行,它将列出根目录
然后,我使用objdump
反汇编二进制文件以获得操作码:
#objdump -d ./shell
./shell: file format elf32-i386
Disassembly of section .text:
08049000 <.text>:
8049000: 31 c0 xor %eax,%eax
8049002: 31 d2 xor %edx,%edx
8049004: 50 push %eax
8049005: 68 2f 2f 6c 73 push $0x736c2f2f
804900a: 68 2f 62 69 6e push $0x6e69622f
804900f: 89 e3 mov %esp,%ebx
8049011: 50 push %eax
8049012: 6a 2f push $0x2f
8049014: 89 e6 mov %esp,%esi
8049016: 50 push %eax
8049017: 56 push %esi
8049018: 53 push %ebx
8049019: 89 e1 mov %esp,%ecx
804901b: b8 0b 00 00 00 mov $0xb,%eax
8049020: cd 80 int $0x80
8049022: b8 01 00 00 00 mov $0x1,%eax
8049027: cd 80 int $0x80
完成后,如果我执行foo二进制文件,它将执行程序,但不列出根目录
我将nasm与以下arc一起使用:
Linux-kali 5.2.0-kali2-amd64#1 SMP-Debian 5.2.9-2kali1(2019-08-22)x86_64 GNU/Linux
请看它在我身上运行得很好!
#include<stdio.h>
#include<string.h>
unsigned char shellcode[] = "\x31\xc0\x31\xd2\x50\x68\x2f\x2f\x6c\x73\x68\x2f\x62\x69\x6e\x89\xe3\x50\x6a\x2f\x89\xe6\x50\x56\x53\x89\xe1\xb8\x0b\x00\x00\x00\xcd\x80\xb8\x01\x00\x00\x00\xcd\x80";
int main(int argc, char **argv) {
int *ret;
ret = (int *)&ret + 2;
(*ret) = (int)shellcode;
}
# gcc -g -o foo foo.c -z execstack -fno-stack-protector
foo.c: In function ‘main’:
foo.c:9:11: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
9 | (*ret) = (int)shellcode;
|