使用ASM生成shell

时间:2015-03-09 07:26:35

标签: linux assembly x86

我在asm中有以下代码来生成一个shell - 但它崩溃了,给出了Segmentation Fault。你能否说一下可能出现的问题。

jmp short mycall               ; Immediately jump to the call instruction

shellcode:

    pop        esi                ; Store the address of "/bin/sh" in ESI
    xor        eax, eax           ; Zero out EAX
    mov byte   [esi + 7], al      ; Write the null byte at the end of the string

    mov dword  [esi + 8],  esi    ; [ESI+8], i.e. the memory immediately below the string
                                  ;   "/bin/sh", will contain the array pointed to by the
                                  ;   second argument of execve(2); therefore we store in
                                  ;   [ESI+8] the address of the string...
    mov dword  [esi + 12], eax    ; ...and in [ESI+12] the NULL pointer (EAX is 0)
    mov        al,  0xb           ; Store the number of the syscall (11) in EAX
    lea        ebx, [esi]         ; Copy the address of the string in EBX
    lea        ecx, [esi + 8]     ; Second argument to execve(2)
    lea        edx, [esi + 12]    ; Third argument to execve(2) (NULL pointer)
    int        0x80               ; Execute the system call

mycall:

    call       shellcode          ; Push the address of "/bin/sh" onto the stack
    db         "/bin/sh"

1 个答案:

答案 0 :(得分:2)

您的shell代码是正确的。它会在尝试NULL终止字符串的指令上发生段错误,因为.text段现在在包括Linux在内的所有操作系统上都是只读的。

要成功运行代码,您需要使.text部分可写或使堆栈或其他数据存储器可执行。在这里,我演示了后者模拟缓冲区溢出攻击:

buggy.c 

#include <string.h>
#include "shellcode.h"

int main()
{
    char buf[512];
    memcpy(buf, shellcode_bin, shellcode_bin_len);
    ((void(*)(void))buf)();
    return 0;
}

GNUmakefile 

CFLAGS := -Os -Wall -g3 -I.

NASM_FLAGS := -g -f elf

PROGRAMS := $(basename $(wildcard *.asm *.c))

.PHONY: all clean
all: $(PROGRAMS)
%.o: %.asm
    nasm $(NASM_FLAGS) $< -o $@
clean:
    rm -f $(PROGRAMS) *.o core.* shellcode.bin shellcode.h

.DELETE_ON_ERROR:

shellcode: LDFLAGS := -m32 -nostdlib
shellcode.bin: shellcode
    objcopy --only-section=.text -O binary $< $@

shellcode.h: shellcode.bin
    xxd -i $< > $@

buggy: shellcode.h
buggy: CFLAGS += -m32
buggy: buggy.c
    $(CC) $(CFLAGS) $< $(LDFLAGS) -o $@
    execstack -s $@

构建代码

$ make
nasm -g -f elf shellcode.asm -o shellcode.o
cc -m32 -nostdlib  shellcode.o   -o shellcode
objcopy --only-section=.text -O binary shellcode shellcode.bin
xxd -i shellcode.bin > shellcode.h
cc -Os -Wall -g3 -I. -m32 buggy.c -o buggy
execstack -s buggy
rm shellcode.o

示例会话

$ ./buggy
sh-4.3$

备注

  • execstack -s buggy在ELF二进制文件
    • 上设置可执行堆栈标志
  • xxd程序随VIM编辑器一起安装。它位于大多数Linux发行版的vim-common包中。
相关问题
最新问题