Linux Shellcode“你好,世界!" [英] Linux Shellcode "Hello, World!"
问题描述
我有以下有效的 NASM 代码:
全局 _start节.text_开始:移动 eax, 0x4移动 ebx, 0x1mov ecx, 消息移动 edx, 0xF整数 0x80移动 eax, 0x1移动 ebx, 0x0整数 0x80.data 节消息:db "Hello, World!", 0dh, 0ah
将Hello, World! "打印到屏幕上.我还有以下 C 包装器,其中包含以前的 NASM 对象代码:
字符代码[] ="xb8x04x00x00x00""xbbx01x00x00x00""xb9x00x00x00x00""xbax0fx00x00x00""xcdx80xb8x01x00""x00x00xbbx00x00""x00x00xcdx80";int main(void){(*(void(*)())code)();}
然而,当我运行代码时,似乎没有执行汇编代码,但程序退出正常.有什么想法吗?
谢谢
当你注入这个 shellcode 时,你不知道 message
是什么:
mov ecx, 消息
在注入的过程中,它可以是任何东西,但不会是 "Hello world!
"
因为它在数据部分,而您只转储文本部分.你可以看到你的shellcode没有"Hello world!
"
:
xb8x04x00x00x00"xbbx01x00x00x00"xb9x00x00x00x00"xbax0fx00x00x00"xcdx80xb8x01x00"x00x00xbbx00x00"x00x00xcdx80";
这是shellcode开发中的常见问题,解决方法如下:
全局 _start节.text_开始:jmp 消息;1) 让我们跳到 MESSAGE回去:移动 eax, 0x4移动 ebx, 0x1流行 ecx ;3)我们正在进入`ecx`,现在我们有了;Hello, World!
"的地址移动 edx, 0xF整数 0x80移动 eax, 0x1移动 ebx, 0x0整数 0x80信息:调用GOBACK ;2)我们要回去了,因为我们使用了`call`,这意味着;返回地址,在这种情况下是地址;Hello, World!
",被推入堆栈.db "Hello, World!", 0dh, 0ah.data 节
现在转储文本部分:
$ nasm -f elf shellcode.asm$ ld shellcode.o -o shellcode$ ./shellcode你好世界!$ objdump -d shellcodeshellcode:文件格式 elf32-i386.text 节的反汇编:08048060 <_开始>:8048060: e9 1e 00 00 00 jmp 8048083 <MESSAGE>08048065 <GOBACK>:8048065: b8 04 00 00 00 mov $0x4,%eax804806a:bb 01 00 00 00 mov $0x1,%ebx804806f:59 流行%ecx8048070:ba 0f 00 00 00 mov $0xf,%edx8048075:cd 80 int $0x808048077: b8 01 00 00 00 mov $0x1,%eax804807c:bb 00 00 00 00 mov $0x0,%ebx8048081:cd 80 int $0x8008048083 <留言>:8048083:e8 dd ff ff ff 呼叫 8048065 <GOBACK>8048088:48 dec %eax <-+8048089:65 克 |804808a: 6c insb (%dx),%es:(%edi) |804808b: 6c insb (%dx),%es:(%edi) |804808c: 6f outsl %ds:(%esi),(%dx) |804808d: 2c 20 sub $0x20,%al |804808f:57 推%edi |8048090: 6f outsl %ds:(%esi),(%dx) |8048091: 72 6c jb 80480ff <MESSAGE+0x7c>|8048093:64 秒 |8048094: 21 .byte 0x21 |8048095: 0d .byte 0xd |8048096: 0a .byte 0xa <-+$
我标记的行是我们的"Hello, World!
"
字符串:
$ printf "x48x65x6cx6cx6fx2cx20x57x6fx72x6cx64x21x0dx0a"你好世界!$
所以我们的 C 包装器将是:
字符代码[] =xe9x1ex00x00x00"//jmp(相对)xb8x04x00x00x00"//移动 $0x4,%eaxxbbx01x00x00x00"//移动 $0x1,%ebxx59"//弹出 %ecxxbax0fx00x00x00"//移动 $0xf,%edxxcdx80"//整数 $0x80xb8x01x00x00x00"//移动 $0x1,%eaxxbbx00x00x00x00"//移动 $0x0,%ebxxcdx80"//整数 $0x80xe8xddxffxffxff"//调用(相对)你好世界!
";//或 x48x65x6cx6cx6fx2cx20x57";//"x6fx72x6cx64x21x0dx0a";int main(int argc, char **argv){(*(void(*)())code)();返回0;}
让我们测试一下,使用 -z execstack
启用 read-implies-exec (process-宽,尽管名称中有堆栈"),所以我们可以在 .data
或 .rodata
部分执行代码:
$ gcc -m32 test.c -z execstack -o test$ ./测试你好世界!
它有效.(-m32
在 64 位系统上也是必需的.int $0x80
32 位 ABI 不适用于像 这样的 64 位地址.Rodata
在 PIE 可执行文件中.另外,机器代码是为 32 位汇编的.碰巧的是,相同的字节序列会在 64 位模式下解码为等效的指令,但情况并非总是如此.)>
现代 GNU ld
将 .rodata
放在与 .text
不同的段中,因此它可以是不可执行的.过去使用 const char code[]
将可执行代码放入一页只读数据中就足够了.至少对于不想修改自己的shellcode.
