有没有办法为不直接使用系统调用指令的sendfile编写shellcode? [英] Is there a way to write shellcode for sendfile that does not use syscall instruction directly?

问题描述

我正在处理类似 ctf 的挑战，它正在过滤我的 shellcode，以确保我没有 syscall、sysenter 和 int 指令的十六进制值编码，分别为 0x0f05 0x0f34 和 0x80cd.基本上我有一个可以打开文件的shellcode，但它包含系统调用指令.任何有助于理解如何操作它的帮助，因此我仍然可以进行系统调用，而无需将序列 0x0f05 显式放入我的 shellcode 中.

I'm working on a ctf-like challenge and it is filtering my shellcode to make sure I don't have the hex value encodings of the syscall, sysenter and int instructions 0x0f05 0x0f34 and 0x80cd respectively. Basically I have a shellcode that can open a file but it includes the syscall instruction. Any help with understanding how to manipulate it so I can still make syscalls without explicitly putting the sequence 0x0f05 in my shellcode.

lea rdi, _string[rip]
xor rsi, rsi
xor rax, rax
mov al, 2
syscall

我不一定要寻找确切的答案，而只是寻找一些帮助，以了解在运行时操作程序以进行系统调用的一些可能方法.

I'm not necessarily looking for an exact answer but just looking for some help understanding some possible ways to manipulate the program into making a syscall at runtime.

推荐答案

由于您已经可以注入代码，因此您大概将代码放在具有 write+exec 权限的页面中，以便您可以使其自我修改，并存储字节对于一次一个 syscall 指令(因此它们不会作为 imm16 的一部分进行过滤).

Since you can already inject code, you presumably have your code in a page with write+exec permission so you could make it self-modifying, and store the bytes for a syscall instruction one at a time (so they aren't filtered as part of an imm16).

或者更简单，从内存中的 0e 05 ... 开始，并使用 inc byte ptr syscall_location[rip] 将其修改为 0f 05 ....RIP 相对寻址模式意味着您不需要知道要修改的字节的地址，只需知道它的相对距离(汇编器将为您计算).您可能需要向前跳转，以便 rel32 为负并且没有任何零字节.或者把 syscall 指令放在最前面，然后跳回去.

Or even easier, start with 0e 05 ... in memory, and use inc byte ptr syscall_location[rip] to modify it to 0f 05 .... A RIP-relative addressing mode means you don't need to know the address of the byte you want to modify, just it's relative distance (which the assembler will calculate for you). You might need to jump forward so the rel32 is negative and doesn't have any zero bytes. Or put the syscall instruction first and jump back to it.

正如 Sinkmanu 指出的那样，您可能会在进程的内存映射中的某处找到 syscall 指令，在这种情况下，像您用于 ret2reg 的技术可能会起作用.

As Sinkmanu points out, you might find a syscall instruction somewhere in the process's memory map, in which case techniques like you'd use for ret2reg might work.

但是共享库代码相对于可执行文件往往是 ASLRed，除非主可执行文件中有 sendfile 的 PLT 存根，否则您将无法获得动态链接器的帮助来找到它.

But shared library code will tend to be ASLRed relative to the executable, and unless there's a PLT stub for sendfile in the main executable you won't have the dynamic linker's help in finding it.

这篇关于有没有办法为不直接使用系统调用指令的sendfile编写shellcode?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！