I have the following working NASM code:
global _start
section .text
_start:
mov eax, 0x4
mov ebx, 0x1
mov ecx, message
mov edx, 0xF
int 0x80
mov eax, 0x1
mov ebx, 0x0
int 0x80
section .data
message: db "Hello, World!", 0dh, 0ah
which prints "Hello, World! " to the screen. I also have the following C wrapper which contains the previous NASM object code:
char code[] =
"xb8x04x00x00x00"
"xbbx01x00x00x00"
"xb9x00x00x00x00"
"xbax0fx00x00x00"
"xcdx80xb8x01x00"
"x00x00xbbx00x00"
"x00x00xcdx80";
int main(void)
{
(*(void(*)())code)();
}
However when I run the code, it seems like the assembler code isn't executed, but the program exits fine. Any ideas?
Thanks
When you inject this shellcode, you don't know what is at message
:
mov ecx, message
in the injected process, it can be anything but it will not be "Hello world!
"
since it is in the data section while you are dumping only the text section. You can see that your shellcode doesn't have "Hello world!
"
:
"xb8x04x00x00x00"
"xbbx01x00x00x00"
"xb9x00x00x00x00"
"xbax0fx00x00x00"
"xcdx80xb8x01x00"
"x00x00xbbx00x00"
"x00x00xcdx80";
This is common problem in shellcode development, the way to work around it is this way:
global _start
section .text
_start:
jmp MESSAGE ; 1) lets jump to MESSAGE
GOBACK:
mov eax, 0x4
mov ebx, 0x1
pop ecx ; 3) we are poping into `ecx`, now we have the
; address of "Hello, World!
"
mov edx, 0xF
int 0x80
mov eax, 0x1
mov ebx, 0x0
int 0x80
MESSAGE:
call GOBACK ; 2) we are going back, since we used `call`, that means
; the return address, which is in this case the address
; of "Hello, World!
", is pushed into the stack.
db "Hello, World!", 0dh, 0ah
section .data
Now dump the text section:
$ nasm -f elf shellcode.asm
$ ld shellcode.o -o shellcode
$ ./shellcode
Hello, World!
$ objdump -d shellcode
shellcode: file format elf32-i386
Disassembly of section .text:
08048060 <_start>:
8048060: e9 1e 00 00 00 jmp 8048083 <MESSAGE>
08048065 <GOBACK>:
8048065: b8 04 00 00 00 mov $0x4,%eax
804806a: bb 01 00 00 00 mov $0x1,%ebx
804806f: 59 pop %ecx
8048070: ba 0f 00 00 00 mov $0xf,%edx
8048075: cd 80 int $0x80
8048077: b8 01 00 00 00 mov $0x1,%eax
804807c: bb 00 00 00 00 mov $0x0,%ebx
8048081: cd 80 int $0x80
08048083 <MESSAGE>:
8048083: e8 dd ff ff ff call 8048065 <GOBACK>
8048088: 48 dec %eax <-+
8048089: 65 gs |
804808a: 6c insb (%dx),%es:(%edi) |
804808b: 6c insb (%dx),%es:(%edi) |
804808c: 6f outsl %ds:(%esi),(%dx) |
804808d: 2c 20 sub $0x20,%al |
804808f: 57 push %edi |
8048090: 6f outsl %ds:(%esi),(%dx) |
8048091: 72 6c jb 80480ff <MESSAGE+0x7c> |
8048093: 64 fs |
8048094: 21 .byte 0x21 |
8048095: 0d .byte 0xd |
8048096: 0a .byte 0xa <-+
$
The lines I marked are our "Hello, World!
"
string:
$ printf "x48x65x6cx6cx6fx2cx20x57x6fx72x6cx64x21x0dx0a"
Hello, World!
$
So our C wrapper will be:
char code[] =
"xe9x1ex00x00x00" // jmp (relative) <MESSAGE>
"xb8x04x00x00x00" // mov $0x4,%eax
"xbbx01x00x00x00" // mov $0x1,%ebx
"x59" // pop %ecx
"xbax0fx00x00x00" // mov $0xf,%edx
"xcdx80" // int $0x80
"xb8x01x00x00x00" // mov $0x1,%eax
"xbbx00x00x00x00" // mov $0x0,%ebx
"xcdx80" // int $0x80
"xe8xddxffxffxff" // call (relative) <GOBACK>
"Hello wolrd!
"; // OR "x48x65x6cx6cx6fx2cx20x57"
// "x6fx72x6cx64x21x0dx0a"
int main(int argc, char **argv)
{
(*(void(*)())code)();
return 0;
}
Lets test it, using -z execstack
to enable read-implies-exec (process-wide, despite "stack" in the name) so we can executed code in the .data
or .rodata
sections:
$ gcc -m32 test.c -z execstack -o test
$ ./test
Hello wolrd!
It works. (-m32
is necessary, too, on 64-bit systems. The int $0x80
32-bit ABI doesn't work with 64-bit addresses like .rodata
in a PIE executable. Also, the machine code was assembled for 32-bit. It happens that the same sequence of bytes would decode to equivalent instructions in 64-bit mode but that's not always the case.)
Modern GNU ld
puts .rodata
in a separate segment from .text
, so it can be non-executable. It used to be sufficient to use const char code[]
to put executable code in a page of read-only data. At least for shellcode that doesn't want to modify itself.
这篇关于Linux Shellcode“你好,世界!"的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!